In many cases, commoditization of a product can be a great thing for the consumer, especially if the product space is competitive on both price and quality. This appears to be the case for the cloud, or more specifically, the Infrastructure as a Service (IAAS) offerings that have become available from Amazon, Google, Microsoft, and others. By taking the complexity out of maintaining networks and servers and converting capital expenditures to operating expenditures, organizations can focus on the applications they need to run, and more importantly on sustaining and growing their business.
Not surprisingly, many of these services leave the management of the server operating systems and applications to the end-user or consumer; the service is TRULY only the infrastructure. I recall the first time I spoke about the product, there was some surprise when I indicated that we still needed to patch the operating systems on the virtual servers we were standing up in the cloud.
This is an important point – cloud means different things everywhere, and not having an expert understanding of the offering can open up the production environment to risks that can affect availability, or worse result in a security compromise.
So, if this new risk is created, why change? Where is the advantage? I would suggest that the biggest advantage is this – by transferring away to a commodity provider the work necessary to maintain your infrastructure, you can get more value out of your technology budget by putting your team on more complex, valuable tasks. Put it this way – if you don’t need to hire someone to handle backups or swap out hard drives, you can bring on resources to manage the availability, scalability, security, and integrity of the application.
This does beg a second question, however: how does a small or mid-size business afford to take on applying expertise in availability, scalability, and security? This is especially important if your business is not an internet-based business, but still relies on that presence for growth and success. Perhaps some of these services can be outsourced as well; as long as there is a mechanism for ensuring that the support is delivering on their promises then it’s simply another opportunity to focus on core strengths.
The first thing to look for in a service provider should be related to the availability of the system – are they managing for the redundancy of the system, do they recognize the points within the system that are at risk of fault, and do they arrange the design of the system to avoid fault tolerance? Additionally, whether the servers are being backed up in a way that allows for easy and reliable recovery, preferably reducing the risk of a local fault. For instance, are backups still being performed, and if so are they being sent offsite?
Next, look for a level of expertise in managing the application being used. For instance, your support team should be providing expertise in managing Linux if your platform is WordPress or Magento. Likewise, they should be demonstrating situational awareness about the systems and the applications running on them. Are they aware of recent security issues? Have they addressed patching and managed for known exploits? Are they aware of intrusion patterns and are they examining logs to identify and handle them? This level of expertise in keeping a system in integrity is priceless when managing a production environment.
Importantly, having a provider who is aware of compliance requirements is important, as it reduces the effort necessary to manage the provider and the environment. For instance, if SOX compliance is a necessary component of the production environment, a SOX compliant approach to managing the environment and handling service requests is appropriate to ensure that controls are in place for effective change management. Conversely, if your provider is an expert on your application but doesn’t understand the controls necessary to maintain PCI compliance, there is a good possibility that a PCI violation is in your future.
Finally, there are unique opportunities in a cloud environment that don’t exist in a traditional infrastructure environment that an effective team can manage for: cloud means scalability in a way that doesn’t exist with servers being deployed “in house.” For instance, a team that can help to architect and maintain an application that can take advantage of automated scaling allows for significant cost discounts over the long term.
But (and this is a big but) these benefits carry big risks. The ability to scale and deploy resources with little effort could easily result in high “accidental” costs and risk damaging the organization’s bottom line. Again, knowing what resources make sense, navigating these resources, and avoiding unnecessary operational expense can be like using a unicycle on a slack line. Without a team that has the expertise to manage this environment, the most likely case is an inefficient use of the IAAS environment.
Finding a way to comprehensively support your systems is an important part of running a production environment, and is exceptionally important in navigating the IAAS offerings available and maximizing the uptime of that environment. Ask your team if they can manage it. If the team is doing a great job, you’ll already know because they’ll be updating you in their regular reports on the performance, availability, scalability, security, and integrity of the application.