Whilst Cloud Computing is now well established as a route to greater flexibility, efficiency and capital expenditure reduction, not all organisations yet feel ready to transition their business critical applications to a cloud environment.
Entrusting these applications to the cloud – those without which your business simply could not operate – means that availability, recoverability, security and performance are all of paramount importance. For these applications, be they CRM or ERP, off the shelf or custom built, a one-size-fits-all approach is not sufficient.
Here I explore the key factors involved in deploying business critical applications to the cloud, for example what questions should be asked of your provider: from the cloud infrastructure and service processes, and issues such as application optimisation, to the Service Level Agreements (SLAs), the contract and the way that the account will be managed.
With more variables to consider, do critical business applications require different and specialised infrastructure solutions and what skills and expertise are required from your provider?
Critical and cloudy
Firstly, it’s important to be clear what is meant by “business critical”. If an organisation needs an application to be highly available (during specified time periods, not necessarily 24x7x365) then, by definition, it is ‘business critical’ for that organisation, regardless of its purpose.
For such applications, the key factors that need to be addressed are availability, recoverability, security and performance. Generally, recoverability will go hand-in-hand with availability as will security, in order not to compromise the availability of the application or the data on which it relies, and these characteristics must be delivered with appropriate and acceptable performance to end users.
There are many definitions of the cloud, but here we focus on externally hosted, public clouds where management of capacity, patching, changes and releases, for the entire infrastructure stack below the application itself, is delivered by an external provider. The characteristics which collectively characterise the cloud are:
- service-based delivery using internet techniques
- shared infrastructure
- elasticity and scalability
- ‘metered’ consumption model and associated payment.
This is the scenario where organisations will have most concern regarding cloud deployment but many of the issues raised will also be relevant for an internally hosted private cloud environment, where the organisation itself performs the majority of the associated infrastructure management activities.
The first key consideration is to choose your cloud carefully so that you work with a provider who is as transparent as possible concerning their infrastructure and service processes, allowing you to gain a good understanding of the overall solution architecture for your applications.
For business critical applications, it may be important to select a provider who will allow a degree of customisation on how the cloud infrastructure is architected, and how their service ‘wrap’ is delivered to you, in order for you to be confident that the provider is able to deliver the service levels they claim.
From the outset, establishing a close relationship with a provider is important so that they fully understand the types of applications that will be running; cloud providers deliver environments for many different purposes, from test and development to those specifically designed with critical applications in mind, so ensure that the environment is fit for purpose.
Further, for business critical applications, a provider’s knowledge of, and experience in, running specific applications such as SAP, becomes more important, so that the infrastructure can be appropriately architected to satisfy the criticality requirements.
By its nature, the cloud infrastructure introduces unique challenges; it is more dynamic than traditional in-house IT operations and so there is more potential for continual change in the underlying infrastructure allocated to your application to meet its varying demands. A cloud provider is likely to take full advantage of their virtualisation platform, adding further variables to the mix – for example, when an application’s virtual resources migrate dynamically across the provider’s underlying physical environment.
With more variables to consider, it’s also important to work with your provider to understand how application performance optimisation will be delivered, if at all, to ensure that the user experience is not compromised, and that the applications you need perform to the required standard when it most matters to your business.
Service Level Agreements and Contracts
Essentially, the ‘cloud environment’ is another piece of your infrastructure and it needs to be given the same consideration as you would for any environment you run in-house. This means having the assurance, through Service Level Agreements (SLAs) and the contract with your provider, that the service you sign up to meets the levels of availability, recoverability and performance required. For example, can your provider deliver the required security compliance for standards such as PCI DSS?
This is where carrying out due diligence on all aspects of service provision comes in, and it’s important to think in terms of ‘worst case’ scenarios. For example, when it comes to disaster recovery, establish where your organisation’s applications fit in the ‘queue’ should the provider have a problem with their infrastructure. Ensure you know where your organisation is prioritised, and how quickly you could be up and running again in the event of a service outage. Issues such as this can make a significant difference when you’re waiting for applications, on which your business and customers rely, to come back online.
In addition, think about the consumption model when agreeing the contract and, specifically, the level of fixed and variable capacity required; on-demand services are paid for at a premium price over pre-determined, committed levels of consumption. Similarly, consider the flexibility of the contract itself; requirements may change over time so be wary of getting locked into long contracts that don’t give you the option to move provider should you need to. Flexibility should also be considered in terms of ‘data portability’, for example, should you wish to change provider, could you get access to all the data that they hold?
Of course it’s not only how your data is managed, but also where it is stored that is increasingly important in today’s compliance-driven landscape. In terms of contracts, it is not enough to know the stored location of data, but also the location of the support and monitoring functions of the infrastructure. In a wider context, this aspect of ‘data sovereignty’ is also important for all applications not only business critical ones.
You should find out if the contract allows you to specify where data should go, either temporarily – such as for access – or permanently, in the course of fulfilling supporting and monitoring functions – for example, will your data pass through a geographic jurisdiction for ‘issue resolution’? This is of particular importance for government entities and for compliance with data protection legislation.
Finally, a word of caution about service credits; these are offered by providers as a refund should the service fall below a contractually agreed level. Whilst it’s important to ensure that a provider has an attractive service credit regime, clients should be confident, through their own due diligence (addressing issues highlighted earlier), that the circumstances triggering the need for service credits never arise.
One of the less tangible, yet no less important, aspects of a provider’s service is to ensure that clients are valued, and that the relationship is managed professionally. As anyone who has encountered issues with a third party supplier can testify, trust and confidence in a provider can be dented on the basis of a poorly managed relationship or less than satisfactory service from staff, precisely at the point when it is most needed: when an issue arises.
Equally, no customer likes to feel that they’re just one of many, so it’s important to ask at the outset if there will be a dedicated account manager, so that if you have concerns or need more substantive advice on a particular aspect of your cloud deployed applications, you have access to this. Ultimately, people do business with people they trust, and this factor cannot be underestimated when it comes to appointing a third party to manage your critical applications. Unfortunately, all too often, it’s not until you have an issue which requires resolving that you really understand exactly where you fit as a priority with your provider.
Cloud computing offers many advantages but also, as it’s still relatively new, there are no all-encompassing ‘best practices’. Knowledge and good planning are both key and ‘one size’ does not fit all. This is true not only of the infrastructure itself, but also the definition of the managed service provided and associated SLAs, and even the way in which the relationship is managed by a provider.
All of these issues become magnified when it comes to entrusting business critical applications to a third party; however, by asking the right questions and understanding the way in which the cloud environment is designed and managed, you will be better equipped to make the most informed decisions about your most important resources.