Data Center Operations 52

The number of Cloud Computing providers continues to increase as business and consumer IT services move to the cloud. There has been similar growth in data centers to fuel Cloud Computing service offerings. Cloud providers of all types and sizes, including well known technology leaders and thousands of startups and emerging growth companies, are making major investments in this promising new approach to IT service delivery.

Sharing IT resources to create efficiencies and economies of scale is not a new concept. However the cloud business model works best if the traditionally enormous investments in data center operations are spread over a larger pool of consumers. Historically data center architectures have been deliberately oversized to exceed periodic peak loads, which means during normal or low demand periods, data center resources are often idle or underutilized for long stretches of time. Cloud service providers, on the other hand, seek to optimize resource usage, both human and technological, to gain competitive advantage and maximize operating profit margins.

The challenge for consumers of cloud services is how to best evaluate the provider’s capabilities to deliver appropriate and cost-effective services, while at the same time protecting the

customer’s own data and interests. Do not assume that the provider has the best interests of their customers as their top priority. With the common carrier model of service delivery, which Cloud Computing is a form of, the service provider normally has little or no access to or control over the customers’ data or systems beyond the contracted level of management. Certainly this is the correct approach to take, but some cloud architectures might take liberties with customers’ data integrity and security that the customer would not be comfortable with if they became aware. The consumer must educate themselves about the services they are considering by asking appropriate questions and becoming familiar with the basic architectures and potential areas for security vulnerabilities.

When making a decision to move all or part of IT operations to the cloud, it first helps to

understand how a cloud provider has implemented Domain 1’s “Five Principal Characteristics of Cloud Computing”, and how that technology architecture and infrastructure impacts its ability to meet service level agreements and address security concerns. The provider’s specific technology architecture could be a combination of IT products and other cloud services, such as taking advantage of another provider’s IaaS storage service.

The technology architecture and infrastructure of cloud providers may differ; but to meet security requirements they must all be able to demonstrate comprehensive compartmentalization of systems, data, networks, management, provisioning, and personnel. The controls segregating each layer of the infrastructure need to be properly integrated so they do not interfere with each other. For example, investigate whether the storage compartmentalization can easily be bypassed by management tools or poor key management.

Lastly, understand how the cloud provider handles resource democratization and dynamism to best predict proper levels of system availability and performance through normal business fluctuations. Remember, Cloud Computing theory still somewhat exceeds its practice: many customers make incorrect assumptions about the level of automation actually involved. As provisioned resource capacity is reached, the provider is responsible for ensuring that additional resources are delivered seamlessly to the customer.

It is imperative that an organization considering purchasing cloud services, of whatever kind, be fully aware of exactly what services are being contracted for and what is not included. Below is a summary of information that needs to be reviewed as part of the vendor selection process, and additional questions to help qualify providers and better match their services against

organizational requirements.

√ Regardless of which certifications cloud providers maintain, it is important to obtain a

commitment or permission to conduct customer or external third-party audits.

√ Cloud customers should understand how cloud providers implement Domain 1’s “Five

Principal Characteristics of Cloud Computing”, and how that technology architecture and infrastructure impact their ability to meet service level agreements.

√ While the technology architectures of cloud providers differ, they must all be able to

demonstrate comprehensive compartmentalization of systems, networks, management, provisioning, and personnel.

√ Understand how resource democratization occurs within your cloud providers to best

predict system availability and performance during your business fluctuations. If feasible, discover the cloud providers’ other clients to assess the impact their business fluctuations may have on your customer experience with the cloud provider. However this is no substitute for ensuring the service level agreements are clearly defined, measurable, enforceable, and adequate for your requirements.

√ Cloud customers should understand their cloud providers’ patch management policies

and procedures and how these may impact their environments. This understanding should be reflected in contract language.

√ Continual improvement is particularly important in a cloud environment because any

improvement in policies, processes, procedures, or tools for a single customer could result in service improvement for all customers. Look for cloud providers with standard continual improvement processes in place.

√ Technical support or the service desk is often a customer’s window into the provider’s

operations. To achieve a smooth and uniform customer support experience for your end users, it is essential to ensure that the provider’s customer support processes,

procedures, tools, and support hours are compatible with yours.

√ As in Domain 7, review business continuity and disaster recovery plans from an IT

perspective, and how they relate to people and processes. A cloud provider’s

technology architecture may use new and unproven methods for failover, for example. Customers’ own business continuity plans should also address impacts and limitations of cloud computing.

Contributors: John Arnold, Richard Austin, Ralph Broom, Beth Cohen, Wing Ko, Hadass Harel, David Lingenfelter, Beau Monday, Lee Newcombe, Jeff Reich, Tajeshwar Singh, Alexander Windel, Richard Zhao