Moving to the Cloud? Five Questions You Must Ask Cloud Providers

The shift to cloud computing is well past the tipping point. Incumbents like Microsoft, IBM and Cisco are all dumping wheelbarrows full of money into their cloud efforts.

Even the once-constant cloud skeptic, Larry Ellison, is now on board – albeit reluctantly – and behemoths in the making like Salesforce.com have the cloud to thank for their rise.

Moreover, every time a research firm studies adoption patterns or asks the IT community about their future plans, the cloud continues to trend upwards. A new Savvis survey found that 75% of companies will use enterprise-class cloud computing solutions within five years. A MarketBridge cloud survey echoed those findings. Of the 1,000 small-to-medium enterprises surveyed, 44% already have at least one business application running in the cloud, and more than 70% said that they intended to move more of their business into the cloud sometime in 2011.

However, concerns and questions marks abound. Every time I write a cloud story, I get emails and my stories get comments from cloud deniers. This comment from “AngrySparrow” on my recent cloud prediction story is representative:

Cloud computing? Hmmm... I'm not convinced. Naturally, could be wrong, but I work for a very, very, very large IT services company and frankly, the sales just aren't there - at least, not in Europe. It's mostly hype at the moment - like WAP - and it seems it's mostly sales guys talking it up - making predictions about how glorious "it's all gonna be!!"

Now, I don’t want to pick on AngrySparrow here – well, not too much, anyway. The rest of his comment makes some good points about regulatory issues in the European Union that will slow adoption there, but if you’re not convinced that you’ll be heavily invested in the cloud sooner rather than later, you might also be a charter member of the Flat Earth Society.

Comments like these do serve a purpose, though. They point to the fact that there is still a lot of work to be done by cloud providers before the cloud can be truly considered a mainstream technology and not one on the cusp.

Here, then, are five questions to ask cloud providers before you commit to their services.

1. What models do you offer (private, public, hybrid), and what if I want to transition from one to another?

There is plenty of debate about the best cloud model for various types of businesses. Anytime there is a high premium on data privacy and security, organizations are nudged towards private clouds.

What, though, constitutes a private cloud? Can hosted services still be private?

That’s a debate I don’t want to go too far into now, but your cloud plans need to cover these issues. If you classify certain data as verboten in public cloud environments, how will you know that the private and public clouds are kept separate?

Just as importantly, what if you change your mind? Is there an easy migration path from private to public and vice versa? What if regulatory compliance forces you to strip certain applications out of public clouds? Can the provider offer some alternative, such as air-gapping?

If so, how do you know that they have the administrative controls in place to ensure that the air gap isn’t breached by something as simple as a misconfiguration?

2. What is covered in your SLA?

For any enterprise-class service, SLAs are a big deal. Yet, a joint Ponemon Institute-Symantec cloud security study found that 65% of organization evaluate cloud vendors by word of mouth alone. Few require proof of security compliance and more than half just trust vendors to do what they claim they’ll do.

It goes without saying (but I’ll say it anyway) that few are proactively negotiating the terms of SLAs. “SLAs, security, reliability and uptime can all vary greatly from provider to provider,” said Rami Habal, Director of Product Marketing for ProofPoint, a SaaS security and compliance provider. “Ensure that you can hold cloud vendors accountable through SLAs, not just operationally but at an application level. Insist on SLAs for applications.”

If something important – data privacy, disaster recovery and automatic backup, logging – is not in the SLA, ask why it’s not there. Next, either go elsewhere or ask them to accept the revised SLA your management and legal team put together to cover all of your concerns.