Gotchas in the Cloud: 4 Traps for the Unwary
Here at SitePoint we’ve offloaded heaps of time- and resource-hungry business systems to the magical cloud, and we’re hardly alone. Cloud solutions are cheap, plentiful, and mostly reliable. It seems as if everyone’s migrating their mail to Google Apps, hosting stuff on Amazon S3, sharing files on Dropbox, or writing up their invoices on Saasu.
If you’ve yet to do the same, I bet you’ve started thinking about it. But hold that thought for just a moment: before you sign up, you ought to make a checklist of some crucial issues, and make sure that your prospective cloud computing provider measures up. Otherwise, the results could be anywhere from vaguely annoying to downright catastrophic. Let’s take a look at just some of the issues you need to consider before jumping on board the cloud craze.
Who Ya Gonna Call?
First and foremost, if you’re going to farm out a service or platform to an external provider in the cloud, you should ensure you understand the support arrangements. They may be limited, slower than you’d like, or cost extra.
Cloud-hosted services, like accounting, document control, or email, are usually free or cheap — peanuts compared to the cost of running your own mail server. But is it worth the saving if you have to spend hours troubleshooting a problem yourself, trolling forums for a bunch of potential answers, or waiting a few days for an answer to a support ticket?
If you require good support and a very fast turnaround on problems, ensure that your prospective provider guarantees a certain level of service, or at least has an excellent reputation for a speedy response. If you’re able to fix your own problems, perhaps that’s less of a priority for you. Whatever your choice, be sure that you’ll receive the level of support you expect.
It’s 10 p.m. Do you know where your data is?
If you deal with personal information, such as addresses, birth dates, or private correspondence, I’m sure that you’re very careful about how you store it, and you’ve promised your customers that you’ll keep those details safe. Can your cloud computing provider promise the same?
Laws in many countries are very strict about how private information is stored, transferred, or otherwise managed. For example, if you’re reading this in Canada, you’re responsible for the protection of personal data that you outsource to some other provider. Meanwhile, if you’re in a country that is part of the European Union, it’s possible that the EU’s Data Protection Directive prevents you from transferring personal data to a location where privacy protection is weaker. A good cloud provider will be upfront about how they deal with sensitive information, and they’ll do it in a way that is easy to understand.
What’s more, when you store your own data, you can be reasonably sure of precisely who has access to those systems. Naturally you’ll choose a system administrator you know to be competent, trustworthy, and reliable. Some companies and government departments will go as far as asking for security clearances and police record checks for anyone who’ll come into contact with private data. If you expect that of your own administrators, you should expect it of those in your prospective cloud service.
If your cloud service provider is unable to guarantee the same level of attention to data security as you expect, keep shopping around. The wrong choice could mean that you’re putting your customers’ privacy at risk, not to mention your reputation; you might even be leaving yourself open to some very big liabilities.
Hack the Planet!
Evil folks do evil stuff. The entire gamut of potential security risks in the cloud is far too large to squeeze into one tiny newsletter, so we’ll focus on a few key security-related activities that you should be able to conduct in your shiny new cloud environment.
You should have the ability to audit system activity — ideally, information about who has done what in your system should be made available to you. If a bored teenager sneaks into my SitePoint email account and sends a message to all staff saying “LOL U R ALL J3RKS,” I’d like to at least know their IP address, as well as whether they accessed anything else, of course. Ask your prospective provider about what kinds of audit logs they can provide to you in case of a security problem, and whether they can help you investigate any intrusions.
If you’re deploying an app to a cloud hosting provider, you should be able to run penetration tests — that is, masquerading as a malicious person in order to identify weak spots in your app. Some providers’ acceptable use policies prohibit all malicious traffic, which can mean that you’re unable to perform these tests in the right environment. What’s more, they may be smart enough to detect shady traffic and ban the source of the traffic — you’d feel a bit silly if you tested your app and were booted off as a result. Find out if your provider will permit this kind of testing; you may need to let them know in advance, there may be certain activities you’re unable to perform, or you may need to ask for their assistance, but it’s better than no testing at all.
When you trust your services and data to a third party, you should expect them to be upfront and honest with you about any and all security vulnerabilities that may arise, and they should move quickly to plug any holes in their systems. Look for a cloud provider with a good reputation for addressing these problems quickly, and be sure that they’ll tell you about incidents as soon as they can.
Outages, Closures, and Fail — Oh My!
Imagine that you’re waiting on a super important message, and your email is hosted some place in the cloud. It’s critical that you receive this document this afternoon so that you can meet a project deadline by 5.00 p.m. You’ve been checking your inbox every few minutes just to be sure you’re on top of it when it arrives. “Hurry up, hurry up,” you mutter under your breath as you reach for the bookmark again.
Then, suddenly: “Sorry, we’re down for unplanned maintenance.”
Argh! You jump on the company’s status blog, Twitter page, Facebook, forums, and anywhere else you can think of to find out what’s wrong. There’s nothing for an hour or so, then a little note appears: “Something went terribly wrong today. We’re working really hard on restoring the backup, and we should be done within a few hours.”
A few hours? I don’t know about you, but at this point I’d be … well, I’d be saying stuff I’m unable to print here.
A major reason for moving to an outsourced solution is to avoid such a situation — naturally a big company whose entire business is file storage or service provision can afford good hardware, plenty of redundancy, stringent backups, and nice fat tubes. When you choose a provider, then, it’s absolutely crucial that you choose one with a reputation for reliable uptime, speedy recovery from problems, and prompt attention to customer information. Any system can fail once in a while; it’s how that company deals with the situation that makes a huge difference.
Worse yet is when companies go bust, which is an unfortunate reality in today’s climate. Anyone remember Omnidrive? It was an online storage solution, kind of like Dropbox, or Apple’s iDisk, allowing you to stash up to 1GB of your files out there somewhere in the ether. It was fine for a while, then it was plagued with outages and reliability problems; there were rumors of mismanagement and generally shady dealings, and then Omnidrive finally disappeared.
Saving a few bucks a month with an unproven operator will mean very little if all your important data disappears into the ether.
So there you have four major issues you should think about when it’s time to move into the cloud. If you’ve already gone through this process yourself, feel free to share any more tips and tricks with other readers in the comments below!