IT managers considering public cloud providers, including Software as a Service (SaaS) vendors, have the right to ask questions of the many vendors looking to sell them the next big thing. But what are the right questions?
Security is a primary concern to enterprises that deal with sensitive data and are reluctant to put it into the cloud. Paul Burns, president of Fort Collins, Colo.-based analyst group Neovise, said that while people have gotten used to the multi-tenancy aspect of many cloud services, they still should have other security concerns.
“Is the data stored in an encrypted fashion? Is the data encrypted during data transfer? Who holds the encryption keys?” Burns said.
Michael Canniff, a professor of management information systems at University of the Pacific and senior partner with San Francisco-based Mercury Consulting, thinks enterprises should take a three-pronged look at security: data center, data management and access rights.
“If I was a corporate IT person and I’m looking to get into SaaS and start buying licenses from [vendors], the CIO or IT director are going to need to look at that SaaS provider and find out if their data center is run in a secure manner,” Canniff said. Enterprises should ask about multi-tenancy and whether systems are in place to keep one client’s data separate from another’s. Access management capabilities should also be a concern.
Canniff adds that many SaaS providers have a proven track record with security and are more competent at handling it than many enterprises.
“If you’re dealing with Fortune 100 or 500 companies, they’ve got very sophisticated IT operations,” Canniff said. “But if it’s the small to medium-sized businesses, and I’ve done consulting for a few, then I would rather trust the SaaS provider [for security].”
Jeff Kaplan, managing director of Wellesley, Mass.-based consulting group THINKstrategies, extends Canniff’s argument to the public cloud in general.
“The fact of the matter is the cloud is gaining acceptance in all quarters,” Kaplan said. “You can’t make a turn in this world without being exposed to the terminology of cloud.”
Understand cloud service-level agreements
While a security breach is every IT department’s worst nightmare, a service outage isn’t far behind on the list. Canniff recommends examining the disaster recovery and backup plans of a SaaS provider before making a decision.
“Most of these providers will have an ongoing backup routine,” he said, adding that it is still the buyer’s responsibility to find out. “Has the SaaS provider done a disaster simulation, what were the results of that disaster simulation and were they able to get back online?”
Burns also warns against simply assuming that a cloud provider will have a backup plan.
“A lot of SaaS providers don’t have their own data centers, they tend to go to data center providers or just go to a cloud provider and get dedicated or virtual servers through them,” Burns said. “It’s sometimes worth knowing, Who’s your provider?”
Negotiating for disaster recovery during the contract phase of an agreement is also key, according to Canniff. He says that while standard contracts often include some sort of partial money-back guarantee if the provider exceeds a certain amount of downtime, it often is not enough.
Spend cloud computing dollars wisely
During negotiations, all sides recommend discussing cost and having a thorough understanding of pricing models. Different SaaS applications use different models, with the most popular being pay-per-user. Some offer pricing models based on how much data is stored.
Burns warns enterprises to look at the fine print and be sure to have an exit strategy. He said that while costs may be low while the application is being used, hidden fees may lurk in contracts if the company later decides to move data in-house or to a different SaaS application.
Canniff believes some enterprises are not weighing cost correctly, suggesting that moving to the cloud allows IT resources to be spent in other ways that are potentially more valuable but aren’t factored into a cost analysis.
“One thing I think that some people may not look at from an IT perspective is, Where is their core competency? Where do they want that to be?” Canniff said. “For an on-premise solution, by definition, you have to have a core competency in data management, networking, server upgrades and all of that detail.”