How to Choose the right Cloud hosting services

The cloud provides an alternative way of procuring IT services that offers many benefits, including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditised. 

However, in a recent survey by global IT association ISACA, 30% of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise’s security in the next 12 months. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud.

The cloud is not one thing; it covers a wide spectrum of types of service and delivery models, ranging from in-house virtual servers to software accessed by multiple organisations over the internet.

It is important to understand the variety of cloud services and deployment models to choose the one most suitable for your needs.

Choose the right cloud deployment model
Public cloud services are available for anyone to subscribe to and use. The key benefit of a public cloud approach is one of scale – the cloud provider can potentially offer a better service at a lower cost because the scale of their operation means that they can afford the skilled people and state-of-the-art technology.

The public cloud model inherently provides service on demand. The cloud provider can dynamically reallocate resources as they are required. Spreading the service delivery across multiple locations also improves resilience. Local problems with power supplies, telecommunications, natural disasters, and so forth, can be managed more effectively when there are several datacentres in multiple geographies.

The downside of the public cloud is the risks of compliance and data security. For example, data privacy laws in the EU mandate that personal data must be processed within defined guidelines. The cloud service customer, which is the “data controller”, is responsible in law, and needs to ensure that these guidelines are adhered to. Large cloud providers have recognised this need and can offer compliant services. Sharing applications and infrastructure with unknown co-tenants can lead to concerns over data security and data leakage. There are standards and best practices for this, and it is essential to check that the cloud provider is externally certified as adhering to these.

The HMRC online tax filing service is software-as-a-service with a public deployment model and this has been praised by the Audit Office, although it unclear whether it provides value for money.

A private cloud service is used exclusively by a single organisation. The private cloud allows organisations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources. The price to pay for this is that the costs are likely to be higher because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.

Choose the right type of cloud service
Infrastructure-as-a-service (IaaS) provides basic computing resources that the customer can use to run software (both operating systems and applications) and to store data. IaaS allows the customer to transfer an existing workload to the cloud with minimal, if any, change needed.

The customer does not manage or control the underlying cloud infrastructure, but remains responsible for managing the OS and applications. IaaS removes the need to buy, house and maintain the physical servers and can provide the ability for an organisation to respond quickly to changing demand.

Platform-as-a-service (PaaS) provides an environment upon which the customer can use to build and deploy cloud applications. These applications may be for use by the customer or offered as a service to others. Building applications using PaaS means that they are inherently cloud-enabled and the PaaS provider also provides the service upon which these applications run. The benefits include no need for capital hardware investment and rapid deployment. The major downside is “lock-in” – most PaaS platforms are based on proprietary programming interfaces (APIs), so it can be very difficult to change provider at a later date.

Software-as-a-service (SaaS) provides an application and data that can be accessed via a network (usually the internet) using a variety of client devices such as web browsers and mobile phones.

The major benefit of SaaS is the immediate availability of a working solution for a specific business problem with no need for upfront investment. This is particularly valuable for areas such as mature business processes which are essential, well understood and need to be delivered at minimal cost. SaaS provides an opportunity for service providers to offer the best solution to this kind of problem at the lowest cost.

The risks associated with SaaS include loss of governance, data privacy issues and return of customer data. Mature business processes are often subject to regulations and laws, and organisations have invested heavily in IT to ensure compliance. Using SaaS means devolving control to the SaaS provider, and it is essential to have independent confirmation that the provider will comply with the regulatory requirements.

The SaaS provider also has control of the business data held by the service. Contracts need to specify how this data will be returned in a useable form at termination of contract to allow business continuity and provide flexibility to switch provider.

Choosing cloud services that work for your business
When moving to the cloud it is important that the business requirements for the move are understood and that the cloud service and deployment models are selected to meets these needs. Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides:

  • Identify the business requirements for the cloud-based solution. This seems obvious, but many organisations are using the cloud without knowing it.
  • Determine the cloud service needs based on the business requirements. Some applications will be more business critical than others.
  • Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and questions to be answered. Considering the risks may lead to the conclusion that moving to the cloud is not appropriate.
  • Understand what the certification and accreditations offered by the cloud provider mean and actually cover, and how these support your needs.
  • In most organisations, cloud computing will co-exist with other IT service delivery models, so an approach to governance and management is needed which covers both traditional and cloud models.