Choice of platform matters less than it used to, because the underlying technology from every major provider is now mature. However, while most public cloud providers are very capable, there are significant differences in everything from design criteria, billing models and contractual terms and conditions to SLAs and data recovery terms. These vary both between providers and across the services offered by a single provider, and there are also many different types of managed cloud service available.
Based on our experience of negotiating cloud contracts, we have developed a checklist to help organisations evaluate the various options available and avoid the most common pitfalls and misunderstandings.
1.Availability and usage
The first consideration is whether your service requires persistent (reserved), non-persistent (on demand) or metered instances. You may assume that non-persistent will be fine for all but the most business critical applications, but check the conditions carefully. It rarely happens, but AWS's customer agreement allows it to stop or terminate instances without any reference to the client, and the cheapest on-demand capacity (Spot instances) is routinely reclaimed at two minutes' notice. If there are specific times when your service must be available, you need to know whether the provider will guarantee these within a non-persistent service, or whether that guarantee only comes with reserved capacity.
With metered services, ask what guarantees there are that all capacity is available even when not used, and find out what actually constitutes usage. Many applications generate keep-alive packets to confirm availability, and providers offering metered instances can count these as billable activity even when the service is not actually being 'used'.
2.Optimisation and granularity
Different cloud providers handle charging in different ways, so you need to understand the characteristics of the service you wish to migrate. Will general purpose instances suffice, or are compute, memory or storage optimised instances needed? Costs vary dramatically within the different offers from a single provider as well as between providers. For example, Microsoft Azure has five storage options, each with different dependencies.
You also need to know what the charging model classes as an 'extra' and how these are charged. For example, for an IaaS instance in AWS there are at least five and potentially eight metered line items to track for a single Internet facing server (compute hours, attached block storage, snapshots and outbound data transfer among them). Azure and other public cloud services are similar. Complexity increases if your organisation hosts multiple server environments, and if other elements are required to run an application, such as security, resilience, management, patching and back-up, each of which will appear as an additional charge. This is less of an issue with SaaS, which usually has a standard per user per month charge.
3.Information security
Your organisation is responsible for specifying the levels of information security it needs from its chosen cloud provider(s), and for measuring and auditing them to confirm these are applied. The split of responsibility depends on the service model: with IaaS you still own the guest operating system, its patching and its security configuration; PaaS and SaaS shift more of that to the provider, but never the accountability for the data. Under both the Data Protection Act and GDPR your organisation retains responsibility for the security of its own data, regardless of who hosts it.
You need to ask suppliers:
·If the security classification/business impact of the data within your service mandates physical location awareness, where will the data be stored?
·Can they guarantee the security, access, audit and compliance controls you require and, if so, how – self-certification or independent testing and validation?
·How do they demonstrate that their infrastructure is secure and patching is current, and, for IaaS, where does their patching responsibility stop and yours begin?
If they adhere to recognised security standards, they should be able to prove that the relevant controls are in place rather than simply assert it. Providers which have to meet public sector requirements will be regularly audited and tested by independent external assessors, and will have tested and audited procedures for dealing with security incidents.
4.Resilience, recovery and service guarantees
You will be charged for transferring data between domains (regions, zones, accounts or providers), so to understand costs you need to know the frequency and size of snapshots, whether each snapshot is a full copy or only the changed blocks, and the rate of change of your data. If the provider's standard offering is not sufficient, additional resilience may be available, but at a cost.
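As an added illustration, not part of the original checklist, the following Python model turns those three inputs (snapshot frequency, volume size and rate of change) into the monthly transfer volume and charge, and shows how far the answer moves depending on whether the provider copies only changed blocks or the whole volume each time. The workload figures and the per-GB price are assumptions; substitute the tariff in the provider's price list.

```python
"""Model the cross-boundary data transfer that snapshot-based resilience generates.

Added example, not part of the original checklist. The workload figures and the
per-GB price are assumptions; substitute the provider's actual tariff.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SnapshotPlan:
    """What you need to know before signing: volume size, rate of change,
    snapshot frequency, and whether the provider copies only changed blocks."""
    volume_gb: float          # size of the protected volume
    daily_change_gb: float    # distinct data changed per day (rate of change)
    snapshots_per_day: float  # snapshot frequency
    incremental: bool = True  # False: every snapshot is a full copy


def per_snapshot_transfer_gb(plan: SnapshotPlan) -> float:
    """Data that crosses the billing boundary for one snapshot.

    Assumes changes land on distinct blocks spread evenly through the day, so
    the delta between consecutive snapshots is daily change / snapshots per
    day; it can never exceed the volume itself.
    """
    if plan.snapshots_per_day <= 0:
        raise ValueError("snapshots_per_day must be positive")
    if not plan.incremental:
        return plan.volume_gb
    return min(plan.volume_gb, plan.daily_change_gb / plan.snapshots_per_day)


def monthly_transfer_gb(plan: SnapshotPlan, days: int = 30) -> float:
    """Total transferred in a billing month, excluding the one-off initial copy."""
    return per_snapshot_transfer_gb(plan) * plan.snapshots_per_day * days


def monthly_transfer_cost(plan: SnapshotPlan, price_per_gb: float,
                          days: int = 30, include_seed: bool = False) -> float:
    """Transfer charge for the month; include_seed adds the first full copy,
    which is paid once when replication is set up."""
    gb = monthly_transfer_gb(plan, days)
    if include_seed:
        gb += plan.volume_gb
    return round(gb * price_per_gb, 2)


def compare(plan: SnapshotPlan, price_per_gb: float) -> dict:
    """Same workload under incremental and full-copy replication, so the
    difference the contract wording makes is visible in one place."""
    full = SnapshotPlan(plan.volume_gb, plan.daily_change_gb,
                        plan.snapshots_per_day, incremental=False)
    return {
        "incremental_gb": monthly_transfer_gb(plan),
        "incremental_cost": monthly_transfer_cost(plan, price_per_gb),
        "full_copy_gb": monthly_transfer_gb(full),
        "full_copy_cost": monthly_transfer_cost(full, price_per_gb),
    }


if __name__ == "__main__":
    # Constructed workload: 500 GB volume, 20 GB/day of change, four snapshots
    # a day, and an assumed inter-region price of $0.02 per GB.
    plan = SnapshotPlan(volume_gb=500, daily_change_gb=20, snapshots_per_day=4)
    for key, value in compare(plan, price_per_gb=0.02).items():
        print(f"{key}: {value}")
```

For the constructed workload the incremental model moves 600 GB a month while full copies move 60,000 GB, a hundred-fold difference on the same snapshot schedule, which is why the question of what a "snapshot" actually transfers belongs in the contract review and not in the first invoice. The cap in per_snapshot_transfer_gb also shows the opposite edge case: once the daily change exceeds the volume size, taking snapshots more often does not reduce the bill.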
You should also examine service guarantees and find out what compensation is offered if they are not met. A major loss of service such as a data centre failure, security breach or other outage, or even reduced performance, could create significant issues for your business. Under most public cloud SLAs the provider will apologise and credit a proportion of the monthly service fee, which may cover only a very small fraction of the cost of the disruption to your business.
Finally, consider whether to have primary and recovery services hosted by the same supplier, and whether you wish to have an independent backup to restore from in extremis.
5.Service management, processes and contracts
Cloud promises to make your life easier, but this only happens if the supplier works in a way that fits how your organisation needs to operate. With public cloud you are unlikely to persuade providers to revise their processes to suit you, so if that matters you will be better off talking to private and virtual private cloud providers. Changes to standard terms will always affect cost, so you need to decide whether the business benefits justify them over the contract term.
Operational details are important. For example, if management is via a portal, find out how the supplier handles escalation and service updates, what processes they use for Problem Management or Major Incident Management, and exactly what their SLAs cover. You also need to consider contract flexibility, in particular whether there are exit or data transfer costs should your organisation wish to switch suppliers, and in what format your data will be returned.
Finally, think about the cultural fit. This may seem trivial, but your organisation is potentially entering into a multi-year agreement which will impact the services it offers its end users. It helps to ensure that all parties are aligned before committing to an agreement.