Horse meat burger, cod and chips, a bacon sandwich, cloud hosting providers… which is the odd one out? The bacon sandwich, of course.
Last year’s well publicised food scares aside, the point is that often products are not quite what they seem. So in the list above, why is the bacon sandwich the odd one out? Well, to date, we have yet to see a successfully counterfeited Bacon sandwich on the market. Often cloud computing hosting providers are also not quite what they seem. Lots of promises are made on websites as to how good a service is, but on further exploration is the service actually what it seems? It is useful to explore some of them.
99.9999% or 100% uptime guarantee
A Service Level Agreement (SLA) is a measure of availability, which is typically described through percentage statements such as 99.999% SLA. When these statements are explored in real time, this is the outcome:
|Availability %||Downtime per year||Downtime per month||Downtime per week|
|90% (“one nine”)||36.5 days||72 hours||16.8 hours|
|98%||7.30 days||14.4 hours||3.36 hours|
|99% (“two nines”)||3.65 days||7.20 hours||1.68 hours|
|99.5%||1.83 days||3.60 hours||50.4 minutes|
|99.9% (“three nines”)||8.76 hours||43.8 minutes||10.1 minutes|
|99.99% (“four nines”)||52.56 minutes||4.32 minutes||1.01 minutes|
|99.999% (“five nines”)||5.26 minutes||25.9 seconds||6.05 seconds|
|99.9999% (“six nines”)||31.5 seconds||2.59 seconds||0.605 seconds|
|99.99999% (“seven nines”)||3.15 seconds||0.259 seconds||0.0605 seconds|
This information is all very good, but without looking at the fine print it is actually a meaningless and empty promise on the part of the provider. Failure to meet an SLA is usually backed by a penalty clause and penalties as an industry standard are not normally too onerous for service providers. Traditionally, the provider gives a percentage of the overall monthly fee back to the user, depending on the length of the outage. Below is a table showing what a customer could commonly expect to reclaim:
|Service Availability during Monthly Review Period||Service Credits as % of Monthly Rental Charge|
The calculation is: (Total hours – Total hours Unavailable)/Total hours) x 100
Other important factors to note when looking into the SLA include:
1. The penalty often does not refer to the service as a whole. Your business may have a web server but the SLA may only be for either network or server availability, so the fact that your website is not working may not be relevant.
2. The advertised SLA does not actually match the penalty clause. For example, your business may have been told it will receive 99.999% availability but the penalty clause starts at 99% availability, so you would never be fully compensated.
3. It is also important to explore what time period the penalty is measured over. It is common that providers use a period of 12 weeks, which actually means on a 99% SLA that your business could be offline for 21.6 hours, or on a 99.9% SLA just over 2 hours and still be within the service level.
4. How is the availability measured? Monitoring commonly checks servers at various intervals, e.g. every 15 minutes, every 5 minutes or every minute. Based on these tests, short outages may often go unnoticed and it is often impractical to check with a higher frequency. 99.999% uptime checked every minute will mean that only longer outages will be spotted or that a short 2 second glitch will show up as a minute long outage.
5. It is usually the customer’s responsibility to request service credit checks and SLA’s are therefore not a good way to determine the quality of a service.
Unlimited bandwidth included or 1000 GB bandwidth included
What do they these statements actually mean? Well, they could mean any number of things and statements like these often have an * next to them, referring you to an acceptable use policy where they actually restrict you to 400GB of throughput. However, more often the biggest concern is actually how quickly you can get this bandwidth, how big is the Internet connection?
To illustrate this further, if we equate Water to Internet traffic and a Hose Pipe to the Internet connection, the biggest pipe will move more Water and it really does not matter if your contract allows you to move a gallon of Water or not. If the Pipe can only move three gallons and you are sharing it with 1,000 other people then the net result will be a negative experience.
We have ISO 27001 for information security
There are few points which you need to know about ISO 27001. Firstly it is an information security management system (ISMS) which means that it is a framework for managing security, it is not a standard that ensures that an organisation is actually secure. Only standards such as PCI actually provide any guarantees, as they are prescriptive about processes, not just suggestive.
Due to the fact that it is a system, people can just buy an off the shelf set of processes and procedures and quickly demonstrate an ISMS without actually really properly implementing it. However, there are some new legislation guidelines being released soon, which will mean that the auditor will be paying far more attention to the ‘monitor and measurement’ section which will hopefully improve the situation.
When you setup an ISMS the business also sets the scope of the system and some Cloud providers have been known to use this to their advantage. For example, the business could limit the system scope to the ‘spare parts’ management element of the business then publicly broadcast that it is IS0 27001 compliant but conveniently not mention what for. There are positive and negative elements to IS0 27001 and although it is a good indicator on the strengths of a hosting provider, you clearly need to ask more than “do you have an IS0 27001 accreditation?”
See terms and Conditions
Remember, what a business offers on the website is not necessarily what you get. For instance, I recently witnessed a company offering a Hosted Email solution and on its homepage the provider boldly stated that they offered a free backup service. I could not find this mentioned anywhere else on the website and after further inspection I discovered that their terms and conditions actually stated that backup was NOT included in the service, unless expressly mentioned in your selected email package. I will let you draw your own conclusions on this.
Your business needs to check the terms and conditions closely in order to explore the full nature of the service being provided, particularly on longer contracts. You may sign up for a service which allegedly offers UK hosting on dedicated hardware, in full IS0 27001 audited facilities, but if the supplier then decides that they wished to migrate over to Amazon Web service, you may not be able to legally stop him. Equally, you may be contractually obliged to continue to use the service regardless of any changes. Contracts should give your business the right to cancel if there is any fundamental change to the nature of the service delivery.
You are nearly always ultimately responsible for your own data and most contracts will state that the service provider shall not be liable for loss or corruption of data or information. This is not necessarily because they are a poor provider but usually because it is hard, if not impossible, to get insurance against that form of loss – especially when it is so difficult to place a value on data.
I hope that by reading this blog you have realised that it is easy for providers to hide behind the online world in which we live in, so closely check what you are buying. Just because the website looks good and you recognise the brand, it does not guarantee that you receive the level of service which you are expecting. It is also important to remember that many of the technologies used in the Cloud are new and long standing, strong brands will also be new to these technologies, and their previous ethos may not necessarily work in the new Cloud world. Many companies historically may have been excellent at providing break-fix style contracts, but can they stop things breaking in the first place?
Originally published on Compare the Cloud 16 April 2013 as What makes a quality Cloud hosting provider? by Richard May.