Wednesday, February 15, 2012

Thinking about going cloud? Have you asked these questions?

We use a lot of cloud applications and recently started asking a lot of questions. Frankly, not all cloud applications or vendors are created equal, and spending some time understanding what they really do can help avoid a disaster later.

This is the list of questions we ask. We send this list out and then do an hour or so phone call to review the answers with the vendors. We then use these answers to rank them in a weighted spreadsheet to help us make our decision. We also add in things like company relationship, user testing etc, but those aren't really things we ask the vendors about.

Anyway here is the list. I'd love feedback on what others ask.



Disaster Recovery and Business Continuity
Do you have redundant sites designed for auto-failover?

How long does it take for the redundant site to take over?

Does this include the time to decide to fail over?

What kind of RTO/RPO are in place and are they actually tested against?

Do you have geographic redundancy?

Can you restore accidentally deleted or corrupted data? How far back can you restore from?

What impact does a failed HD, server, cabinet, switch, data center have?

E-discovery
Is it possible?

Can we do legal holds by user, file, keyword?

Can we get access to “access logs” in the event we need to?

If so how far back can we get?

What does it show us?

Can we see who our users are sharing with?

If so can we easily remove access from an enterprise level?

Stability
Do you have a site like trust.salesforce.com for transparent operations?  

Is it automatically updated with outages or performance alerts?

Is code/data in escrow? If so how often does it get updated?

What is the migrate out plan like?

Can we request a backup of our data including any customizations?


Company financials
Are you private or publicly owned?

Are you cash flow positive? If not what is the cash burn rate and reserve?

Are you adding new customers? How many?

Do you track your NPS (Net Promoter Score)?


Authentication
Do you support automatic provisioning and de-provisioning of user accounts?

Do you support LDAP, RADIUS or even better SAML authentication and authorization back to us?

Do you use encryption? If so is it for data in flight, at rest or both? What kind of encryption is it?

Compliance and Privacy
Do we get notified of an investigation?

Can our data be seized as part of another company's investigation?

Is our data recoverable by your organization? 



Do you have an SSAE16 or ISAE3402?


Are we allowed to have our third party auditors (or internal auditors) audit your organization?

Contract
Please attach a copy of our master services agreement, terms and conditions or other contracts that we are using.

If you get bought by a competitor can I get my data out and go?

Are there financial penalties for service level agreement failure?

Are maximum increases baked in?

How much notice do you need to give us to terminate?

How much notice do we need to give them if we want to leave?

Does the contract auto-renew? If so what are the terms?


Performance
Are you globally load balanced? If so explain.

Do you use Akamai or other CDN for better performance?

Who do you use for WAN connectivity?

Do you offer “offline” ability? If so, is it automatic, or does the user need to know that they will be offline and plan accordingly?


Development
Do you offer built-in integration tools to existing systems like SAP, salesforce.com, etc.?

If not, how hard is it to build them?

What toolset is used for “custom development”?

Support
Are you staffed 24/7?

Can we proactively request assistance if we are doing something off hours?

Is it onsite, email, phone, web or all?

What sort of response time is available?

What is the average tenure of the tier1 staff?

Is there a public knowledgebase available? Is it the same as the internal one or is it filtered?

Can anyone from Enterasys call, or do we only get a certain amount of “authorized users”?

Architecture
How quickly do new features show up?

Do we need to do anything or do we “magically” get them?

How much notice do we get for training users?

Is the system a true multitenant system?

Do you support multiple clients, like iPhone, Android, BlackBerry as well as tablets?

Is it strictly HTML5/browser based? If so which browsers and versions are supported?

Administration
Does the system support delegated administration?

How easy is it to automate tasks?

Can we apply roles to groups?

Do we get visibility into what is shared outside of the company, or what access has been granted to third party applications?

Can we enforce enterprise wide restrictions?

Monday, February 6, 2012

What will IT organizations look like in 2016

If you have been reading this blog or following me on twitter you know I'm a big believer in cloud and consumerization of IT. In the next few years I expect Google's vision of 100% web to be the norm. Users will be able to use any device to access their data with or without IT's help.

So what does this mean for IT organizations, and how should we structure ourselves to be relevant in this new, and frankly for some people, scary new world?

I think of IT as several groups today. There is the most important group, the service desk (or helpdesk). This is the most important group since it is the "face of IT". Frankly, if you have a great service desk it can really help hide other issues which, if you as a CIO are paying attention, you can fix before they get you in trouble.

Typically then there is either a split with Applications and Operations, or Maintenance and New Projects. Sometimes there is a third group that covers more of running IT as a business type stuff, like service management, financial management, customer relationship managers etc.

In the future though most of the operations will be done by cloud providers. Even now, I hardly ever get involved in any salesforce.com issues. Partly because we don't really have any issues, but if we did it would be to verify connectivity through the Internet to their data center. Beyond that it's a contracts issue.

If we move to Google Apps, which is pretty likely, our email and storage service goes the same way. What changes, though, is the pace of innovation. We will really need people focused on discovering pain points, and solutions to resolve them, before users can find the solution and implement it on their own.

Dan Petlon tells the story about when he decided social media was important. The short version is that he read an article about the relevance of the CIO and the quote was "How can you expect to remain relevant when your CEO has to learn about Facebook - the most successful application ever, from his 12 year old daughter."

I want to make sure that IT knows about and understands the next Facebook before the CEO's daughter tells him about it. To do this I think a dedicated group is needed to ensure that we hear about new technology and also encourage adoption of it. This "Change Management" group fills that role. This is a huge shift, but with Google alone releasing 200+ new features a year, making sure that the users understand the features and can leverage them is going to be the difference between the good companies and the dead companies.

Development also changes. Many of the cool features in a cloud environment are really integrations between various existing cloud applications. Also, many times simple applications will be able to be done by power users, assuming the change management team does a good job training on the new tools, so that should free hard core developers up to really work on integrating and making an excellent user experience. Things like single sign on, consistent look and feel etc. will be table stakes for new applications.

Finally, the contracts and vendor management piece gains importance since so much depends on vendors providing what they promise. Infrastructure really will become the network and Internet connectivity to allow users to get to the cloud. Clients will be whatever the end user likes and will likely be purchased and supported from the vendor, whether that be Apple iPads, Google Chrome or Android devices.

The breakdown of resources will probably look something like this.

You can see the two biggest departments in IT are really "change management" and "integrations and development".

Anyway this is what I think. I'd love to hear feedback on what others think.

Sunday, January 8, 2012

Nice customer service story

I, like most of us, am pretty used to bad customer service. I mean the number of times I've been delighted is much less than the amount of times I've walked away frustrated by the lack of caring.

But I was pleasantly surprised by VW of America. They had sent me a recall a month or so ago for a fuel line issue. Now I wasn't really annoyed or even fazed by this. Everyone has recalls and I knew I'd just schedule time to get it done. No big deal.

But VW did something that really shows great customer service: they actually sent a $50 gift card to their customers to make up for the inconvenience. In it they apologize for the problem, re-iterate their desire to avoid repeating the problem in the future, and for the paranoid in all of us, explain there are no strings attached.

We all make mistakes, but great companies not only fix them and apologize for them, but make it right for the customers. Great job, VW!

Wednesday, January 4, 2012

Employee privacy and corporate liability...

I just read this blog post from @CesareGarlati:

http://bringyourownit.com/2011/12/19/consumerization-101-employee-privacy-vs-corporate-liability-2/

It's a great, thought provoking post. Here's my take on it, for what it's worth. Also thanks to my friend Mark Townsend for pointing me to the blog. Lots of great stuff.

If you are too lazy to read the above, basically a company wiped a user's iPhone that was connected to the corporate email system. She had signed an acceptable use policy but it had a picture of her son that had just passed away from cancer. She sued and collected 5M...

Cesare asked about that, as well as the company's right to track location and what the company should do about questionable content...

We tell people that if they want to use their personal device to get their corporate email, they need to be aware that we have the right to wipe. If you don't like it, we will get you a corporate device.... but... not sure that this will protect us since in this case, she had signed an AUP, which I assume had the same sort of language in it that we use in ours. Which basically says, if you connect it to us you give us the right to wipe all data off of it.

Now I feel bad about it, but if she had lost the photo because she dropped the iPhone would she have sued Apple? Would the building owner be responsible for having too hard of a floor? Would the flooring people be responsible? At some point people need to be responsible for backing up data that they want to keep. I mean she had the picture for a few weeks...

Regarding tracking location. If you don't want the company to do that, don't use it to connect to corporate, turn it off, or leave it on your desk. After all we aren't tracking the user, we are tracking a device that is accessing corporate resources. Is that much different than tracking IPs on a website? Other than the granularity I would say no...

As far as accessing questionable websites while at work. I would say if it was done using the corporate LAN (or WLAN) the company has the right to monitor. If on your personal cell phone plan then no. My network, my rules. IMHO

The trickier piece is if we let you bring your device to work and it already has questionable, or even illegal, content on it (piracy, inappropriate etc), is the company liable? Do we have the right or obligation to report it if we see it? We had a case many years ago where a field guy sent his laptop in for repair and it had illegal files on it. Our policy was not to look, but if we saw something illegal to report it. Clear enough if it is a company owned machine, but if it's not what should we do??? I mean if someone has a bag of pot in their car in our parking lot are we liable?

Tricky issues and while I think my answers make sense, that doesn't mean the law will agree. I would not want to be the test case...





Thursday, December 15, 2011

Collateral damage of the browser wars

Is it just me, or is it starting to become a real pain to use web applications? I mean they are great, and I love the idea of 100% web, but it seems like I need 3 or 4 browsers to be able to use all of my apps.

Some work fine in IE but not Chrome, others only work in Firefox. Then some only work in Chrome. So if I want to use Okta to get into ADP, I need to use IE. But if I want to get my email, Chrome works better.

What would be cool, I mean besides all applications working in all browsers, would be a way to track which sites get opened with which browser and automatically start the right one when I click on the URL. Microsoft sort of does this with their application virtualization stuff. At least in the demo it knew to open site A in IE6 and site B in IE9.

It just seems way too confusing to me. I can only imagine what our users must think when we have to say things like "Open your email with Google Chrome, unless it's encrypted then use Firefox, but if you follow a link to SharePoint you need to use Internet Explorer".

I'm hoping, though not very optimistic, that HTML5 will fix this. Anyone find any cool tools that make this better? If so I'd love to hear about them.

Monday, October 17, 2011

LinkedIn > Monster

I'm actually working on a social media class for our employees on LinkedIn. We've already done classes on salesforce.com Chatter, and Twitter so LinkedIn is next.

Facebook is on the list as well but frankly I haven't figured out what to talk about with Facebook yet, and am still of the mindset that Facebook is more personal than professional. I think that's me being old fashioned, but hey, if someone else wants to do the Facebook class, they are more than welcome to. The last thing I really need is the whole company to see my prom picture from 1985. For those that have seen it I'm sticking to my story that it was a cool look back then.

OK but back to LinkedIn. When I mentioned I was thinking about doing the class, someone said "Why? Do you want people to find other jobs?". Which of course made me realize that the impression about LinkedIn is that's where you post when you are looking for a new job.

Now LinkedIn is a great place to network, and if you are looking for a new job networking is a great way to help with that. Networking though is only a piece of the puzzle when job hunting and since I'm not writing this post to help people find jobs I'll leave it alone, maybe another post later.

The reality though is LinkedIn is way more than a job board. It has a whole section on company, including what products they sell, recommendations from your connections, research on employees - like which schools people went to, what type of degrees they received, and how much experience they have as shown below.

Pretty cool right. Does it matter that 52% of our employees have 15+ years experience? Yeah, it does. There is a big difference between getting someone with 15 years experience helping you troubleshoot a network issue when you first call in for assistance, and getting someone with 6 months experience who will gladly take your contract info and have someone call you back.

You can also see news headlines that you care about and search for new connections (great if you are in sales). I can give recommendations to people I know (which I really need to do more of) and keep in touch as people move around.

My favorite section though is groups. There are groups on practically everything. Some groups are very good, some not so good. I have found them to be incredibly useful though when looking for new technology or even just new ways of working, like Agile programming or Scrum project management. Generally if you are struggling with an issue, there is probably a group that can help solve it. If not solve it, they can at least sympathize with you.

There are a host of other interesting applications, like slideshare.net or Twitter integration. You can link to Amazon so people can see what you are reading, or, and I just found this, you can link blogs right into your LinkedIn profile and see what your connections are blogging about. Not sure how cool this will be, but it sounds cool and based on the 90 second analysis I just did, it is pretty cool.

The summary, though, is this: LinkedIn is way more than a tool to find your next job. Who knows, it may even help you keep the one you already have.

Monday, October 10, 2011

When long tenure is bad..

I'm pretty lucky, most of my staff has worked with me for 10+ years. There are some great benefits to that, like the wealth of institutional knowledge in the group, and the fact that we can eliminate a lot of bureaucracy and that frankly we work well together.

There is a dark side too, though. We are pretty spoiled with our network management toolset and don't even realize how lucky we are. Two examples came up the last week when we were talking to customers. They were really excited to see these features and frankly we were shocked that other vendors don't have them. In some cases we have had this ability for almost 20 years.

If you are a long term Enterasys customer you have probably used these features a lot too and you may also be surprised that not everyone has these.

Compass
The first one is "compass". At its simplest it lets you find a device on the network. You can locate them by MAC or IP address or if you use authentication you can find them by name. Now this is very helpful if you have a device behaving badly. You can simply type in the address and find out which switch and port it is plugged into.

Or if you have a user that calls in with an issue, you can simply search by their username. Most people know their username, very few actually know what a MAC address is and even fewer have memorized theirs. I know mine has an 8 in it, but that's as far as I remember. Being able to search on username just makes it that much easier and quicker to resolve a user's issue.

History lesson on Compass: Many years ago it would list all of the ports, including uplinks, that the device was seen on, but over time it's gotten pretty good about just showing the one port that it is physically connected to. The early prototype was a Unix shell script that required the user to manually convert the MAC address to decimal and enter it that way. It's way better now.

Third Party devices
The second "feature" is the ability to manage third party devices in our network management software. I sort of thought everyone did this but several people told me the product they are using (I didn't ask whose it was) only supported their products. To me that seems odd since SNMP has been around for a long time.

Now the fact that we can manage the entire network as one entity, whether it is wired or wireless, I can see that being unique, but being able to add something like a printer or UPS, seems pretty basic to me.

I'm glad I have these two things but honestly I've gotten so used to having them I can't imagine trying to run a network without them. I almost want to go run a competitor's network for a few weeks so I can appreciate how lucky I am.

Almost...