Over the past year, I’ve had many discussions with clients and prospects regarding the use of SaaS and cloud services. As we move through the discussions, balancing risk, productivity, and cost is always a challenge. Here is a list of questions that have really helped me to help other CEOs, business owners, and management better understand the contracts that are sometimes just a little too easy to click ‘AGREE’ to – maybe they will help you as well:

1. Where’s the Production Data?: Where is the production business and customer data stored? Specific region(s) or state(s). What is the RTO in the event that the primary datacenter encounters a failure?
2. Where are the backups stored? Are the backups written to a separate storage system by a separate vendor? How can the client access the backups?
3. How are SLAs Defined?: Generally speaking, major cloud providers offer 99.9% (three-nines) uptime guarantees to partners and end-customers. But here’s the fine print: Does the SLA included planned downtime? Be sure to double-check, because planned downtime can vastly impact client access to the cloud. What is the credit if the SLA is missed?
4. What Security and Privacy Standards are In Place?: Is data encrypted? Does information sit on a shared server with other clients (ie, multitenant)? If so, what precautions would prevent data from being accessed in clear-text if front end servers were compromised? Some industries require auditing standards such as SAS 70 Type II.
5. Is the Data Easily Portable?: If the client decides to switch service providers or cloud providers, how long does it take to gather the customer data/business data from the current cloud, and move it to a new service provider?
6. Does Your NOC/Help Desk Speak American?: Notice how this question is worded. There’s a difference between speaking English vs. speaking with an American dialect. Cloud help desks often outsource support to NOCs (network operation center) support teams that may not understand American dialect fluently.
7. How is the Cloud provider Insured?: If the cloud provider’s business implodes, what are the potential implications to clients?
8. What are the Terms/Conditions on who owns the data?: Some agreements, such as Google Docs, state that they hold exclusive rights to redistribute your data.
9. How is the system managed? Can new users be added/deleted via a portal? Do auditing reports exist for all authentications?
10. Recovering lost data: In the event that an employee deletes critical data from the cloud service, what is the process and cost for reverting the data back to a previous ‘instance’?

In the wake of the Amazon Cloud Failure, it just re-emphasizes that due diligence is definitely required when making the decision to trust others with your corporate assets.

Alan