Tom Loftus | WSJ
Since the 2006 debut of Amazon.com Inc.’s Amazon Web Services, more and more IT departments have caught on to the idea of renting online computing horsepower to test or develop business applications, host corporate human resources data and run Big Data-type analysis, among other tasks. The market for public cloud services, which are open to anyone who wants to use them, is now a $40 billion business, according to IDC.
Recent price battles between Amazon, Microsoft Corp. and Google Inc. could lead customers to believe that competing cloud vendors, who make many similar promises, differentiate themselves in few ways beyond price. But Amazon and, to a lesser extent, Microsoft provide customers with certain amenities that Google’s new offering, at the moment, does not.
To illustrate these differences, CIO Journal asked Amazon, Google and Microsoft to respond to questions suggested by a number of cloud computing analysts and consultants. The questions referred only to the vendors’ respective infrastructure and platform services, and not cloud-based software services such as email or other applications.
| Question | Microsoft | Amazon | Google |
|---|---|---|---|
| Custom cloud service level agreement | No | Yes | No |
| Provide product roadmap to customers | Yes | Yes | Limited |
| Provide single point of contact by name | Limited | Limited | No |
| Compensation for downtime | Service credit | Service credit | Service credit |
| Reporting uptime | Public dashboard | Public dashboard | Public dashboard |
| Publicly post audits | Limited | Limited | Limited |
| Audits of controls by customers/potential customers | No | No | No |
| Customer-led penetration testing* | Yes | Yes | No |
| Response-time to notify customers of breach | Promptly | Based on applicable law | Per contractual terms |
| Customers choose cloud storage location | Yes | Yes | Yes |
*A test on the security controls and processes of public cloud vendors meant to simulate a cyberattack.
Customizing the Cloud Service Level Agreement
The cloud service level agreement establishes the legal relationship between the cloud provider and the client. It outlines the responsibilities and expectations of each party, touching upon security, expected uptime of the cloud service and any compensation arrangements should the vendor fail to meet its obligations.
Amazon.com appears most willing to enter into customized agreements with its larger customers, a positive for those businesses who believe that a boilerplate agreement may not be sufficient to meet their needs. “The interesting thing is that many enterprises first begin using the services under our standard contract, then work with us to define terms that best meet their business needs. Projects can move forward without being held up as we work together to define the terms of the Enterprise agreement,” Amazon said.
Google’s platform as a service, Compute Engine, doesn’t yet offer any form of service level agreement because the service is still being developed and is used only by customers willing to help Google test it. “Compute Engine will have an SLA when it moves out of limited preview,” the company said. App Engine, which combines computing power and business solutions, was launched in 2008. Its users get a service agreement, but it is not customizable. Google likewise provides customers with a “glimpse” of a product roadmap, something that could help clients plan their cloud strategy. The company said customers should consult Google’s enterprise blogs for hints of what’s to come.
However, Google said it provides customers with a named account representative to whom they can turn in case they need assistance.
Forrester Research Inc. analyst Dave Bartoletti tells CIO Journal that customers might want to at least differentiate between cloud storage and other cloud functions when discussing SLAs with vendors, because they might want more stringent SLAs for computing services than for storage. “You might want to discuss SLAs that apply to compute (servers and applications) differently than for storage. You could have two different SLAs,” he said.
Both Amazon and Microsoft offer product roadmaps to customers, but usually only once the customer has signed a confidentiality, or non-disclosure agreement. And both companies allow customers to pay for upgrades to their services that provide for a single point of contact for technical matters.
All three vendors provide the public with a record of business audits for compliance with security standards such as SSAE 16 and ISO 27001. Amazon said it provided “detailed reports of compliance and audit results” to both customers and potential customers under NDA.
But when vetting standards, customers shouldn’t assume that security begins and ends with the cloud vendor, Bartoletti says. “You need to develop internal controls and procedures that you can bring your cloud vendor into, so they become part of your process,” he said.
Letting customers run penetration tests
The relative maturity of Amazon and Microsoft’s cloud services may explain why both said they allow customers to run penetration tests on their security controls. Amazon added that customers are free to simulate a cyberattack against the service, but must limit tests to servers holding their own assets within the Elastic Compute Cloud service. Both companies require customers to obtain approval beforehand.
Microsoft also noted that it allows customers to inspect its cloud facilities in person. Neither Amazon nor Google allows this.
Giving customers a choice on where to keep data in the cloud
Although cloud computing, by definition, is about taking at least some computing tasks off-premises, many customers still need–for regulatory or compliance reasons–to be able to identify the physical location of their data.
All three vendors said they allow customers to choose where their data is stored. “Within Cloud Storage, users can specify a desired location (currently U.S. or European data centers). Data is stored at rest in the respective area the customer has chosen to deploy his/her application,” Google said.
Amazon offers a number of AWS Availability Zones based on geographic region throughout the United States and around the world, from which it says customers can select and within which their data remains.
“Don’t be spooked by large failures. There are going to be big failures,” said Bartoletti. “Because cloud vendors are learning from every single failure,” which is making them better all the time.