Wednesday, February 15, 2012

Thinking about going cloud? Have you asked these questions?

We use a lot of cloud applications and recently started asking a lot of questions. Frankly, not all cloud applications or vendors are created equal, and spending some time understanding what they really do can help avoid a disaster later.

This is the list of questions we ask. We send this list out and then do an hour or so phone call to review the answers with the vendors. We then use these answers to rank them in a weighted spreadsheet to help us make our decision. We also add in things like company relationship, user testing, etc., but those aren't really things we ask the vendors about.

Anyway here is the list. I'd love feedback on what others ask.

Disaster Recovery and Business Continuity
Do you have redundant sites designed for auto-failover?

How long does it take for the redundant site to take over?

Does this include the time to decide to fail over?

What kind of RTO/RPO are in place and are they actually tested against?

Do you have geographic redundancy?

Can you restore accidentally deleted or corrupted data? How far back can you restore from?

What impact does a failed HD, server, cabinet, switch, data center have?

Is it possible?

Can we do legal holds by user, file, keyword?

Can we get access to “access logs” in the event we need to?

If so how far back can we get?

What does it show us?

Can we see who our users are sharing with?

If so can we easily remove access from an enterprise level?

Do you have a site like for transparent operations?  

Is it automatically updated with outages or performance alerts?

Is code/data in escrow? If so how often does it get updated?

What is the migrate out plan like?

Can we request a backup of our data including any customizations?

Company financials
Are you private or publicly owned?

Are you cash flow positive? If not what is the cash burn rate and reserve?

Are you adding new customers? How many?

Do you track your NPS (Net Promoter Score)?

Do you support automatic provisioning and de-provisioning of user accounts?

Do you support LDAP, RADIUS or, even better, SAML authentication and authorization back to us?

Do you use encryption? If so is it for data in flight, at rest or both? What kind of encryption is it?

Compliance and Privacy
Do we get notified of an investigation?

Can our data be seized as part of another company's investigation?

Is our data recoverable by your organization? 

Do you have an SSAE16 or ISAE3402?

Are we allowed to have our third party auditors (or internal auditors) audit your organization?

Please attach a copy of our master services agreement, terms and conditions or other contracts that we are using.

If you get bought by a competitor can I get my data out and go?

Are there financial penalties for service level agreement failure?

Are maximum increases baked in?

How much notice do you need to give us to terminate?

How much notice do we need to give them if we want to leave?  I

Does the contract auto-renew? If so what are the terms?

Are you globally load balanced? If so explain.

Do you use Akamai or other CDN for better performance?

Who do you use for WAN connectivity?

Do you offer “offline” ability? If so, is it automatic, or does the user need to know that they will be offline and plan accordingly?

Do you offer built-in integration tools to existing systems like SAP, etc.?

If not, how hard is it to build them?

What toolset is used for “custom development”?

Are you staffed 24/7?

Can we proactively request assistance if we are doing something off hours?

Is it onsite, email, phone, web or all?

What sort of response time is available?

What is the average tenure of the tier1 staff?

Is there a public knowledgebase available? Is it the same as the internal one or is it filtered?

Can anyone from Enterasys call, or do we only get a certain number of “authorized users”?

How quickly do new features show up?

Do we need to do anything or do we “magically” get them?

How much notice do we get for training users?

Is the system a true multitenant system?

Do you support multiple clients, like iPhone, Android, BlackBerry as well as tablets?

Is it strictly HTML5/browser based? If so which browsers and versions are supported?

Does the system support delegated administration?

How easy is it to automate tasks?

Can we apply roles to groups?

Do we get visibility into what is shared outside of the company, or what access has been granted to third party applications?

Can we enforce enterprise wide restrictions?

Monday, February 6, 2012

What will IT organizations look like in 2016

If you have been reading this blog or following me on Twitter, you know I'm a big believer in cloud and consumerization of IT. In the next few years I expect Google's vision of 100% web to be the norm. Users will be able to use any device to access their data with or without IT's help.

So what does this mean for IT organizations, and how should we structure ourselves to be relevant in this new, and frankly for some people, scary new world?

I think of IT as several groups today. There is the most important group, the service desk (or helpdesk). This is the most important group since it is the "face of IT". Frankly, if you have a great service desk it can really help hide other issues which, if you as a CIO are paying attention, you can fix before they get you in trouble.

Typically then there is either a split with Applications and Operations, or Maintenance and New Projects. Sometimes there is a third group that covers more of running IT as a business type stuff, like service management, financial management, customer relationship managers etc.

In the future though most of the operations will be done by cloud providers. Even now, I hardly ever get involved in any issues. Partly because we don't really have any issues, but if we did it would be to verify connectivity through the Internet to their data center. Beyond that it's a contracts issue.

If we move to Google Apps, which is pretty likely, our email and storage service goes the same way. What changes, though, is the pace of innovation. We will really need people focused on discovering pain points, and solutions to resolve them, before users can find the solution and implement it on their own.

Dan Petlon tells the story about when he decided social media was important. The short version is that he read an article about the relevance of the CIO and the quote was "How can you expect to remain relevant when your CEO has to learn about Facebook - the most successful application ever, from his 12 year old daughter."

I want to make sure that IT knows about and understands the next Facebook before the CEO's daughter tells him about it. To do this I think a dedicated group is needed to ensure that we hear about new technology and also encourage adoption of it. This "Change Management" group fills that role. This is a huge shift, but with Google alone releasing 200+ new features a year, making sure that the users understand the features and can leverage them is going to be the difference between the good companies and the dead companies.

Development also changes. Many of the cool features in a cloud environment are really integrations between various existing cloud applications. Also, many times simple applications will be able to be done by power users, assuming the change management team does a good job training on the new tools, so that should free hard core developers up to really work on integrating and making an excellent user experience. Things like single sign on, consistent look and feel, etc. will be table stakes for new applications.

Finally, the contracts and vendor management piece gains importance since so much depends on vendors providing what they promise. Infrastructure really will become the network and Internet connectivity to allow users to get to the cloud. Clients will be whatever the end user likes and will likely be purchased and supported from the vendor, whether that be Apple iPads, Google Chrome or Android devices.

The breakdown of resources will probably look something like this.

You can see the two biggest departments in IT are really "change management" and "integrations and development".

Anyway this is what I think. I'd love to hear feedback on what others think.