For most organisations, it is no longer a question of whether to adopt cloud, either wholly or for specific services, but which services to move and when to move them. Having architected and sized the chosen services, they then need to select the most appropriate cloud service providers. If they have done their preparation correctly, the choice of platform is almost immaterial, as these days almost all the technology is pretty good.
This does not mean the choice of provider is straightforward. While most of the public cloud service providers are very capable, there are significant differences in everything from design criteria, billing models and contractual terms and conditions to SLAs and data recovery terms. There is also a multitude of providers offering different types of managed cloud service, perhaps to host legacy services until an appropriate public cloud service becomes available. These, too, have their own T&Cs, SLAs etc., as well as the legal jurisdictions where data is held. These are important considerations when ensuring services are GDPR (General Data Protection Regulation) compliant.
It is vital to know exactly what your organisation is signing up for to avoid problems in the future, so we have developed a checklist which we have been using with our customers to help them compare different options. As we help them define and negotiate cloud contracts, this has been refined to address the most common pitfalls and misunderstandings and to help them make a realistic evaluation and comparison between different cloud service suppliers.
Availability and usage
The first consideration is whether your service requires persistent (reserved), non-persistent (on demand) or metered instances. This will depend to some extent on whether it is required 24 x 7 x 365, but there are other considerations too. Most applications require additional systems such as login/authentication, network etc., which need to be powered up beforehand, so a 9-5 requirement quickly becomes 7-9. Shutting down and restarting has to be sequenced, and some employees will want access outside core hours, so one of cloud’s specific cost-saving capabilities is potentially less useful than it could be as 9-5 quickly becomes 24×7.
With availability decided on, you need to ask potential providers whether their service offers this and how cost effective it is. It does not happen very often, but AWS’ terms and conditions allow them to shut down on-demand instances without any reference to the client. If there are specific times that your service must be available, you need to know whether the provider will ensure these within a non-persistent service.
With metered services, ask your cloud service providers what guarantees they will give that all capacity is available even if not used, and find out what actually constitutes usage. Several applications generate keep-alive packets to ensure availability, and these can be used by providers offering metered instances as the basis for charging even when services are not actually being ‘used’.
Optimisation and granularity
Different cloud service providers handle charging in different ways, so it is vital to understand the characteristics of the service being migrated. Will general purpose instances suffice or are computer, memory or storage optimised instances needed? Costs vary dramatically from individual suppliers as well as between providers. For example, Microsoft Azure has five storage options, each with different dependencies. All need to be understood, compared and evaluated when choosing a service.
More generally, you need to find out what is included in the charging model and what is an extra. If an extra, how is it charged and what is the likely impact on overall charges? For example, for an IaaS instance in AWS, there is a minimum of five and potentially eight metered costs that need to be tracked for a single Internet-facing server. Azure and other public cloud service providers are comparable.
The complexity increases if your organisation is hosting multiple server environments and if other elements are required to run the application, such as security, resilience, management, patching and back-up, which will appear as additional charges. This is less of an issue with SaaS, which usually has a standard per user per month charge.
Maintaining security of cloud services is crucial. First, consider the security classification/business impact of the data within the service. Does this mandate physical location awareness and, if so, where will your organisation’s data be stored? What security, access, audit and compliance controls need to be in place and can the provider guarantee them? If so, how – self-certification or independent testing and validation?
Then consider how the potential supplier operates. If they adhere to recognised security standards, they should be able to prove that they have the relevant controls in place. If not, you need to find out how they will guarantee that their infrastructure is secure and patching is up to date. Providers which have to meet public sector requirements will be regularly audited and tested by independent external providers to ensure that they meet the latest security standards and will have tested and audited procedures for dealing with any security incidents.
Your organisation is responsible for asking your chosen cloud service providers to deliver the appropriate levels of information security and you need to measure and audit the provider to ensure this is applied. This is particularly true with IaaS, less so with PaaS and SaaS. Irrespective of who hosts the data, under both the Data Protection Act and GDPR your organisation retains responsibility for the security of its data.
Resilience is another area where it is important to look under the bonnet to find out what is really being offered. You will be charged for transferring data between domains, so to understand costs you need to know the frequency and size of snapshots and the rate of change of data. If the standard offering does not meet your organisation’s requirements, additional resilience may be available – but what exactly is offered and what are the costs?
You should also examine services guarantees closely and find out what compensation is offered if these are not met. A major loss of services such as a data centre failure, security breach or other outages, or even reduced performance, could create significant issues for your business. Under most public cloud service SLAs, the cloud provider will apologise and refund a proportion of the monthly service fee. This recompense covers a very small proportion of the disruption you may have incurred, so needs to be evaluated carefully before moving a business critical service.
You should also consider whether to have primary and recovery services, where applicable, hosted by the same supplier and whether you have or need an independent backup to restore from in extremis.
Cloud service management, processes and contracts
Look into the details of how the service is run. If operational management is via a portal, find out how the supplier handles escalation and service updates. What processes do they use for Problem Management or Major Incident Management, and do they have SLAs?
You need to be confident that the way the supplier operates fits the way your organisation needs to operate. With public cloud, you are unlikely to be able to persuade providers to revise their processes to suit your organisation, so will be better off talking to private and virtual private cloud service providers. Making changes to standard terms will always impact on costs, so you need to decide if the business benefits are worthwhile over the contract term.
You also need to consider contract flexibility – in particular, whether there are exit or data transfer costs should your organisation wish to switch suppliers.
Finally, think about the cultural fit between your organisation and a potential provider. This may seem trivial, but your organisation is potentially entering into a multi-year agreement which will impact the services it offers its end users. It helps to ensure that all parties are aligned before committing to any agreements.