Gotchas in the Cloud: 4 Traps for the Unwary

A traffic coneHere at SitePoint we’ve offloaded heaps of time- and resource-hungry business systems to the magical cloud, and we’re hardly alone. Cloud solutions are cheap, plentiful, and mostly reliable. It seems as if everyone’s migrating their mail to Google Apps, hosting stuff on Amazon S3, sharing files on Dropbox, or writing up their invoices on Saasu.

If you’ve yet to do the same, I bet you’ve started thinking about it. But, hold that thought for just a moment — before you sign up, you ought to make a checklist of some crucial issues, and make sure that your prospective cloud computing provider matches up. Otherwise, the results could be anywhere from vaguely annoying to downright catastrophic. Let’s take a look at just some of the issues you need to consider before jumping on board the cloud craze.

Who Ya Gonna Call?

First and foremost, if you’re going to farm out a service or platform to an external provider in the cloud, you should ensure you understand the support arrangements. They may be limited, slower than you’d like, or cost extra.

Cloud-hosted services, like accounting, document control, or email, are usually free or cheap — peanuts compared to the cost of running your own mail server. But is it worth the saving if you have to spend hours troubleshooting a problem yourself, trolling forums for a bunch of potential answers, or waiting a few days for an answer to a support ticket?

If you require good support and a very fast turnaround on problems, ensure that your prospective provider guarantees a certain level of service, or at least has an excellent reputation for a speedy response. If you’re able to fix your own problems, perhaps that’s less of a priority for you. Whatever your choice, be sure that you’ll receive the level of support you expect.

It’s 10 p.m. Do you know where your data is?

If you deal with personal information, such as addresses, birth dates, or private correspondence, I’m sure that you’re very careful about how you store it, and you’ve promised your customers that you’ll keep those details safe. Can your cloud computing provider promise the same?

Laws in many countries are very strict on the manner in which private information is stored, transferred, or otherwise managed. For example, if you’re reading this in Canada, you’re responsible for the protection of personal data that you outsource to some other provider. Meanwhile, if you’re in a country which is part of the European Union, it’s possible that the EU’s Data Protection Directive prevents you from transferring personal data to a location where privacy protection is less adequate. A good cloud provider will be upfront about how they deal with sensitive information, and they’ll do it in a way that is easy to understand.

What’s more, when you store your own data, you can be reasonably sure of precisely who has access to those systems. Naturally you’ll choose a system administrator you know to be competent, trustworthy, and reliable. Some companies and government departments will go as far as asking for security clearances and police record checks for anyone who’ll come into contact with private data. If you expect that of your own administrators, you should expect it of those in your prospective cloud service.

If your cloud service provider is unable to guarantee the same level of attention to data security as you expect, keep shopping around. The wrong choice could mean that you’re putting your customers’ privacy at risk, not to mention your reputation; you might even be leaving yourself open to some very big liabilities.

Hack the Planet!

Evil folks do evil stuff. The entire gamut of potential security risks in the cloud is far too large to squeeze into one tiny newsletter, so we’ll focus on a few key security-related activities that you should be able to conduct in your shiny new cloud environment.

You should have the ability to audit system activity — ideally, information about who has done what in your system should be made available to you. If a bored teenager sneaks into my SitePoint email account and sends a message to all staff saying “LOL U R ALL J3RKS,” I’d like to at least know their IP address, as well as whether they accessed anything else, of course. Ask your prospective provider about what kinds of audit logs they can provide to you in case of a security problem, and whether they can help you investigate any intrusions.

If you’re deploying an app to a cloud hosting provider, you should be able to run penetration tests — that is, masquerading as a malicious person in order to identify weak spots in your app. Some providers’ acceptable use policies prohibit all malicious traffic, which can mean that you’re unable to perform these tests in the right environment. What’s more, they may be smart enough to detect shady traffic and ban the source of the traffic — you’d feel a bit silly if you tested your app and were booted off as a result. Find out if your provider will permit this kind of testing; you may need to let them know in advance, there may be certain activities you’re unable to perform, or you may need to ask for their assistance, but it’s better than no testing at all.

When you trust your services and data to a third party, you should expect them to be upfront and honest with you about any and all security vulnerabilities that may arise, and they should move quickly to plug any holes in their systems. Look for a cloud provider with a good reputation for addressing these problems quickly, and be sure that they’ll tell you about incidents as soon as they can.

Outages, Closures, and Fail — Oh My!

Imagine that you’re waiting on a super important message, and your email is hosted some place in the cloud. It’s critical that you receive this document this afternoon so that you can meet a project deadline by 5.00 p.m. You’ve been checking your inbox every few minutes just to be sure you’re on top of it when it arrives. “Hurry up, hurry up,” you mutter under your breath as you reach for the bookmark again.

Then, suddenly: “Sorry, we’re down for unplanned maintenance.”

Argh! You jump on the company’s status blog, Twitter page, Facebook, forums, and anywhere else you can think of to find out what’s wrong. There’s nothing for an hour or so, then a little note appears: “Something went terribly wrong today. We’re working really hard on restoring the backup, and we should be done within a few hours.”

A few hours? I don’t know about you, but at this point I’d be … well, I’d be saying stuff I’m unable to print here.

A major reason for moving to an outsourced solution is to avoid such a situation — naturally a big company whose entire business is file storage or service provision can afford good hardware, plenty of redundancy, stringent backups, and nice fat tubes. When you choose a provider, then, it’s absolutely crucial that you choose one with a reputation for reliable uptime, speedy recovery from problems, and prompt attention to customer information. Any system can fail once in a while; it’s how that company deals with the situation that makes a huge difference.

Worse yet is when companies go bust, which is an unfortunate reality in today’s climate. Anyone remember Omnidrive? It was an online storage solution, kind of like Dropbox, or Apple’s iDisk, allowing you to stash up to 1GB of your files out there somewhere in the ether. It was fine for a while, then it was plagued with outages and reliability problems; there were rumors of mismanagement and generally shady dealings, and then Omnidrive finally disappeared.

Saving a few bucks a month with an unproven operator will mean very little if all your important data disappears into the ether.

Whew!

So there you have four major issues you should think about when it’s time to move into the cloud. If you’ve already gone through this process yourself, feel free to share any more tips and tricks with other readers in the comments below!

(Pic: CraigPJ)

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • http://www.dangrossman.info Dan Grossman

    I’d love to read more about SitePoint’s experience in moving services onto Amazon EC2 and S3, and any other cloud services they might be using.

    I recently moved a rather large site (W3Counter, which tracks all the page views to about 30,000 websites in real-time) “into the cloud”. It was running on three rather expensive servers and still sluggish during peak hours.

    Moving it onto Amazon was an interesting experience. There was a lot of work to do, starting with building custom server images (operating system, services, configuration, etc.) and doing benchmarks to figure out just what the capacity of an Amazon “instance” is. They offer different “sizes”, each with different performance characteristics in terms of CPU, memory and disk IO.

    Throw “Amazon Elastic Block Storage”, or the equivalent of virtual hard disks, and there’s a lot of combinations to test.

    I ended up with a single “large” instance (5 virtual CPUs, 7.5GB RAM) with a RAID array of virtual disks taking over the database. Not only did the array provide better IO performance than the native “instance storage” each instance is provisioned with, but using EBS meant a straightforward way to make full drive backups without replication or slowing down the website.

    The web server was replaced by “medium” instances (5 virtual CPUs, 1.7GB RAM each) and I can scale up or down depending on traffic by launching and stopping new copies of the web server image.

    All in all I saved over $300 per month in hosting costs and the site has never performed better.

  • Anthony Eden

    Downtime is sometimes more likely to occur when you are DIY-ing your services. For example, the Primus Data Centre in Melbourne went down over the weekend, taking down a massive amount of colo-ed servers. These were people who hadn’t taken their serviced into the cloud, but hosted it themselves on their own server in a Data Centre. The place was down for several hours, and we were all helpless.

    However, hosts of reputable cloud services don’t go down as frequently (if ever). Why? They have built in international redundancy into their clouds!! That’s something we can never do if we were to host our own services.

    Anthony Eden
    LocalitySwitch.com

  • Andy

    Want to learn a new way to backup the data to S3? Try CloudBerry Backup. It is powered by Amazon S3 reliable and cost efficient storage. If you want to take part in beta sign up on the website. What safer place to keep your files than Amazon’s servers?

  • http://www.heyraena.com raena

    Anthony — the thing is, though, it *is* quite possible to build redundancy into your own hosting; you just need to sort out a second place to go and use it (and it’s easy to start). It gets more difficult if you need to replicate database-backed sites, but it’s still eminently doable.

    In my previous job I dealt with many a client who used more than one data centre for just such a situation. I think it’s a bit of a stretch to say you could *never* do it when hosting it yourself.