How to buy cloud computing services

Five key questions to ask any prospective cloud provider

If you need more computing or storage capacity in your data center but capital expense is an issue, then a public cloud computing service makes a nice option. You get on-demand IT resources that are infinitely scalable and you pay for what you use.

Cloud Computing Services

But running an enterprise application in a public cloud isn't as simple as some providers might have you believe.

Buying a cloud service isn't just about the nuts and bolts of computing and storage, cautions Dave Powers, associate information consultant at Indianapolis-based Eli Lilly & Co., which has been using Amazon Web Services (AWS) since April 2008. "It's about all of the Web services and capabilities built on top of the cloud that makes being able to spin up some computing, do some storage and then tear it all down very low-friction."Before committing to a cloud services provider, IT execs should understand exactly what resources they have on hand, what they're buying, and how running on a public, shared server infrastructure will affect applications and business processes.

Tony Bishop, CEO of Adaptivity, a consulting firm specializing in next-generation IT infrastructure, puts it this way: "As much as cloud does away with the limitations of hardwired infrastructure, it doesn't alleviate the need for proper planning and IT integration discipline. It amplifies it."

Here are some practical guidelines on issues to consider and questions to ask when buying cloud services.

1. Are your applications ready?

For Bernard Golden, CEO of HyperStratus, a consulting firm specializing in advanced IT technologies, the top priority is figuring out whether an application needs modifications or a complete re-architecting for use in the cloud. "In some cases, your application architecture could even constrain your cloud options," he says. Golden uses this simplistic case as an example: "Say you have something running on an Alpha chip-based computer. You're not going to find a cloud service that can run Alpha binaries."

Failure to rethink an application might even defeat the purpose of using a cloud service, says Eli Lilly's Powers. This was one of the company's first lessons learned as an AWS user, he adds.

"At first, we literally picked up a workflow from our internal grid environment and dropped it into the cloud. While that worked, we learned that we had constrained ourselves. In the cloud, we had this infinite amount of compute and storage, but our application, designed to run inside Eli Lilly's fixed-size computing environment, couldn't take advantage of it," Powers says.

Now, the Eli Lilly team might chunk up an application and move data into and out of the cloud in smaller, more consumable pieces, or it might store some data in the cloud, so an application doesn't have to retrieve it from the enterprise data center, Powers explains.

And, Powers makes sure every cloud-destined application accounts for fault tolerance. "If you're buying infrastructure as a service, you have to understand that a machine can go down at any time, and your application design needs to consider that," he adds.

Tom Nolle, CEO of CIMI, a high-tech consulting firm, advises that developers work through the deployment process before committing to a cloud. "You need a little flow diagram: Here's the cloud. Here's my application inquiry going into the cloud. Here are the data sources needed to fulfill that request and here's where they flow and how they get moved. Now I can see everyplace I have data flowing around, I have a vulnerability to network behavior and I can begin to manage the vulnerability."

Latency, response times, throughput -- these are watch points across the network. As Powers says, "We wouldn't want to be moving terabytes of data at a time in an interactive session for scientists; they wouldn't get the response times from the cloud they're accustomed to on the Eli Lilly network."

2. Where is your data?

A cloud provider isn't going to share nitty-gritty network details -- nor should you need to delve into the cloud at such a granular level, experts say. "It's never going to give you exact addresses, hardcoded, but it will need at least to provide a broker mechanism that can tell you, 'I'll go get you that data, and I'll provide you the right data you're requesting for system-to-system communications, based on your entitlement," says Adaptivity's Bishop. In other words, you need to understand where your data resides in the cloud from a logical perspective.

On top of that, you may want to work with a cloud provider who allows you to designate geographically where your data resides, Nolle says.

With the Amazon cloud, for example, you can select between Europe and U.S. regions, then narrow the location even further by picking availability zones. Once that's settled, you can query your ISP and Amazon about their peering relationship in those zones, Nolle says.

"The point is," he says, "if you know roughly where something is going to be allocated in terms of cloud IP resources, then you can make some intelligent judgment about how your access to those resources could be influenced by your selection of provider, or at least to whom you would have to go to obtain some kind of performance guarantee."3. How is data being protected?

Working with a cloud provider allowing geographic designations also can help assuage concerns over security and, especially, compliance. Eli Lilly's Powers spells out the challenge. "We need to be cognizant of where our data is because of regulatory rules that dictate where data may or may not live geographically," he says.

"In the pharmaceutical industry, one of the first questions people ask is about privacy and regulatory-type of requirements and the second is around security. Clearly, both are huge factors for us in determining what goes out into the cloud," he says. In fact, "we haven't unleashed everything that we'd like to yet into the cloud because we're still working out processes and classification of the data -- whose eyes can see what," he says.

Meantime, meeting security requirements in the cloud means encrypting data while in transit and at rest, using secure protocols such as Secure-HTTP, and vetting a provider's access control mechanisms, experts say.

You'll want to query providers about who, physically, has access to machines hosting your data. And, from an entitlement perspective, you need to specify who can make changes, update, view or otherwise manipulate your data -- and have access to the audit trail, Adaptivity's Bishop says.

You've also got to cover disaster-recovery processes in your security discussions, advises Jim Kobielus, a senior analyst with Forrester Research. "A cloud provider should be telling you with high degree of detail how often it backs up data, where it's backed up, how it's protected from a security standpoint, and how quickly it can restore data if the main system goes down and it's restored to a hot failover system," he says.

4. What's customer support like?

Many IT shops may not have time to deal with all the intricacies of a move to the cloud, so they'll need to seek out help, Kobielus says. This help might come in the form of pre-packaged application suites, for example, or assistance in porting data and applications to its cloud.

A provider might offer a CRM application suite, but what if a user would rather migrate from a premises-based CRM system to a cloud-based CRM service? "Will the cloud service provider help optimize, rewrite or tweak the Java code so it runs on its platform?" he asks.

For Animoto, a New York on-demand video production start-up, help migrating the company's platform from a hosted environment to a cloud service was paramount, says founder Brad Jefferson. "We really wanted to do infrastructure as a utility, and not spend any time focusing on that -- it's not a trivial task to implement against an Amazon Web Service or Google App Engine. It takes time, and we didn't want to spend all our cycles implementing it ourselves."

Amazon partner RightScale, a start-up providing cloud computing management and support, did the heavy-lifting for Animoto -- to great success, Jefferson says. After moving the Amazon's Elastic Compute Cloud (EC2) service, the company launched a Facebook application that quickly went viral and became a case study for cloud scalability.

When the Facebook crowd glommed onto Animoto's free, on-demand video -creation tool last April, the company saw requests leap from 25,000 in the first month to 750,000 in a four-day period. Behind the scenes, the number of servers processing videos grew from 100 to 5,000, and back down again as demand leveled off. EC2 never hiccupped, Jefferson says.

Testing the scalability of any cloud provider's infrastructure is a pre-buy must, HyperStratus' Golden says. "Promises of really elastic capability and responsiveness doesn't do you much good if you press a button and the new servers launch a day later. That might be better than what you've got, but that's not nimble -- it's only a Dancing With The Stars level of nimbleness, and that' s not what you want."

Adaptivity's Bishop agrees. "You better be doing your due diligence, asking providers, 'How are you going to prove to me that you're delivering the service level that you're offering? What insight do I have? What tools and what kind of reporting do you offer? What kind of penalties are in place? A lot of these are what you'd find in an old outsourcing contract," he says.

And, if a cloud provider can't show real-time performance monitoring and performance statistics and deliver trended reporting, then don't buy into that cloud, Bishop says. But don't rely exclusively on the provider's management dashboard. "You want your own application, network and transaction monitoring tools so you can guarantee that the user is getting the experience you've contracted for or is used to," he says.

And, don't forget to ask a cloud provider about troubleshooting processes, says Chad Swartz, senior manager of IT operations for Preferred Hotel Group, in Chicago. Before signing on with Terremark Worldwide, Swartz says he got the answers to questions such as: "'If something goes wrong, who do I call?' 'When I call, what can I expect them to do?' 'Is support available 24/7?' "

5. What's my exit strategy?

Equally important, Swartz adds, is getting the answer to this question, "What's your pull-out plan?" In its contract, for example, Preferred Hotel Group specified how Terremark would need to help the company move its data and applications to another provider should it terminate the contract early.

Cloud decision-makers must consider application portability, too, adds Jeff Kaplan, managing director of Thinkstrategies, an on-demand consulting services firm. "If I put my data up, how can I get it back, especially if I've used a provider's preferred application development language? Don't paint yourself into a corner."

Schultz is a freelance IT writer in Chicago. She can be reached at

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2009 IDG Communications, Inc.