Hosting and other XaaS offerings enable enterprises and other organizations to outsource lots of things, but the expectations of customers and regulators aren't among them. Hence the importance of making sure XaaS contracts spell out every last thing that the provider must deliver.
Service-level agreements (SLAs) are one way to codify expectations, but they're often used more for creating a shortlist of potential providers than as a way to keep the chosen one in line.
"SLAs are more of a way to eliminate vendors than a weapon you can wield if it comes to that," says Melanie Posey, an IDC research vice president who covers the infrastructure-as-a-service (IaaS) and managed network services markets.
Some as-a-service (XaaS) applications are new to the point that providers and customers alike are still hashing out their requirements. Take the example of a mobile operator that decides LTE's cloud RAN capabilities are an opportunity to have a third-party host that infrastructure. Other types of IT and telecom applications would be fine if a server failure shifts that workload to a data center across the country. But LTE's RAN latency requirements mean the backup server must be closer: as in no more than 40 miles away from the cell sites it would have to take over. (See Virtualization: Enabling Mobile Operators to Outsource Networks.)
This example also shows how an application's requirements affect whether an XaaS provider can or should pursue that market. A data center operator with a handful of facilities around a country wouldn't have ones close enough together to support LTE. But it could be a viable opportunity for a telco that has multiple central offices around each metro and has converted them to double as data centers.
Even with established, widely used applications, it still can be challenging to determine whether a provider can deliver exactly what's needed to fulfill regulatory requirements, industry best practices, customer expectations or all of the above. Two examples are applications governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS).
"Labels like HIPAA compliance and PCI compliance get thrown around by some providers as marketing buzzwords," Posey says.
Such claims should be verified with audits, in which staff from the hosting customer and/or a third party certify that each data center has the policies, equipment and other controls necessary to ensure compliance. These audits are also another tool for winnowing down the shortlist of providers to the one that ticks all the boxes.
"You have to map compliance to the level of service you're getting from the provider," Posey says. "Then you can tease out who's responsible for what and what it means when this provider says it's HIPAA compliant versus when this other one says it."
This detective work gets even more involved when the application serves customers in multiple countries with different legal requirements. For example, if one country says its citizens' data can't be stored in foreign facilities, it's important to ask potential providers how they automate load balancing to ensure that traffic isn't inadvertently shifted abroad. In the New IP world, the sheer nature of virtualization makes enacting and enforcing these kinds of policies easier said than done.
"If you spin up a virtual machine (VM) to do something on AWS, you have to make sure that this VM not only always lives in this AWS availability zone, but also that it always lives on this particular physical server in this particular data center," Posey says. "You have to make sure that you know where stuff is running and where the data is stored at all times. In the cloud world, where everything is self-service and everything is virtualized, that might not be as straightforward as you might think."
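As an added illustration of the placement checks described above (not code from the article or from any provider), the script below compares successive pulls of a hosting provider's VM inventory against a residency policy and a list of pinned workloads, flagging data landed in a disallowed region and VMs that have drifted off their pinned zone and physical host. The region, zone, host and VM names are constructed placeholders, and the inventory format is an assumption.

```python
from dataclasses import dataclass

# Constructed policy: which provider regions may hold each jurisdiction's citizen data.
# Region names are hypothetical placeholders, not any real provider's identifiers.
ALLOWED_REGIONS = {
    "DE": {"eu-central"},
    "US": {"us-east", "us-west"},
}

@dataclass(frozen=True)
class Placement:
    vm: str
    jurisdiction: str   # whose citizens' data the VM processes
    region: str
    zone: str           # provider availability zone
    host: str           # physical server, if the provider exposes it

def check_placement(p: Placement, pinned: dict) -> list:
    """Return policy findings for one observed placement (empty list = compliant)."""
    findings = []
    allowed = ALLOWED_REGIONS.get(p.jurisdiction)
    if allowed is None:
        findings.append(f"{p.vm}: no residency rule defined for {p.jurisdiction}")
    elif p.region not in allowed:
        findings.append(f"{p.vm}: {p.jurisdiction} data in disallowed region {p.region}")
    expected = pinned.get(p.vm)
    if expected and (p.zone, p.host) != expected:
        findings.append(f"{p.vm}: drifted from {expected} to {(p.zone, p.host)}")
    return findings

def audit(snapshots, pinned) -> list:
    """Run every placement from every inventory pull through the policy, in order."""
    return [f for snap in snapshots for p in snap for f in check_placement(p, pinned)]

# Constructed inventory: two consecutive pulls of the provider's placement API.
PINNED = {"crm-db": ("eu-central-a", "host-17")}
SNAPSHOTS = [
    [Placement("crm-db", "DE", "eu-central", "eu-central-a", "host-17"),
     Placement("web-1", "US", "us-east", "us-east-b", "host-03")],
    # Second pull: a failover moved crm-db to another host, and the provider's
    # load balancer rebalanced web-1 (US data) into a European region.
    [Placement("crm-db", "DE", "eu-central", "eu-central-b", "host-42"),
     Placement("web-1", "US", "eu-central", "eu-central-a", "host-05")],
]

if __name__ == "__main__":
    for finding in audit(SNAPSHOTS, PINNED):
        print(finding)
```

In practice the snapshots would come from the provider's inventory API on a schedule, so that a migration or rebalance is caught at the next pull rather than at the next audit.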
Another example is how hosting customers frequently share servers in a data center. The contract should specify exactly what the provider will do if, say, law enforcement wants to seize a server because it's investigating one of the tenants. Is it realistic to demand that the provider wipe the server of the other tenants' data before handing the box over to law enforcement?
The answer depends on the host and the legal jurisdiction, but it's the kind of question to ask -- preferably early on in the vetting process. Ditto for other questions related to security and privacy, which are tied partly to how much visibility and control a provider grants its tenants.
"The first question to ask is, how can I maintain compliance and visibility and control using your infrastructure?" Posey says. "Make them answer that question first. Then you can get into RAM, CPUs, storage and all of that other stuff."
— Tim Kridel, Freelance Contributor, special to The New IP