Trust does not and should not come easily. In spite of the impressive growth of the cloud, even top players in the market, such as Amazon and Rackspace, are relatively young companies, having been around the market for a bit over five years. Even their track record isn't all that stellar. Most cloud players, from Google to Amazon, have suffered from service outages rather recently.
One of the great advantages of cloud computing over the conventional IT model, fortunately, is that the cloud does not require you to jump into a long-term commitment with a provider with an upfront investment. The cloud pay-as-you-go model, coupled with the fact that most providers allow you to test-drive their services for free, means that you can learn a lot about the different providers before making a choice, most times while spending almost nothing.
To help you get started in the process of getting to know your cloud provider, I will cover the key points you must have in mind, and the questions you should ask. As with almost everything cloud, these questions are broken into four major points: security, technology, costs, and risks. In this post, I'll cover the questions under the first two categories, and then finish up with costs and risks for part two.
Security is the first thing that comes to everyone's mind when talking about the cloud. It is the first issue raised by cloud detractors, and still one of the top barriers to cloud adoption. While I and many others have written extensively on the issue of security and all the myths surrounding it, taking an honest look at the security practices of your cloud suitor can save you a lot of headaches down the road.
#1 What are the security-related certifications the cloud provider has achieved?
This alone will help you significantly, since a provider not having a certain certification can be a deal-breaker for many companies. A good example of this is PCI-DSS: if your company needs to be PCI-DSS compliant, having a PCI-compliant cloud IaaS provider is not only essential, it's basically mandatory. If the provider you're looking into does not have the PCI certification, you can forget about them.
The same thing goes for many other security-related certifications and audits. Not only that, but most of these audits cover many of the same security-related points you worry about internally: physical and logical access to data centers, security controls, and so on. While a certification does not prove anything by itself, the fact that a company takes the time to get certified (and, in some cases, gets multiple certifications) shows a healthy degree of commitment to the security issue.
Another good indicator of security is your provider's client list. If you are looking at a company that has several high-profile, security-minded companies (financial institutions, for instance) as clients, the odds are good that it has already been vetted by these companies, and probably has the proper security measures in place. While not entirely foolproof, a client list is a decent yardstick with which to measure a potential provider.
The greatest danger here would be to ignore a new entrant in the market because of its absent client list. This is when certificates come in handy: while they aren't a replacement, if we assume that the entities who issue the certificates are doing their jobs correctly, then we can reasonably assume a secure environment.
The first technology-related question any company needs to ask any cloud suitor is related to vendor lock-in. A couple of years ago, this was critical, as most cloud providers did not allow anyone to upload or download virtual machine images. While this is no longer true, the fact remains that having an exit strategy is fundamental, and the first part of any exit strategy is understanding the complexity of moving into and out of the cloud.
#2 How easy is it to move my workloads into and out of your cloud?
While for cloud-based servers the answer is simple enough (just upload/download your VM image), for other services it becomes more complicated. Let's say you are using a cloud-based object storage system. How easy is it to retrieve all your data if necessary? Are you going to have to pay any kind of fee to do this? How about moving to a different provider? All these questions are invariably related to the technology being used, and must be answered properly.
#3 What is its vision for the future?
The second part of the technology issue is related to the technological vision of the cloud provider: How does it see its services and offerings evolving? If you are considering moving your systems to the cloud, you certainly don't want to get stuck with a provider that has no plans beyond offering faster and cheaper servers. Looking at the long-term technological view of your cloud suitor will let you consider whether its evolution and future plans are along the lines you want for your company. The evolution of the service offerings from your potential providers, should you choose to move your infrastructure to them, is going to be central to your future.
Today we've looked at the first two elements on which you need to question your potential cloud provider: security and technology. To sum up, here is a list of the questions:
- What security certificates do you currently have? Which ones are you trying to achieve?
- What is your client list? Who are your most security-minded clients?
- How simple is it to move my workloads into and out of your cloud?
- What is your vision for the future? How will your services evolve? What is your road map?
These questions (and the answers to them) are fundamental to building a solid long-term relationship with your cloud provider. In my next post, we will cover the two remaining aspects of what you need to go over with your cloud provider. If you think there are any elements I've forgotten, please share in the comments.
After working for a database company for 8 years, Thoran Rodrigues took the opportunity to open a cloud services company. For two years his company has been providing services for several of the largest e-commerce companies in Brazil, and over this time he had the opportunity to work on large scale projects ranging from data retrieval to high-availability critical services.