CLOUD SERVICES Problem Solved IaaS Buyer’s Checklist. Yes it’s another checklist, but this one’s actually useful.


Service levels.

Does the provider offer your required SLA/SLG? Example: 99.9%, 99.95%, 100% (for example on an HA solution).

Does the SLA/SLG cover 24x7x365?

Is the required SLG level included in the solution price?

Are the conditions for rebate payments acceptable? Example: No rebate for SLG violations, one day for every hour SLG breach.

Are all solution elements covered by the SLG? Example: Individual service element or entire solution uptime.

Is the maximum rebate payment limit acceptable for you? Example: One month of service charge.

Does the notification period for planned outages match your needs? Example: Not specified or five business days.

Are all critical elements covered by the SLG? Example: Server uptime, solution uptime, special SLGs such as network and storage performance (IOPS).

Are the disaster recovery SLGs state of the art? Example: 5 minutes RPO and 30 minutes RTO.

Does the vendor provide a RACI matrix for managed hosting? RACI = Responsible, Accountable, Consulted, Informed.

How complex are the SLGs? Do you understand them? Example: Complicated definitions of “uptime percentage”, “availability” and exclusions.


Service and support.

Does the vendor provide direct access to the technical support team? Example: What are the support times and support channels (email, phone)?

Are support cases handled by engineers directly?

Is engineer support available 24x7?

Does the vendor provide access to technical consultants in the presales phase? Example: Support for individual solution design and scoping.

Are there customer service managers assigned to each individual account? Example: Who is your contact in day-to-day business?

Does the company provide regular business reviews? Example: Utilisation reports, face-to-face meetings to discuss potential optimisation or recent issues, QA improvement, customer feedback.

Does the vendor assign a dedicated project manager to complex orders? Example: Who assists the customer during the provisioning process to make sure that the outcome is as expected, tailored to the customer requirements, and on time?

Does the vendor start billing the customer only after successful user acceptance tests?

Do you require “Smart Hands”? Example: Engineers that perform tasks on behalf of your IT staff in the data centre to avoid travel and improve effectiveness.


Certifications.

Is the vendor Information Technology Infrastructure Library (ITIL) certified?

Is the vendor ISO27001 certified?

Do you require a PCI compliant solution? If yes, is infrastructure outside your customer environment PCI certified (gateway to customer environment)?

Does the vendor fulfil Australian Government standards (ASIO T4, DSD)?

Commonly required certifications.

ITIL: The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.

ISO27001/2: An information security management system (ISMS) standard that contains 11 domains:

• Security policy

• Organisation of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control

• Information systems acquisition, development and maintenance

• Information security incident management

• Business continuity management

• Compliance.

ASIO T4 Protective Security (ASIO-T4): ‘Protective security’ is a combination of procedural, physical, personnel, and information security measures designed to provide government information, functions, resources, employees and clients with protection against security threats.

ASD: Australian Signals Directorate gateway certification.

PCI DSS: Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.


PCI DSS control objectives and requirements.

Build and Maintain a Secure Network

• Install and maintain a firewall configuration to protect cardholder data.

• Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

• Protect stored cardholder data.

• Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

• Use and regularly update anti-virus software on all systems commonly affected by malware.

• Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

• Restrict access to cardholder data by business need-to-know.

• Assign a unique ID to each person with computer access.

• Restrict physical access to cardholder data.

Monitor and Test Networks

• Track and monitor all access to network resources and cardholder data.

• Regularly test security systems and processes.

Information Security Policy

• Maintain a policy that addresses information security.

Managed hosting.

Example of tasks/areas that should be considered.

• Configure operating system

• Operational capabilities

• Configure monitoring

• Configure backup

• Provide test plans

• Platform testing

• Customer acceptance testing

• License purchase/lease

• Operating system ownership

• Validate specification against requirements

• Installation (rack mount, system power)

• Configuration of networks

• Resilience configuration

• Security patching and service packs

• System re-install

• Version upgrades

• Security policy management

• System reboot

When you know you’re in safe hands, you can focus on what’s most important to you. Your business.

Bill, Cloud Specialist


Billing.

Is there a monitoring portal that allows measuring of service consumption in near real-time?

Does the portal allow the customer to set thresholds for notifications?

Is the bill structured in a format that fulfils internal accounting needs? Example: Grouped by business unit, export formats.

Are the commercial terms fixed or negotiable?

Do you have a dedicated contact person for billing enquiries?

Do you require billing by the hour? Example: Individually designed customer solutions that include dedicated service components (non-shared firewalls, load balancers and compute resources) do not allow billing by the hour due to the complexity of setting up the environment. Billing by the hour is mostly only available if the solution is built entirely on shared infrastructure.

How predictable is the bill (bill-shock)? Example: Is the service consumption predictable?

Service management.

Does the portal allow the setup of different accounts with individual user access policies? Example: One user to configure the firewall, one user to view the bill.

Are all portals available to you in order to manage your infrastructure? Example: Compute, network, storage, firewall, load balancer etc.

Can you order new elements online?

Do provisioning times for new elements or change requests meet your business needs?

Do you get a monitoring portal that suits your needs?

Technology.

Are critical services built on dedicated technology? Example: Full-featured dedicated Fortinet firewall or shared firewall.

Do you need IaaS that uses a specific hypervisor and does the vendor support your hypervisor? Example: Some workload mobility solutions do not support multiple types (vendors) of hypervisors.

Are you running a hybrid infrastructure (colocation, private cloud, public cloud, dedicated managed servers, on-premise servers) and does the vendor support this? Example: Hybrid solutions require scalable interconnectivity solutions. Do you prefer to get everything from a single source and limit the number of vendors?

Do you control the contention of your compute resources? Example: Public clouds do not reserve 100% of the compute resources for each client. Compute resources are assigned on demand between customers, which adds latency and could lead to “noisy neighbour” problems.

Is the technology powerful enough? Example: What specs do you need to serve your required workload? It is not always easy to compare “apples with apples” due to different performance specifications.

Does the vendor provide all the value added services you need? Example: Backup, patch management, multiple storage tiers, load balancers, global server load balancer.

Does the vendor provide the storage options you need? Example: Storage for archives, normal server load, databases or ultra high workloads.

Do the disaster recovery (DR) solutions suit your needs? Example: Price, DR location, ease of DR implementation, monitoring, maturity of DR solution.

Does the vendor offer disaster avoidance solutions that suit your needs? Example: Performance of data centre interconnects, storage replication, stretch storage (same LUN in two locations).

Global, regional, local.

Does your solution require hosting in Australia? Example: Required by law or any other legislation, personally preferred because of Homeland Security, PRISM, Patriot Act etc.

Do you prefer to do business with a local partner? Example: You are looking for a local trusted business partner.

Do you require multiple availability zones for your disaster recovery or disaster avoidance solution? Example: High availability solutions could be hosted in different data centres for higher fault tolerance.

Do you prefer a contact centre located in Australia?

Do you prefer the engineers to be located in Australia?

Can the vendor offer a network connection to its services with low latency?


The data centre.

Does the data centre fulfil all required certifications?

Is the data centre highly reliable and available? Example: A Tier III data centre (Uptime Institute) can maintain all elements without causing any outage to any services at any time.

Does the vendor provide enough transparency? Example: Tours and direct contact with the facility managers to ask questions.

How do the vendors rank in their outage history? Example: Is the vendor transparent with its outage history? What were the reasons for the outages? What technology was affected?

Does the data centre support your rack size?

How does the vendor rank in terms of efficiency? Example: Ask for the power usage effectiveness (PUE). The PUE is the ratio of the total facility energy consumption to the IT equipment energy consumption.

Does the data centre support your energy consumption per rack?

Do you have a choice when it comes to Internet connectivity? Example: Available external Internet connections.

Has the data centre enough capacity? Example: Are you likely to get more rack space when you need it in the future?


Make or buy.

Buy (Pro)

• Solution maturity high.

• Solution available today.

• Portfolio of value added services.

• Solution variety (different storage tiers).

• Hybrid infrastructure from a single source.

• Import/export capabilities (low lock-in risk).

• High support expertise.

• High solution design expertise.

• 24x7 monitoring and support.

• Sophisticated management portals.

• Comprehensive monitoring solutions.

• Grow as you go.

• Low Capex.

• Affordable turnkey disaster recovery solution (if offered).

Buy (Con)

• Technology lock-in (on some vendors).

• Uncertainty about vendor capabilities.

• Hidden costs and bill-shock risk.

• Support quality on entry level support offerings.

• Limited to vendor’s solution portfolio.

• Limited transparency (reporting) with some vendors.

Make (Pro)

• Growing in-house expertise.

• Full control over staffing.

• Self-selected backend technology.

• Full control over vendors and partner selection.

• Full access to backend technology if required.

Make (Con)

• Long term lock-in into internal solution because of long term Capex investments.

• High Capex.

• Solution will mature over time.

• IT staff has to cover infrastructure and application level support.

• Expensive 24x7 support and management.

• Limited technical solution portfolio (inflexible short and long term strategy).

• Slow uptake of new technologies.

• Limited cloud services benefits – internal solutions use virtualisation but not cloud technologies (service layer on top of virtualisation).

• Service disruption and brain-drain issues due to fluctuating staff.

• High costs for consulting and engineering for solution design (especially DR).


Want to learn more? Macquarie Cloud Services provides comprehensive cloud computing solutions for businesses.

Macquarie Cloud Services 1800 004 943 macquariecloudservices.com

About Macquarie Cloud Services.

Managed servers, Private clouds, Hybrid clouds, and Virtual Data Centres. Our team know them all, back to front and inside out. And make sense of them for you. Cloud can seem complex. But not when you’ve got us behind you. Everyone talks about the cloud. But we make it a reality.

We are Australia’s specialists in cloud services for business and government. We create flexible, fully-certified hybrid IT solutions, built on industry-standard platforms and backed by government-approved accreditation. We’re proudly Australian, with powerful data centres based in Sydney and Canberra. All supported by a team of passionate and experienced cloud specialists.

We’ll listen, think, throw ideas around and then attack the whiteboard until we’ve nailed the best answer for you. We’ve built our business on bringing smart minds together with a can-do attitude. It’s a good feeling when our customers call us ‘part of our team’. That’s why we exist.