SSAE 16 is the new audit standard for “Reporting on Controls at a Service Organization” (including data centers) within the United States.

SSAE offers three Service Organization Controls (SOC) reporting options: SOC 1, SOC 2 and SOC 3.  According to the AICPA the reporting options are “designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.  Each type of SOC report is designed to help service organizations meet specific user needs.”

SOC 1 is known as the “Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls over Financial Reporting.” In-essence, this is what SAS 70 was supposed to be — reporting on financial controls at a service organization as an auditor-to-auditor communication tool.  It was never intended to be a data center centric audit.

A SOC 1 report is the basic SSAE 16 report, just like SAS70, which issues either a Type 1 or Type 2 report. A Type 1 report is an auditor’s opinion on the accuracy and completeness of the service provider’s management description of the system or service including the appropriateness of the providers’ controls for a specific date in time. The Type 2 includes everything from a Type 1 report AND it verifies the effectiveness of the controls for a specified period of time; a calendar year, for example.

Ok, you just went through a SSAE16 audit and have a SOC1 report. So now you’re SSAE 16 or SOC 1 “certified, right?  No you’re not. Because, a service provider does not receive a certification after they have been SSAE16 audited.  So, don’t call yourself “Certified” (just yet …).

To address the need for a standard approach to auditing of non-financial controls (e.g. IT centric data center controls) and the need for a certification process, the AICPA created the SOC2 and SOC3 reporting standards.

SOC 2 – the “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” – is an audit of non-financial controls related to compliance and operations of a service provider. This report is used by a providers’ management, its customers and prospects, business partners and other organizations associated with a provider as a tool to assess the control environment of a service provider.

This report, as well as the SOC3, is built upon a set of pre-defined controls outlined within the AICPA Trust Services Principles and Criteria. The AICPA developed these criteria for evaluating the design and operating effectiveness of controls at a data center or other service organizations.  The AICPA defines the Trust Principles as five attributes of a reliable system as being:

1. Security – The system is protected against unauthorized access (both physical and logical).
2. Availability – The system is available for operation and use as committed or agreed.
3.  Processing integrity – System processing is complete, accurate, timely, and authorized.
4. Confidentiality – Information designated as confidential is protected as committed or agreed.
5. Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.

SOC 3 – the “Trust Services Report for Service Organizations” – is a general use report that can be distributed and promoted with the SOC 3 seal on the service organization’s website. It also reports on non-financial controls related to compliance and operations at a service organization listed under the SOC 2 description.

So, what’s the difference? Certification!

Now with a SOC3 report, data center and other cloud providers can say they are certified once an auditor issues the opinion that that the service provider has achieved the trust services criteria. Then and only then can the provider display the “SOC 3: SysTrust for Service Organizations” seal.

What the AICPA has delivered is a real win for both the service provider community and their customers. Both get clarity on control standardization. Moreover, the service provider receives a certification and the customers get what they’ve been seeking – a control benchmark to use when comparing data center operators and outsource service providers.

For more information about the:

• SOC Reports Information for Service Organizations  visit: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/serviceorganization’smanagement.aspx
• AICPA Trust Services Principles and Criteria, visit http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Services%20Principles—An%20Overview.aspx
• SysTrust for Service Organization seal program, visit www.webtrust.org

A SAS 70 audit verifies that the “defined” controls and processes that a service provider has implemented are followed. Note that I said the defined controls because a service provider with weak controls and processes can claim the same level of audit compliance as a service provider with strong controls and systems. So with a SAS 70 audit, one must thoroughly read through the details within the audit report to understand the level of controls and processes being used and audited.

Now, if you believe that you’ve mastered SAS 70 audits, I’m sorry to say that it has been superseded by the Statement on Standards for Attestation Engagements 16 (SSAE 16).  The good news is the information required to complete the SSAE 16 is not totally different from SAS 70 because the latter was the base from which SSAE 16 was built.

What is different?

The main difference between SAS 70 and SSAE 16 is the depth of information the service provider will now have to provide, including (among other things):

• A management attestation of their overall service offering and underlying control structure
• Verification that appropriate criteria are used for system evaluation
• Evidence for every control during each assessment, rather than reusing prior evidence

The main reason SSAE 16 requires management attestation of its control structure is because SSAE 16 is an attest standard rather than an audit standard.  Instead of only the auditors opining on the controls within the service provider, its management is included in the assessment.  The idea is that the attestation process will hold management accountable with their statements on their company’s service delivery system, controls and control objectives. What’s more, SSAE 16 prohibits the use of prior evidence established in previous audits. By comparison, SAS 70 allows auditors to use evidence gathered in prior audits, which saved some companies a lot of time, but didn’t account for changes that could have impacted a data center’s security posture.

What Remains the Same?

SSAE 16, just like SAS 70, does not dictate the controls that must be covered by the assessment. It is for the service provider to decide which controls are essential to the services provided. The service provider must understand what industry control best practices are as well as what their customers’ auditors would consider to be essential controls to support the services being offered when determining the scope of the assessment.

From a provider’s perspective, a potential starting point for defining the scope of a SSAE 16 assessment would be to begin with their service contracts. The contractual obligations around the offered services would help draw the boundaries that define the systems and the controls that support the offering(s).

An SSAE 16 assessment should fulfill the requirements of a service provider’s clients, including publicly-traded clients, and it can save service providers time and resources in supporting a customer’s audit request.  SSAE 16 is an assessment a service provider completes only one time–providing the same assessment report to any customer’s auditor who requests it.

For more information on SSAE 16, you can visit:

AICPA – http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx

SSAE16.com – http://www.ssae-16.com/

The Tier level of a data center refers to the ability of the facility to support the systems it serves. Tier designations provide a basis for comparing the functionality, capacity, and cost of a data center’s architecture. More importantly they focus on the availability and reliability – in other words, the ability to overcome equipment failure – of the facility itself, and are driven by the ability of the infrastructure to power and cool the data processing environment.

For instance, utility power can fail; the temperature in the data center can rise to cause damage to equipment; and so on.  These are examples of facility capacity issues, and are the foundation for fault-tolerance.

Click image to enlarge

The tier model helps answer the questions most enterprises have: how important is it that our applications be continuously available, and how much are we willing to pay for that availability. As always, the trade-off is between dollars and sense, although industry and governmental compliance requirements will weigh in too. Even though the tier levels provide an idea of where a data center might fall, it is up to the prospective subscriber to determine just how reliable a center has to be. Can we live with a few hours downtime every month? How about a few minutes, or do we have to have our systems available at all times without exception?

Tier I is the most basic and inexpensive level of data center. These facilities have the basic “capacity components” – one UPS, one engine generator, and dedicated cooling. However, it may not have any capacity for backup or failover, and it can tolerate up to 28.8 hours of downtime per year, or 99.671% availability.

Tier II facilities have redundant capacity components with the exception of power and cooling. Any redundant capacity component can be removed from service on a planned basis without causing processing to be shut down.  But this doesn’t mean that if one capacity component fails, the second one steps in automatically.  These sites average one unplanned outage per year, and schedule three maintenance activities over a two-year period. The annual impact to operations is 22 hours of downtime per year, or 99.75% availability.

Tier III facilities provide multiple sources for power and cooling, though only one source is generally active at one time. Even though these sites have high redundancy they are not completely fault tolerant. Any unplanned activity such as operational errors or spontaneous failures of infrastructure components can still cause an outage.  On average, these data centers have unplanned events totaling only 1.6 hours per year, or 99.98% availability.

At the most robust end of the reliability and cost spectrum, a Tier IV facility must have redundant systems for power and cooling, with multiple distribution paths that are active and fault tolerant to keep them running without ever shutting down for maintenance and with only 0.4 hours of downtime per year, or 99.99% availability.  Basically, they’re about as bulletproof as you can get.

For most companies Tier I and II data centers are going to meet most of their requirements for everything from Human Resources to CRM to customer facing processes. Financial institutions and organizations that have truly mission critical customer facing systems typically use Tier III or sometimes Tier IV because they are critical to their economic stability. Tier IV facilities are generally used by organizations that make the majority of their revenue from online transactions such as financial institutions where billions of dollars are at stake, ATM systems that must run 24/7, and for certain arms of the government. Public datacenters that provide disaster recovery / backup services are also built to higher standards.

When looking for new building space, have accessibility of fiber be a selection criterion.

Having the building being ‘on net’ with fiber or having fiber running down the street increases the likelihood of having several carriers vying to serve the building to offer equipment redundancy for equipment being hosted there.  Also, this improves the chances of getting better pricing due to competition. For organizations with a minimum of 100 or so employees, fiber can make a big difference in the cost of voice, data and any sort of private lines that may be going into the office space.

Conversely, when a building it is not “well lit” with a high bandwidth service, and a customer wants high bandwidth redundant service, they will have to pay the carrier to cover the last mile to bring in a type-2 circuit. Ultimately, this drives up the cost of the property being considered.

Don’t sit on service quotes and expect the service provider to install on short notice.

I frequently come across companies that receive bids from different telco providers, and they sit on the bids until the last minute and expect the provider to install the service on short notice. It’s not going to happen. You’ve got to allow ample time to plan for installation. Just because a provider quoted 90 days months ago doesn’t mean they can still deliver in 90 days. Things change and problems arise. If you know you need telecom or other services in 90 days, then contact the provider well in advance of the quoted 90 days. Otherwise, you might find yourself out of luck.

How long should you budget for installation?

• For any T-1 type service, allow 45 to 60 days for installation.
• Beyond T-1 service, such as 45 MB DS3 (T3), allow 60 to 90 days.
• For fiber circuits, if it’s new fiber and it’s “on net,” plan for 30 to 60 days and if it’s not on net, plan, for 90 to 180 days.
• When there needs to be a new fiber build, plan for a minimum of 6 months.

With the increase in available bandwidth, pricing is becoming more competitive.

Due to the ever increasing availability of high bandwidth internet and its corresponding consumption, there is an increase in the upgrading from T-1 to Ethernet-Over-Copper and Fiber services.  This change is akin to the move from dial-up to DSL, and DSL to T1.

With the increase in offered bandwidth, pricing is also becoming more competitive. For example, competitive pricing on DS3 several years ago ranged from $2,500 to $4,500 per month. Today it’s possible to acquire 100 MB Ethernet service for $2,500 per month, making bandwidth much more affordable.

As a result of running everything over one Ethernet circuit, a company can run its voice, data and MPLS on one circuit. This is great for a company that has, say, five office locations. They can parse the MPLS switch to connect all five offices for four-digit dialing and run it all on one pipe where the resources can be shared because it will be a dynamic circuit. By doing this, when bandwidth is not being used for phone service it will allocated it back to the Internet/data service.

For companies looking to upgrade their services, you may want to consider replacing T1’s and DS3’s with EoC or Metro Ethernet Fiber services for reduced cost and flexibility.

Are you entering into a new telecom service contract?

Many times you can save money if you sign at the end of reporting period like: end of month, quarter end, or year end. Sales agents for telco companies are like car dealers, wanting to meet quota’s before the end of a reporting period. Conversely, if service start time is important to you, avoid these end-of-period times. Too many people signing up for service at the end of a reporting period can affect your scheduled installation.

When comparing providers, and their pricing and services look to be the same, look hard at the other factors that will determine if the provider experience may be good or not.

Billing is one part of the service experience that many don’t think about, and how easy or difficult will it be to work with a provider’s billing department. For example, some carriers over bill and they expect full payment, even if the bill is being disputed.

Technical support is the other big area to look at. Tap into your professional network and ask around to see what the typical wait time is to reach support personnel, and find out about the escalation process to determine how easy or difficult it is to get issues resolved.

Do your research on these extraneous factors through forums and your social networks. Put the question out there: ‘Hey I’m looking at this carrier.  Who’s had good experiences and who has not?

Before taking the plunge in to the cloud, organizations must understand the devil that is in the details outlined below.  If they don’t perform the proper due diligence, there could be both unwanted surprises and disappointment.

When evaluating cloud providers, the due diligence in assessing the provider is not much different than finding a colocation space.  Beyond the usual focus points, there are several cloud-specific items to consider:

Pricing

Pricing can be a BIG surprise when subscribers don’t delve into the details of what they have contracted to use. Subscribers need to know about the service provider’s billing and pricing structure. Most providers set up billing as a recurring monthly item, but it’s always good to do know the specifics.

Regardless of the service being contracted, it is imperative to understand the type of contract required and its renewal process. For example, does it automatically renew, as with an evergreen agreement?  Understand what is needed to attain the most attractive pricing and most importantly understand the exit plan—can  you exit at any time without hidden fees?  Many times subscribers will find there is a need for additional services, 3rd party vendors or simply a requested change to the contract and as a result there will be significant unplanned costs that are outlined in the fine print of the contract.

When looking at price, a red flag for any subscriber is finding a service provider with an apparent unusually low price compared to their competition. This may indicate a low base price with additional fees tacked on elsewhere, like buying a meal ala carte.

Performance

Cloud providers deliver different performance based on geographic location and platform architecture. Subscriber

s should determine the geographic location of the provider being evaluated. Generally it can be expected that a provider in the subscriber’s region to offer lower latency access to their hosted resources.  To mitigate latency, providers may allow applications to be hosted in multiple geographic locations and this may be important for business continuity purposes, or if applications are global in nature.

Most cloud providers offer varying sizes of computing resources — from the smallest single-core to the largest multi-core mammoth-memory server instances. Unfortunately, what is not so clear to most subscribers is that storage IO can really vary from one cloud provider to another. And storage IO, not CPU, often times is the key to application performance in the cloud.

SLAs

A Service Level Agreement is one way to gauge a cloud provider’s comfort level with its service delivery. The best way to ensure good service is with solid SLAs with clear contractual language.  It is best to assure that the provider’s SLA has some teeth specifically in the event of underperformance or a service outage; the provider should offer generous service credits in return.

Related to service outages, determine how the provider measures uptime and how that’s communicated to their customers.  Specifically, what part of the hosting, server reliability, service delivery uptime calculation is taken into account? Subscribers need to understand processes in place for handling major outages and how, when, and with what detail the service provider communicates these issues with the client.

Customer Service

The best customer service departments for cloud services are staffed with specialists who are available 24×7. Subscribers should ensure that their chosen provider’s customer service specialists can meet their needs.

Subscribers need to know they can contact someone at their provider when they experience problems. Some providers bundle support services while others offer various support tiers.  For example, it would be advantageous to know how many support agents the provider deploys and if they are Level 1, 2 or 3 in terms of training and capability. Also, it is important to understand the escalation process when problems arise.

Security

Security will always be a concern in the cloud and a cloud provider’s regard for security can be a market differentiator as well as a deal maker or breaker for the prospective customer of a cloud service.

Ultimately, the subscriber is responsible for its own data, and the cloud provider is responsible for protecting the physical plant that stores that data. In order to eliminate any potential exposure to data loss, both parties need to have appropriate controls in place to both protect data and meet the ever growing regulatory requirements that address the protection of data.

There are a few industry-standard security topics to consider before moving to the cloud. Some of them are: privileged user access, control/monitoring of access, development and change control procedures, physical access controls to the data center, and disaster recovery procedures, to name a few.  If the vendor cannot or is unwilling to speak on these topics, this should be considered a red-flag and the prospective subscriber should move on.

Lock-in

This is where a cloud subscriber may experience issues when deciding to move to another cloud provider. Before contracting with a cloud service, the prospective subscriber should understand how difficult it will be to retrieve their data and applications when moving to another platform/service.

Lock-in can be categorized in three ways.  “Platform” lock-in is where the cloud provider builds their services on certain virtualization platforms (i.e. VMware and Xen).  Where the providers utilize standardized technology platforms, the moving of applications and data can be less of an issue. Related to platform lock-in is “Tool” lock-in where providers offer different tool sets to allow the subscriber to provision their environments. To avoid tool lock-in, subscribers need to make sure that a provider’s provisioning and monitoring tools are compatible with either physical or virtual infrastructures. Lastly, “Data” lock-in is where company data is being processed and stored within the service provider’s infrastructure, including backups.  The question is, can I move “all” of my data to another provider easily?

Data Back-up

Know how the cloud provider backs up data and in the worst-case scenario, what would happen if they went out of business or there is a need to move to another provider. Subscribers should understand the provider’s storage architecture, the number and location of their data centers and its redundancy. Although cloud computing instances can be distributed, disasters do happen.

Location of Data

Many subscribers need to know where the cloud provider is storing their data because it could be spread over different data centers across the globe. This is especially important for companies that are under specific regional regulations; for example, as in Europe where regulation dictates that data isn’t permitted to cross borders unless it meets specific data protection guidelines.

Audit Rights

Will the service provider grant access to their data centers for customer specific audit requirements?

Most service providers eventually will have a customer request that an external audit be performed over their data and processes being hosted by the service provider. Make sure you know how the service provider will make audit information available and what information will be provided.

Any service provider who refuses to undergo these audits is only signaling that its services are only suitable for the most trivial functions.

Though audit rights may never be needed, it would be good to know that these rights exists, and are spelled out, before becoming a customer.

Almost any business can gain enormous benefit from utilizing cloud-based services. The cloud is transforming the way business operates with on demand scalability, eases of access, and reduced IT costs.

The key to moving to the cloud, is for businesses to be smart, like they are for any major transition, about how they choose to transition to the cloud.  Pricing, availability, performance, service levels, and security compliance issues are top concerns – and it’s important to do perform diligence reviews on several cloud service providers before choosing one to make the transition.

A lot of terms have become part of the overall cloud vernacular. None are more accepted than SaaS, PaaS and IaaS. This post is my attempt to peel away the layers of the “cloud onion” in a way that everyone can understand.

The following diagram depicts who manages what across the different cloud models compared to an in house hosted data center. In general, the service provider manages those elements shown in blue, whereas the customer manages everything shown in white.

SaaS – Software-as-a-Service

Due to its low entry costs and substantial benefits – including faster application deployment, greater flexibility and improved employee productivity – Software-as-a-Service adoption is skyrocketing across all industry verticals. This includes unique purpose-built applications as well as general business applications.

With the typical SaaS model, an application resides within a public data center where a service provider maintains the application code, the data, and supporting infrastructure. SaaS is a multi-tenant delivery model whereby an application is shared across clients. The high-level benefits of the SaaS model generally include: rapid implementation because the application and infrastructure is already in place; “pay-as-you-go” pricing according to a subscription and Service Level Agreement (SLA) that ensures a specified level of performance and availability; and improved operations when you consider that someone else is responsible for maintenance and enhancement of the application. What’s more, customers usually benefit from regular application enhancements that are suggested by other users of the software.

Because of the vast array of SaaS application available today, organizations have the ability to dip their toes into the cloud with SaaS point solutions such as customer relationship management, mobile device management, data storage, bac

kup and disaster recovery, and much more. While these are important functions, they only account for a fraction of an organization’s total IT budget. Nevertheless they are a good introduction for companies to begin testing their comfort level with the cloud.

For many organizations, leveraging SaaS can provide a better operational model to drive change for both the business and IT, providing benefits from efficiencies not previously possible with on-premise applications to lowering overall operations costs.

PaaS – Platform-as-a-Service

When an organizations needs to support a business process that is differentiating and unique, this calls for purpose built software.  To build this custom software for the cloud requires a development and a runtime platform that provides the same level of efficiency and flexibility as the cloud does for your infrastructure. Platform-as-a-Service (PaaS) has all the operational advantages of the cloud and also centralizes development in a unique and managed location.

Platform-as-a-Service is an outgrowth of Software-as-a-Service (SaaS).  PaaS allows a customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. The subscriber’s development teams do not need to worry about the operating system, storage or hosting. The developers write their purpose built code and the service provider uploads that code and presents it on the Web.

PaaS enables organizations to create web applications quickly, without the cost and complexity of buying and managing the underlying software/hardware.  The PaaS model is based on a metering or subscription “pay-as-you-go” model so users only pay for what they use. Users take the resources they need without worrying about the complexity behind the scenes.

The PaaS provider supplies the hardware, operating system, software upgrades, security and everything else related to the day to day hosting of an application as well as manages upgrades, patches and other routine system maintenance. In general, the subscriber’s development teams do not have any access to the underlying operating system. Applications that run on PaaS platforms have to adhere to some restrictions that protect the provider from abuse such as malicious software or run away resource usage.

As with most cloud computing decisions, cost is the major driver for subscribers signing up to a PaaS offering. Instead of maintaining an IT infrastructure that covers the whole stack of the computing environment from hardware up to applications, organizations can offload the cost and administration hassle of maintaining the bottom half of that stack, by renting it from a PaaS provider. The IT department therefore doesn’t have to expended resources managing hardware, storage, networks, and operating systems; they can spend their time and resources building strategic business applications. This makes sense for a lot of companies as this is where IT can deliver value to the business.

There are different categories of PaaS solutions, including add-on development facilities, stand alone development environments, application delivery-only environments, and open platform-as-a-service.

IaaS – Infrastructure-as-a-Service

Then there is IaaS which can provide the most benefit to today’s enterprise in terms of flexibility and overall cost containment.  Where PaaS offers out of the box computing platforms and management for rent, IaaS provides, as a service, just the fundamental hardware and virtualization resources to do anything an organization wants.

IaaS as a market is quite mature, and businesses of every size are taking advantage of this utility-based model to have unparalleled access to huge “virtual” datacenters.

Companies that are serious about managing the costs of their IT functions are taking a more comprehensive view to the expanse of their internally hosted applications. These applications are running on expensive infrastructures which, more often than not, are only running at a fraction of their rated capacity while using significant power, cooling and rack space. Then one needs to consider that this same hardware will be replaced or upgraded on a regular basis, and it requires skilled technical experts to manage this infrastructure.

IaaS provides computer infrastructure services, typically a virtualization environment, along with raw (block) storage and networking backed by the provider’s data centers. Rather than purchasing servers, software, data center space or network equipment, a business instead subscribes to these resources as a fully outsourced service. The subscription rate is typically based on the amount of resources consumed.

This flexible pay-as-you-go model that IaaS provides allows organizations to reduce costs while addressing their “Lack of …” issues – as in, lack of control and visibility; lack of the ability to specify where data resides and how it is protected; and lack of understanding the security over the processing environment and data – because organizations have control over the security of their applications and data, as well as where the data resides. The benefits of IaaS, in addition to the ability to scale, are the (relatively) low costs to get started and the ability to pay only for what you use. Granted, there are different flavors of IaaS that have their unique strengths and weaknesses (Read my previous posting on Amazon EC2 compared to Savvis Open Cloud for a more detailed examination of these two services) but there are solutions available to meet most needs.

From startups to mid-sized enterprises, one of the most difficult things to do is keep capital expenditures under control. By sourcing your infrastructure from the cloud, you have the ability to scale as if you owned your own hardware and data center while keeping the upfront costs to a minimum. IaaS providers have purpose built N+1 redundant data centers that offer the purchasing power of much larger enterprises and as such they can pass these savings to their customers in the form of competitive rates.

IaaS offers a pay-as-you-go model, giving enterprise customers the flexibility to scale up or down in line with business needs. Services are paid for by auditable metered usage.

The IaaS computing model has the potential to change the economics of an organization’s data processing activities by reducing capital and maintenance costs. It also can decrease the time to deliver services and allow IT staff to focus on business innovation rather than infrastructure maintenance.  Furthermore, depending on the service provider, you can manage your “Lack of …” issues and have the same level of control you have today within your private data center.

One should not forget that there are still certain political, legal, license, security, standardization, and scalability issues waiting to be addressed. After that, IaaS will definitely gain more attention of the enterprise sector too. I will try to address these issues in one of the future posts.

Caveat Emptor

It is important to note that there can be considerable overlap between SaaS, PaaS and IaaS.  With the continual changes in the cloud, definitions of the types of services are in a constant state of flux. Unfortunately, the same service may be categorized into either of the three depending on who is making the categorization – a developer, a system administrator or a manager.

In my next post I will examine critical attributes a subscriber should look for in a cloud service provider and how I vet service providers before representing them.

Oracle founder and CEO Larry Ellison

Three years later, Oracle is using its 2011 OpenWorld conference to dispel lingering questions about its ever evolving cloud computing strategy.  During the event, an Oracle executive detailed his company’s plans to deliver not only software-as-a-service (SaaS), but also platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) capabilities in the coming years.

Mr. Ellison isn’t the only corporate executive whose perceptions about cloud computing models have changed over time.  Many decision makers’ views on cloud computing have shifted considerably over the years from the their initial reaction of the cloud being all hype and spin created to separate IT departments from large portions of their tight budget allocations.  Now this initial resistance has waned the world over as more and more companies push data and applications into the cloud. While adoption will continue to increase, there will always be organizations that, for their own reasons, will be slow to embrace this evolving computing model due to concerns ranging from security issues to immaturity of the cloud industry.

But as computing grows more complex, many companies are finding it no longer makes economic sense to own and manage every aspect of the infrastructure they use – from server farms and storage to databases and applications. And let’s not forget all the expert resources required to maintain these infrastructures. This is especially apparent with the explosion of small and internet based companies that are leveraging services like Amazon EC2 because of its flexibility and the reduced overhead expense of an internal data center to support their services.

The evolution of the cloud is evident to anyone that follows the IT industry; the cloud is heartily being embraced as a business enabler. We now see the economic benefits of the various cloud computing models that are, in part, attributed to economies of scale.  It’s estimated that large data centers can purchase power, bandwidth and hardware at greatly reduced rates compared to what medium-sized organizations would pay for the same infrastructure. Cost is one of the major factors that started the unmistakable trend away from private data centers to the cloud.

A few of the important benefits that organizations of all sizes derive from cloud computing are capital cost savings, rapid provisioning of services, elasticity (capacity on demand), and the ability to realign their IT staff to mission critical activities.

Benefits aside, decision makers still have concerns about how secure their data is in the cloud.  These concerns fall under the broad categorizations of “Lack of …” as in, lack of control and visibility; lack of the ability to specify where data resides and how it is protected; and lack of understanding the security over the processing environment and data.  These concerns can’t really be addressed without examining the specific aspects of the types of cloud computing and looking at them in context.

In my next post we will continue with examining SaaS, IaaS, PaaS, Community Clouds, and critical attributes to look for in a cloud service provider.

EC2 is great for company’s like Netflix.

With its Elastic Compute Cloud (EC2) offering, Amazon created a new world order for data processing with its dynamic pay-as-you-go computing platforms. It didn’t take long before organizations all around the world clamored for the benefits of this new computing model. However, we need to keep in mind the purposes that EC2 was created to serve. The use cases EC2 serves best include development and test environments and web. Especially beta projects, or projects with heavy peak traffic (seasonal) or projects that don’t require an SLA. EC2 is great for seasonal peak traffic as they can dial up and dial down and don’t pay while they are parked. Think company’s like Netflix. Savvis though is rolling out next month a VPDC product that lets you park and not pay while you sit idle and will provide an enterprise level supporting infrastructure along with an SLA.

Today there are numerous service providers that compete with or offer complementary services to Amazon and its extremely successful and revolutionary EC2 offering. Each does the infrastructure component a bit differently, but their overall mission is clear: cut costs, reduce space constraints, lower management overhead and offer scalable compute capacity on-demand at a figurative, and sometimes literal, flick of a switch.

One such service provider is Savvis, which offers four web services under its Symphony Enterprise-Class Cloud Solutions: Symphony VPDC; Symphony Database; Symphony Dedicated; and Symphony Open.

Symphony VPDC

Symphony VPDC (Virtual Private Data Center) is a public cloud offering of cookie cutter packages designed to support differing customer needs in an all-in-one package that includes load balancing for the web servers, app servers, and the database. While I personally like this offering because it basically provides customers everything they need, the downside is that there are no modifications to the different VPDC service offerings.

Symphony Dedicated

Symphony Dedicated is plain jane managed hosting that will support your platform. It’s a tried and true product where you don’t buy any equipment, and Savvis will manage everything for you. When you need more compute space, just add more servers. They also can run your applications virtualized and your database in a traditional segmented environment. Symphony Dedicated is a very flexible offering.

Symphony Database

Symphony Database is a basic “lite” database hosting offering for organizations running a co-lo or running on Symphony Open.

Symphony Open

Symphony Open is a multi-tenant model like EC2, where multiple customers have their VMs running on shared hardware. Symphony Open is built on a massively scalable, multi-tenant infrastructure and delivers a secure, enterprise-class cloud environment with built-in high availability and automated resource balancing. Open offers a purchase-by-the-instance cost model with a scalable, agile infrastructure that you control through the SavvisStation Portal to add resources as you need them.

The similarity to EC2 ends at the multi-tenant infrastructure. Symphony Open is a more flexible platform in that you can create a hybrid environment where you can put your web server in the public cloud and put your database on a private cloud—all in the same platform. Or, you can put your database and whatever equipment you may have within a Savvis co-lo. Symphony Open provides you with a right-sized computing environment with the scalability and security of an enterprise-class platform, coupled with Savvis’ private or public network connectivity options.

While EC2 is a great product, it’s not for everyone. It’s good for single use case solutions, but once you start exploring more robust solution requirements that encompass legacy applications, Amazon lacks the expertise to migrate those applications and make them part of the overall solution. EC2 is good for organizations that: aren’t required to meet either PCI or SAS 70 compliance; don’t need to run a large database; and don’t care about having an account manager they can talk to unless they are billing 500k plus per year. All of these criteria are intangibles to Amazon EC2. Also cross connects alone for private line connectivity with EC2 are 1k per month.and private line connectivity for a gig port run 5-10k. per month. This basically forces you to VPN, so you need to consider you transit costs involved in transfer back and forth.

In my opinion, here are a few additional items you need to consider before you jump head first into EC2:

• Amazon can’t provide private connectivity (they can but its expensive), private VLANs or “hybrid cloud” solutions.
• Amazon doesn’t allow third-party audits of its infrastructure, although it does plan to obtain SAS 70 certification for its data centers.
• Amazon meets enterprise needs such as invoices on a one-off basis. The company doesn’t normally customize terms and conditions, and SLAs are yearly rather than monthly.

If you are shopping around for a cloud infrastructure provider and you plan to investigate Amazon’s offerings, be sure to consider Savvis as well. Give us a call and we’ll help you choose the right provider that aligns with your current and future needs.

The old adage of “The devil is in the details” applies here.

Amazon’s EC2 virtualization service allows the hosting of as many instances of a given machine image as you’d like. While this is attractive and compelling, designing an architecture around this flexibility can be confusing at times. Even worse, trying to compare configuration options and costs between EC2 and other providers can be difficult at best.

Aside from standard feature to feature comparisons, there are two core components to take into account when performing any comparisons to Amazon:

Pricing:  Amazon’s pricing structure is entirely a la carte.  Amazon EC2 caters to a broad market and lends itself to a better price when compared at face value.  But caveat emptor, as a more thorough analysis will be required to accurately derive pricing. Amazon’s a la carte charges for basic server use include:

• Bandwidth in and out of the Amazon network
• Bandwidth between servers if they are in separate zones (necessary for SLA coverage)
• Each read and write to the hard disks
• Additional storage capable of handling unexpected system shutdowns
• SLA’s only apply when duplicate servers are running in a different Availability Zone.  This requires subscribing to two of anything that is to apply to an SLA, which effectively doubles costs.
• Forecasting of actual costs is difficult due to the metered model on items like bandwidth and hard disk activity

ECUs:  Amazon introduced a new term to cloud computing: Enterprise Compute Units, or ECUs.  Overall the ECU model is not bad and it may positively influence the needed trend to remove physical comparisons in a virtualized world.  It does, however, introduce a difficult model to compare against equally.  And, if the customer environment is sensitive to physical architecture (i.e. The Chipset), Amazon’s model could prove difficult for them.  This is because Amazon uses white-box commodity hardware of varying ages and technology.

Developers have noted in blogs which chipsets their servers are using and also noted that they may have different chipsets using different speeds when comparing two servers of the same category.  Some of these are older generation hardware that do not support high-speed memory or virtualization. (http://www.cloudiquity.com/2009/01/amazon-ec2-instances-and-cpuinfo/)

When comparing Amazon EC2 to other service providers consider the following:

• Amazon’s pricing model is heavily dependent upon metered usage.  This can be difficult to forecast and manage yet contributes significantly to the overall cost.

Some important questions to ask are: Does the service provider bill for intra-LAN communication? For meter hard disk activity? How does the other service provider compare to Amazon’s 320GM data transfer per direction?

• Amazon’s default storage option is transient, meaning that should either the virtual server or underlying physical server fail for some reason, the data is lost.  Mitigation of this requires an add-on storage product which comes at additional cost.

Does the service provide high performance, and a persistent storage standard with reasonably priced expansion options?

• Amazon’s SLA carries many exclusionary terms, has little financial recourse, and only applies if you have a duplicate server running in a different Availability Zone, meaning you have to buy two of anything that is to apply to an SLA, effectively doubling your costs.

Does the comparing service have a comparable or better SLA that that applies to each instance regardless of architecture?

• Amazon’s bandwidth model charges for data transferred between your virtual servers that live in different zones (i.e., multiple servers across zones for SLA purposes).

Does the comparing service bill for data transfer within the customer VLAN?

• Amazon’s EC2 Compute Units are rated to be equivalent to a 2007 era 1GHz Xeon processor; thus most configurations are 2GHz vCPU’s (2 cores @ 2 ECUs).What does the comparing service offer?  Does it use current generation 3GHz processors?  This is important when comparing to Amazon cores to determine if the comparing service provider’s solution will match or exceed EC2 performance.

• Amazon’s model is based on commodity hardware.What hardware does the comparing service provider use?  Is it based on top tier enterprise class hardware such as that from Cisco, HP, or Compellent ?

• Amazon’s cloud is based on a proprietary, internally developed version of Xen (paravirtualization).What virtualization platform does the comparing service provider use?  Is it industry leading,  a hybridization, or proprietary?

Another thing to consider is the price point to launch a site or application on Amazon is very attractive until you begin to push decent traffic through your EC2 servers. When this threshold has been breached, and this will be unique to every subscriber, Amazon will almost always cost more than leasing equipment or dedicated servers.

As you can see, “the devil is in the detail” with Amazon, when attempting to properly understand what you are asking for and/or comparing to other service providers.  These complexities associated with EC2 may require a more structured and consultative approach when performing the detailed analysis required to compare apples to apples between competing services and bids.

Instead, Facebook has managed to raise substantial investment money without going public. So the company can continue to grow and expand—and continue to dominate social media—without having to fall under the extreme scrutiny of the public eye that comes along with an IPO.

Just how much money has the company managed to raise? According to the New York Times, the most recent investors are Goldman Sachs Group and Digital Sky Technologies, a Russian tech investor and, together, they are handing over $500 million. This is after investors that include Microsoft, Elevation Partners, Accel, and Greylock Partners have, as a group, invested close to $1 billion.

Even if other companies had Facebook’s mammoth ability to raise investment money, other companies might still feel the pressure to go public. That’s because early investors tend to want to be able to cash out. But, because of private stock exchanges, Facebook shareholders have already had the chance to do so, to a degree.

This is how private stock exchanges work: Though companies like Facebook are private, they do have shares. Some employees or investors have stock that they want to cash out, while others want a piece of the pie. These sellers and buyers are matched through private exchanges, which have been developed as a way to bring these two parties together. But there are limits to this kind of stock trading. In fact, in April, Facebook banned existing employees from selling their company shares. So, while share trading is happening, there is certainly pressure from some to have more open and public trading.

But, for now, Facebook is able to continue to raise money and much of the stock can be traded privately, so there may be little impetus for the company to go public. Regardless of whether they do or not, there’s one thing that’s for sure—the company will continue to make news, and the public will continue to watch intently to see if an IPO is in its future.