Random Ramblings About Making Games and Stuff from Cloud

Posts tagged ‘Security’

Why SLA does not make sense in the Cloud?

What do you really want to accomplish with a Service Level Agreement (SLA)? To punish, or to get the best support available, as soon as possible? With traditional on-premise software, if there is a problem you are pretty much all alone with it. The time and the money between the binary hitting the fan and the fan being fixed come solely out of your pocket. In the traditional on-premise or dedicated server software environment an SLA makes sense. You need to have some leverage and certainty that your software provider is at least mildly interested in fixing your problem.

When “Cloud Computing” hits speed bumps the whole Internet holds its breath. The latest example is the Amazon incident on April 21 2011. If a SaaS service is not up and running, the SaaS firm is losing a lot of money, very fast. Most SaaS firms have a monthly recurring revenue model and customers can cancel their subscription with one month's notice. This means that customers can vote with their wallet. So you can be sure that a SaaS firm gives its fullest attention to getting its service up and running as soon as possible. If your provider has fully clouded its technology (so-called multitenancy), your application instance will be fixed as soon as the service is fixed. No one gets special treatment, good or bad. So there is no need to fear that your account is down while others are running.

Storm, calm or no cloud? You have no idea.

You should be able to see if your Cloud is in a storm or calm.

With a proper SLA the damages and indemnification are somehow tied to the amount of money you pay for the software, services included. With SaaS firms your monthly – and even yearly – fees are a quite small amount of money, and so are the potential liquidated damages. This means that, for example, 10% indemnification of the subscription value is merely a nominal sum. For example, if a SaaS service cost you a 59$ yearly subscription, it would entitle you to 50 cents of compensation for one month of downtime. And before you try to negotiate higher indemnification, talk to your own lawyer and ask whether you should sign a contract that has a liquidated damages clause over 100% of the contract value. Next imagine asking a SaaS firm for it. And guess the response. My point is that there is no realistic way to imagine an SLA between you and a SaaS provider that would carry real monetary indemnification. The real penalty for a SaaS provider comes in the form of lost income, increased churn and negative publicity. Any serious SaaS provider will do everything to avoid this.

All is well in the cloud

Seek for transparency instead of indemnification.

What I am trying to say is that instead of asking what SLA levels you receive and what kind of compensation is possible, ask what your SaaS provider is doing to minimize downtime. It does not make sense to try to get the SLA agreement as tight as possible. It makes more sense to make sure that the provider is “all in” with the cloud. If the service you are using truly has significant monetary value for your provider, it will make sure that it runs as smoothly as humanly possible.

Make them prove that they know what they are doing, but not with an SLA. Ask about security, availability, recovery and how you can monitor uptime. For example Azure (Service Dashboard), AzureWatch and Sopima Oy provide RSS feeds to their customers to give transparency into their service levels.
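A status RSS feed is only useful if someone actually reads it, so here is an added example (mine, not code from any of the providers named above) of a small monitor that parses such a feed and lists the incidents that are still open. The feed content is constructed for the example and the status keywords in the item titles are an assumption; real feeds vary, so adjust the markers to what your provider publishes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample feed in the shape of a typical RSS 2.0 status feed.
# The service name and incidents are hypothetical.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Service Status</title>
    <item>
      <title>[Resolved] Elevated API error rates</title>
      <description>All systems operational again.</description>
      <pubDate>Thu, 21 Apr 2011 10:30:00 +0000</pubDate>
    </item>
    <item>
      <title>[Investigating] Login latency in EU region</title>
      <description>We are investigating slow logins.</description>
      <pubDate>Thu, 21 Apr 2011 14:05:00 +0000</pubDate>
    </item>
    <item>
      <title>Scheduled maintenance window</title>
      <description>Planned maintenance on Sunday.</description>
      <pubDate>Wed, 20 Apr 2011 09:00:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""

# Assumed title conventions: providers commonly prefix items with their state.
OPEN_MARKERS = ("investigating", "identified", "monitoring", "degraded", "outage")
RESOLVED_MARKERS = ("resolved", "completed")

# Fixed "now" so the example is reproducible offline (constructed value).
REFERENCE_NOW = datetime(2011, 4, 21, 18, 0, tzinfo=timezone.utc)


def classify(title):
    """Map an item title to 'resolved', 'open' or 'info' based on its markers."""
    lowered = title.lower()
    if any(marker in lowered for marker in RESOLVED_MARKERS):
        return "resolved"
    if any(marker in lowered for marker in OPEN_MARKERS):
        return "open"
    return "info"


def parse_status_feed(xml_text):
    """Return a list of (title, published_utc, status) tuples from an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        pub = item.findtext("pubDate")
        # RFC 2822 dates are what RSS uses; parsedate_to_datetime keeps the offset.
        published = parsedate_to_datetime(pub) if pub else None
        items.append((title, published, classify(title)))
    return items


def open_incidents(items, now, window=timedelta(hours=24)):
    """Titles of unresolved incidents published within `window` before `now`."""
    return [
        title
        for title, published, status in items
        if status == "open" and published is not None and now - published <= window
    ]


if __name__ == "__main__":
    for title in open_incidents(parse_status_feed(SAMPLE_FEED), REFERENCE_NOW):
        print("OPEN:", title)
```

Run it on a schedule against the real feed URL (fetching is left out so the example stays offline) and alert when the list is non-empty; that turns the provider's transparency into something your own operations team actually sees.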

Focus on finding the signs of preemption, transparency and security – instead of indemnification in the SLA.

PS. If you want to know the 10 questions you should ask your SaaS vendor and what the correct answers are, go here.


Can You Trust Your Own Servers?

Yes, it's ugly, but it's my own!

I wrote this post originally to my company blog.

Can I trust Cloud Services? A very common question nowadays. In my opinion the question in the headline is just as relevant. Very often cloud services are seen only as a potential risk, and the benefits are forgotten. The company data is kept tightly on on-premise servers, under perfect control. A common thought goes like this: the Cloud is a dangerous place and my own servers are safe, of course. Wrong. Your own server is your own server. The Cloud is the Cloud. Let me explain.

Let me compare these two approaches in the contract management context: on-premise servers and practices versus cloud offerings. Is your organization sending contract drafts and contracts via unencrypted e-mail to your business partners? How are your contracts protected, both physically and technically? Who can see the contents of the agreements? I dare claim that the current cloud services solve most of these problems.

TOP3 Cloud Service Myths

Myth 1. On the Internet there is always someone attacking the Cloud. Therefore, the cloud is a threat.

Maybe. But I’d like to ask you whether your servers are connected to the Internet. If so, welcome to the club. I hope you have done something about it. Additionally, I would like to say that a firewall is not a sufficient answer to this. And if the server is not online, what the heck is it worth sitting ‘in the closet’? The organization must be able to utilize the stored information; the Gigabytes themselves will not bring any benefit to you, only their utilization will. One more thing: when using Cloud Services, the administrators are monitoring the traffic and continuously checking the logs in order to find alarming signs. Who is monitoring your logs?

Myth 2. When using Cloud Services, someone else may have access to my data. Therefore, the Cloud is dangerous.

As if hiding it in the corner of your server room would be safe. Wrong. The fact is that hiding your wallet in your backyard is not as safe as putting it in a bank's safe. Expired user access combined with shared user IDs increases the number of people who can see your information if they wish to. Can you be sure about the accuracy of the user rights and access in your organization? When it comes to Cloud Services there is an automatic checkpoint for this every month, when the invoice comes.
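The monthly invoice forces a per-seat review in the cloud; on your own servers you have to build that checkpoint yourself. As an added example (my code, not from the original post), here is a minimal access review over a constructed account export that flags the three problems the paragraph names: enabled accounts of people who have left, accounts nobody has logged into for a long time, and credentials shared by several people. The record layout and the 90-day threshold are assumptions; adapt them to whatever your directory actually exports.

```python
from datetime import date, timedelta

# Constructed sample of an account export (hypothetical people and dates).
# "owners" lists the people known to use the credential; more than one
# owner means a shared user ID.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "employed": True,
     "last_login": date(2011, 4, 18), "owners": ["alice"]},
    {"user": "bob", "enabled": True, "employed": True,
     "last_login": date(2010, 11, 2), "owners": ["bob"]},
    {"user": "carol", "enabled": True, "employed": False,
     "last_login": date(2011, 4, 1), "owners": ["carol"]},
    {"user": "legal-shared", "enabled": True, "employed": True,
     "last_login": date(2011, 4, 20), "owners": ["dave", "erin", "frank"]},
    {"user": "old-contractor", "enabled": False, "employed": False,
     "last_login": date(2009, 6, 1), "owners": ["gina"]},
]

# Fixed review date so the example is reproducible (constructed value).
REVIEW_DATE = date(2011, 4, 21)


def review_access(accounts, today, stale_after=timedelta(days=90)):
    """Return (user, finding) pairs for enabled accounts that need attention."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            # A disabled account cannot be used; nothing to report.
            continue
        if not account["employed"]:
            findings.append((account["user"], "enabled account for departed person"))
        idle = today - account["last_login"]
        if idle > stale_after:
            findings.append((account["user"], "stale: no login in %d days" % idle.days))
        if len(account["owners"]) > 1:
            findings.append(
                (account["user"], "shared credential used by %d people" % len(account["owners"]))
            )
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, REVIEW_DATE):
        print("%-15s %s" % (user, finding))
```

The departed-person check is the one that matters most, since it does not depend on any threshold: an enabled account with no current employee behind it should not exist at all. The stale and shared checks are the ones the invoice would have surfaced for you in a per-seat cloud service.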

Proper user rights management together with Cloud Services brings better physical security: who is responsible for the costs if someone steals your servers? Naturally it is a good idea to check whether the servers of your Cloud Host are really safe. On your way to finding answers to this question, check out Pasi Mäkinen’s article in Tietoviikko (in Finnish).

Myth 3. When the Internet is down, the Cloud Services may be down too, for hours. Therefore, the Cloud is not reliable.

If the Internet is down, are your own services still available to your customers, and to you? When using Cloud Services it is not likely that you get any compensation for the lost time, but do you if you have everything on your own servers? Most probably not, and on top of that comes the true trade-off: someone (or many people) in your organization is forced to stop productive work and start solving the IT service problem and correcting the situation. That costs a lot.

Don't hide your head in sand. Look up to the clouds.

My point: you just cannot say that your own server is more secure. That is way too simple.

In case I’m proven wrong, you can truly be very proud of having such a well-managed environment at a reasonable cost. On the other hand I’d like to ask you whether this is the key task that adds value to your business. What if you used part of the time and energy you spend on internal data security efforts on developing a new business idea?

Finally, a word of warning. The Cloud is not the safest environment in the world, but I would argue that it is much safer than most of the internally tuned Extranets are.

I’d like to challenge you to investigate the Online Security promise of Microsoft Azure and compare it to your data security practices. You might be surprised. And I cannot promise that it will be a positive surprise.
