1 – Back up everything (even if your service provider is doing this too)
Anyone who has seen my LinkedIn profile will not be surprised to hear that I am an advocate of Cloud services. My career has progressed from selling (and advising on) on-premises technology via hosted solutions, to true Cloud propositions, and I can’t see that trend reversing. So, it may come as a surprise that my latest post is about the risks of offsite computing solutions.
I’d like to start with a true story. One of my close friends is a college lecturer in California. She had enthusiastically embraced Cloud technology in the form of Google Drive (as the method for sharing course content with her students). Unfortunately, one of the things she had stored on her Google Drive (this was a personal account, not one associated with the college) was a YouTube download of a TV documentary which was still under copyright. Google are clear in their terms and conditions that you cannot store copyrighted material on the service, but she thought, incorrectly as it transpired, that as the file was on YouTube it was freely available.
Google ended up restricting access to my friend’s entire Google Drive, not just the contentious file. As a busy teacher with many years’ worth of teaching material stored and shared with her students via Google Drive, you can imagine the impact this decision had. It has been several months and despite lots of communication with the Google helpdesk staff, her access still hasn’t been restored.
This really drives home the need to back up everything, even data held by a supposedly trustworthy and secure Cloud service provider.
2 – Do your due diligence on the service provider.
Another concern, which came to prominence in 2013 (with the demise of 2e2), is the risk of a hosting or Cloud service provider going out of business. Many of 2e2’s customers found themselves in the unpleasant position of effectively having their data held to ransom, as well as being given a very short timescale to pay up and get their data out of the data centres. While the administrators and the companies that bought 2e2’s assets tried to ensure nobody lost data or critical services, the fact is that it’s expensive to run data centres, so if there isn’t any income, systems will have to be turned off.
Since then, most hosting providers have written something (such as parent company guarantees, ‘living will’ clauses, vendor support or insurance policies) into their contracts to reassure customers and protect them from unexpected bankruptcy. However, it is always worth checking the agreement.
3 – Create and test a full Business Continuity plan for your systems (regardless of whether they are on-premises, hosted, or Cloud-based)
The next thing I want to look at is Disaster Recovery (DR). There are definitely advantages to hosting or Cloud-based systems when it comes to DR, as I witnessed early one morning. Whilst driving my MD to the office, he took a call from a member of the helpdesk team. They advised that the emergency services were at the office and had closed it off due to a nearby fire which was emitting potentially harmful fumes.
Luckily, the company’s systems were in a geographically distant data centre, and we all had the tools to work remotely (Citrix XenApp, softphones, and a laptop). This meant that the MD could easily trigger the business continuity plan which resulted in all staff from that office getting a text telling them to work from home (or to go to an alternative office). The regular helpdesk call handling system was designed to work no matter where the agents were physically located, and all the IT systems the team needed were still fully available via the Internet.
In the Cloud, it’s easy to think that by moving your IT out of your offices you have automatically protected yourself from disaster. However, that’s not necessarily always the case. What happens if your service provider’s data centre is hit by a disaster? It is important to ensure you know what would happen in that event. Does the service you subscribe to include failover to an alternative data centre? If so, where is that secondary DC? It’s important to ensure you have a thorough DR plan in place to avoid business disruption.
4 – Don’t forget to allow for connectivity problems.
One question regularly asked in the early days of Cloud computing was “what happens if I lose connectivity?” It’s not asked as often now, as people have got used to the idea of always-on connections. But it still requires attention. Can your users connect across the internet via a Wi-Fi connection or a mobile dongle if your expensive leased line is down? It may be that a secure method for allowing that (VPN, Citrix, etc.) should be built into the costs of your Cloud service.
5 – Make sure you are buying the right level of support for your needs.
If your hosted server goes down, who fixes it? It may seem obvious that a hosted server should be supported by the hosting provider, but it depends on what you’ve signed up for. A pure IaaS service will be cost effective but probably won’t offer support beyond the level of the physical host being up and the VM responding to a ping request. If you really count on that application, make certain the level of support you agree with the hosting provider matches your needs. Having everything in the Cloud doesn’t mean you can run your company without any IT expertise at all, unless you’ve actually contracted your provider to replace all the functions of a local IT team (including local PC support if necessary).
6 – Who owns your data, who can access it, and where is it?
Most people would probably argue that any data a UK citizen (or company) stores in a UK data centre, for UK use only, would only be subject to UK law. However, the US legal system doesn’t abide by this logic. In at least two high-profile cases, US judges have argued that data held by a US company is subject to seizure by US law enforcement, no matter where in the world the data is stored. Although it is unlikely that you would ever find yourself in this position, it is worth considering whether the laws you operate under (including GDPR) allow you to take any chance that your data will be shared with US government agencies. The international legal situation around these questions is fluid and likely to change over time, but your responsibility as a business is to ensure you know where your data is and who may ultimately have access to it. So, do speak to your service provider about data sovereignty. And make sure they clearly state in the contract that any stored data remains your property.
7 – What happens when you leave?
In the excitement of getting a new business application hosted by the supplier, you would be forgiven for not giving much thought to what happens at the end of the relationship. A historic court case in America shows that it’s vitally important to agree upfront what happens when you stop being a customer.
While it isn’t often clear who is at fault in these cases, what is clear is that when two parties disagree about what should have happened when the contract ceased, nobody wins. Make sure that doesn’t happen to you by clarifying it in the initial procurement process. You want your service to run up to your migration date, your data to be passed to you in a useable form, and the data left behind to be destroyed by an agreed date. There’s a (probably apocryphal) story of an early Cloud user getting a massive printout of gigabytes of data instead of a file after falling out with the supplier.
8 – What is the total cost?
In a previous article, I discussed some of the cost elements of moving an application to a hosting environment or the Cloud. Most of the feedback the article generated was from people agreeing that generally they don’t compare like for like when looking at the total costs of buying a service instead of doing it themselves. If you find yourself unsure about what the total cost of on-premises IT is to your business, you won’t be alone. Often there are hidden costs such as the cost of power and air conditioning, increased insurance premiums, and the cost of the floor space being dedicated to a computer room. These costs may be assigned to other expense lines and aren’t cross charged to IT, so they tend to be forgotten when making comparisons. And, of course, don’t forget the added cost and complexity of business continuity when you have your IT on-site.
Is it still worth looking at a hosted/Cloud solution?
As I said at the beginning, I am a fan of hosting and the Cloud. None of the issues and concerns above change the fact that it makes sense to get your IT out of your offices, where it is at far greater risk than in a proper data centre. DCs have location, connectivity, power supply, cooling, and physical security advantages that you can’t generally achieve in a computer room in your offices. Plus, they haven’t got the biggest risk factor of all wandering around: staff who are unaware of just how critical IT systems are to your business.
As long as you talk to your service provider about your concerns and get them to agree in the contract to any that are crucial to your needs, the risk of moving to a hosted or Cloud environment is far lower than keeping on-premises systems. This has only been reinforced by the pandemic, which highlighted the need to be able to access files and systems remotely.
We appreciate that taking the first step to moving to the Cloud can be daunting. That’s why, in partnership with Microsoft, we’re pleased to be offering a free Azure Migration Assessment, which evaluates your infrastructure, and provides insights on the business, cost, and technology benefits of migration.
Written by Ioan Elwick