29
Fri, Nov
0 New Articles

Considerations for Choosing a Cloud Service Provider

Managed Services / SaaS / PaaS / IaaS
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Eyeballing the idea of outsourcing some IT functions to the cloud? If you want to avoid the cloud raining on your enterprise parade, you'll need the protective umbrella of some thorough advance planning.

 

In an industry that's been fond of technology fads for decades, cloud computing looks like one that might actually stick around for a while. Although choosing a cloud service provider (CSP) might seem like a decision little more complicated than choosing a software package, there's more to it than that. Hopefully, here you can find some guidance in figuring out how to make a good choice.

 

Let's first assume you've already made the decision to buy cloud services, rather than building a private or hybrid cloud infrastructure of your own that you may or may not sublet to other companies. "Building" means you're getting into the business of being a cloud provider yourself, which presents a completely different layer of challenges that we won't address here.

Strategic Alternatives

The next big decision is exactly what services you're going to outsource. The stable of "as a service" cloud offerings now includes not just software and platforms or other infrastructure, but also storage, security, data and databases, test environments, APIs, back-end services, and workstation virtualization.

 

Choosing which services to commit to the cloud is more important than it may seem, because on a certain level, you're restructuring how you do business. The changes to your business won't necessarily be drastic, but going to the cloud will definitely cause some. That makes moving to the cloud not just an IT concern, but a strategic move that touches executive, sales, marketing, and other functional enterprise areas. The decision should be treated as such, the subject of thoughtful planning.

 

If your enterprise is big enough, consider undertaking a cloud conversion project with a task force that includes representatives of all the stakeholding areas of your organization. For one thing, you don't want to overlook anything that will be a major stumbling block later. For another, you want to be sure everyone is on the same page about ceding to a CSP a portion of the total control over your infrastructure that you have now.

 

Next comes a long series of strategic questions to which you need to give yourself honest answers. What are your corporate goals in choosing a provider? Saving time or money are the only real justifications for using a CSP. How much of both are you realistically expecting to gain? What kinds of services do you need? Are there some parts of your business for which cloud might not be a good answer? Are you going to outsource "mission-critical" functions or just some peripheral ones? And what does "mission-critical" really mean to your enterprise?

 

The size of your organization is important, too. Does your volume of users (which may include customers and trading partners as well as internal end users) justify using a CSP? If that number is under several dozen, probably not. Another concern is that if your business is too small, you may not have enough clout for a CSP to be flexible about customizing your service or your contract, both of which can be critical to a successful implementation.

 

How quickly do you need to have CSP services deployed? How much uptime do you need to be guaranteed for your apps? How much risk are you taking on by handing control of your outsourced systems to an outside party? How will the role of your IT department change depending on how many services you outsource? Who will be responsible in your organization for administering the relationship with your CSP? How will you track your own resource usage to be sure you're not being accidentally overcharged once you have a CSP, and who internally is going to be responsible for that oversight? Who will be the internal "owner" of your data? These are ducks good to have in a row before you even talk to your first CSP.

Tactical Decisions

Ideally, you'll want to start with one provider and implement an outsourcing program in stages. Realize that you may eventually have several CSPs that handle different services, but that's in the future. However, sampling different vendors for different services right off the bat probably isn't a good idea. It sounds smart, but managing all those relationships can quickly become a problem in itself that can "cloud" the whole outsourcing issue. Procedures you may develop for working with one CSP won't work with all CSPs because there really isn't enough standardization in the industry yet. CSPs don't all charge for services on the same basis, there isn't a universal model for CSP services, and the choices between public, private, and hybrid clouds don't mean the same set of services in all contexts. It's probably best to focus on one relationship at a time unless you have compelling reasons to do otherwise.

 

Naturally, you'll want to at least compare prices from several different CSPs, but the lack of standardization means you have to be wary about the meaning various CSPs may attach to similar terms. For one thing, does the CSP charge by the hour or by transaction? Don't forget that "transactions" will include your sending new customer and product information to the provider's servers as well as receiving back order confirmations, payment data, and so forth.

 

What other services will be necessary? For example, who will carry out the initial integration of back-end data with in-house systems? How about over time as changes might be needed? Will end-user training be required, and if so, who is responsible for that at what cost? Are there consulting or other services that might be required to iron out procedures at the start? Are there special costs associated with staging the implementation and integrating the non-cloud elements of your business?

 

It's a good idea to do a cost analysis over several years that takes into account not just the cost of acquiring services, but the transaction, network, professional services, and other fees that will be required over the life of the contract. Then compare that to your projected costs of making no change. Does your justification for making a change still hold?

Additional Information Resources

There are a few third-party sources of objective information about considerations in making a CSP selection that you'll want to check out, although there may be fees associated with accessing some of them.

 

ISACA (formerly the Information Systems Audit and Control Association) offers ISACA IT Control Objectives for Cloud Computing, an educational resource document for IT professionals that provides a good overview of what ISACA considers should be expected from a CSP. The NIST Cloud Computing Synopsis is a paper from the U.S. National Institute of Standards and Technology that explains cloud systems in non-technical language and makes recommendations for cloud users at all levels. The Cloud Security Alliance Controls Matrix offers a discussion of cloud-services security concerns for both providers and consumers. The Jericho Forum, a membership organization of senior IT officials, has published the Jericho Forum Self-Assessment Scheme (SAS), a protocol that helps users check the effectiveness of IT security plans, including those involved with cloud computing.

 

While you're at it, there are also documents someone at your organization should read about professional standards that relate to cloud-computing services, because you'll want to know if your prospective CSP meets them.

 

ISO/IEC 27001 is an international standard for forming an enterprise's information security management system that spells out control objectives, management responsibilities, and auditing procedures. ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System. COBIT 5 is ISACA's framework for governance of enterprise IT. SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that specifies controls and safeguards that service providers must meet for hosting or processing customer data, which is required under Section 404 of the Sarbanes-Oxley (SOX) U.S. financial-reporting requirements law. MSPAlliance, the international association of managed service providers, offers the Unified Certification Standard (UCS) for Cloud and Managed Service Providers, a voluntary set of standards for vendors in the managed services industry.

Specific CSP Attributes

Once you feel you have a grasp of the larger issues, it's time to start evaluating any CSPs you might be considering working with. This step brings with it a new set of questions, some of which will have subjective answers.

 

Does the CSP have sufficient technical expertise? Does it have a successful track record of at least two years in the CSP industry? Does the CSP understand your business type? Does it have expertise in your market segment? Does it have experience with your size of organization? What professional services does it provide to help with your transition? How many data centers does it have (just one means it's potentially more vulnerable to outages)?

 

What are the CSP's total capabilities? Is the CSP limited in its geographical service area? Do you need your CSP to have international experience? Does the CSP have documented policies and procedures for such service aspects as service changes, event handling, billing and reporting to clients, and providing physical, environmental, and logical security? What's the quality of their hardware?

 

Then, naturally, there are the usual questions one has in choosing any type of provider. What's the general reputation and financial stability of the provider? Are there some customer references you can check? What's the provider's current level of customer satisfaction? Will there be a specific person at the provider responsible for your services/implementation (not just your "account")?

 

How does the CSP's pricing compare to its competitors? Don't forget that you may be comparing apples to oranges. If price is based on usage, how does that compare to your current costs? If based on hours, how many hours per day will you really be using the service and what will that cost? What will the charges be over time for such tasks as customizing software, cleansing data, or adding services not spelled out in the initial contract? What are the CSP's payment options? How much bandwidth will you need to handle your enterprise traffic? Will you be paying by the hour, per transaction, or some other metric?

The Heart of the Matter: SLAs

Low prices may mean too much wiggle room in the service-level agreement (SLA), which opens up another realm that can be rich with pitfalls. The SLA is possibly the most important part of your agreement with the CSP, so it deserves careful scrutiny.

 

A key part of any SLA is the amount of guaranteed uptime. While 99.7 percent or better uptime is minimally acceptable, it's important to determine how the CSP is defining it. What's the measurement period for uptime performance? How long can service be interrupted before it's truly considered "downtime"? How are incident notifications handled? Too little granularity here can be a huge problem later.

 

What are the provider's other SLA terms and conditions? Can they be customized for you? How many and what kind of customer support services are included? What constitutes noncompliance with the SLA and what are the penalties for that? Is there a clear differentiation of duties performed by your staff and the CSP's? What happens if a midday outage occurs? What happens if a data breach occurs?

 

Are customization of services and software covered in the SLA or somewhere else? What happens if you want to upgrade the third-party software you're using to a new version? What if you want to upgrade in-house software running on the CSP's servers? How is that handled and who's responsible for making sure that everything remains integrated?

 

Can your CSP provide services that meet certifications such as PCI-DSS (payment card data encryption and security), the Health Insurance Portability and Accountability Act (HIPAA), or other standards that may be specific to your industry or markets?

 

Will the vendor provide a sandbox environment for you to test in before full implementation? What are the disaster recovery and failover plans of the provider? A promise of 100 percent uptime is meaningless if the provider doesn't have an HA/DR plan.

Parsing the Technical Issues

Of course, you can't forget technical issues that may seem like mere details compared to the other, bigger questions that have to be answered, but the technical matters also have to be clarified.

 

How are users going to be connected to resources? What policies does the CSP use to determine which users access which servers? How well is your data going to be isolated from other clients' in shared environments? How does the CSP handle load-balancing between servers to keep the needs of other clients from slowing down your application response times? Will your users be able to connect to your applications easily via mobile devices?

 

What will be the procedures for adding new trading partners to your systems if that's necessary (otherwise known as "supplier enablement")? Will you be able to maintain audit trails on changes to your own data? Do your applications need to use Web services? How will Web services use be handled, and how will where those services are located affect your transaction numbers? Are the user interfaces and menus for end-users and administrators easy to understand and use?

 

While we've covered a great many questions here, there are always more. Because your business is unique and so are your needs in a CSP, there could easily be hundreds more that you need to ask to be sure a CSP is the right fit for your business needs. Someone in your organization needs to explore what those might be. You don't need to believe in Murphy's Law to know that the question you forgot to ask could end up being the one that comes back to bite you.

Into the Future

How things will work for you in a cloud environment on day one isn't going to be the end of a project; it's the start of an ongoing relationship. As with anything, over time circumstances can change, both for your enterprise and for the CSP. So there are a few more points to be sure to cover.

 

How hard will it be to drop the provider if they don't measure up? Does your contract spell out everyone's responsibilities if there needs to be an exit strategy? How often will the provider be sharing performance data with you, and what happens if that data isn't satisfactory to you? How easy will it be to migrate your apps and data if you decide to switch CSPs later, for whatever reason?

 

Does the provider have a long-term cloud strategy for its own business? What are your guarantees if your CSP is later acquired by another company?

 

Can your CSP extend your services smoothly if your enterprise expands in the future? On the other hand, don't take on more services than you really need up front. You don't want to be paying for extras if that growth turns out to be farther in the future than you currently anticipate.

 

Finally, after all is said and done, before you ink that pact, you have to ask yourself if you trust the people into whose hands you're going to place an important piece of your business. If the answer is anything other than "yes," all the other questions become irrelevant.

 

If you're interested in a list of CSPs who provide service for IBM i users, please see "Technology Focus: Cloud Service Options for IBM i."

 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: