Abstract: Cloud computing is when you use a computer attached to the internet that is owned by someone else. The term “the cloud” comes from computer network diagrams that depicted the Internet as a vast cloud.
Intro What is Cloud computing?
Chapter 1 Preamble
Chapter 2 Companies with only 1 employee
Chapter 3 Strategy and Planning
Chapter 4 What should I buy
Chapter 5 Backups and backup strategies
Chapter 6 Companies with only 2+ employees
Chapter 7 Moving from a Startup to an Enterprise
Chapter 8 Security and Privacy
Chapter 9 Governance
Introduction – What is Cloud computing?
Cloud computing is when you use a computer attached to the internet that is owned by someone else. The term “the cloud” comes from computer network diagrams that depicted the Internet as a vast cloud.
For users, cloud computing arrangements can bring about major cost reductions and efficiencies. A computer “in the cloud” is just a computer attached to the internet that is set up for a special purpose. These purposes include things like:
- Providing on-demand computer power to run your own programs – e.g. amazon, google, azure, etc.
- Providing online storage to keep all of your files, programs, pictures, etc.
- Providing access to online programs that you can use from where ever you are – e.g. office 365, email, salesforce.com, etc.
- Providing you with the ability to easily share and collaborate on documents, presentations, and files.
- Providing a service that you would previously have had to purchase your own equipment – e.g. online telephone systems, eFax, etc.
- Providing a development environment to test and develop your applications
- Providing backup services to keep a copy of your documents and files offsite
For most startup ventures, using the cloud is your most cost-effective choice. By putting your application in the cloud, you do not have to worry about buying and maintaining your own computer servers. This is a key point. In the cloud, the cloud provider has already purchased the computers and is selling you a portion of the server based on what you use each month. They also have hired systems engineers who keep those computers running and handle any computer or network problems. As you grow you can buy more and more computers, storage, and bandwidth from the cloud vendor. This is and will be significantly cheaper to you until you grow to a size where you can hire people, buy computers, and maintain a full time high speed link to the internet.
Types of Cloud Computing Services
The examples of the services above are sometimes categorized as to the type of service. This is not important, but I am including this for completeness of the discussion. Cloud computing service types include:
Software as a Service (SaaS)
The most common and widely known type of cloud computing. SaaS applications provide the function of the software that would normally have been installed and run on the user’s desktop. With SaaS, however, the application is stored on the cloud computing service provider’s servers and run through the user’s web browser over the Internet. Examples of SaaS include: Gmail, Google Apps, and Salesforce.
Platform as a Service (PaaS)
This provides a place for developers to develop and publish new web applications stored on the servers of the PaaS provider. Customers use the Internet to access the platform and create applications using the PaaS provider’s API, web portal, or gateway software. Examples of PaaS include: Saleforce’s Force.com, Google App Engine.
Infrastructure as a Service (LaaS)
This eliminates the need for customers to have their own data centers. IaaS providers sell customers access to storage space, servers, and Internet connections. The LaaS provider owns and maintains the hardware and customers rent space according to their needs. An example of LaaS is Amazon Web Services.
Another way to look at the types of Cloud Computing Service
The examples of the services above are sometimes categorized by whether the service is private or shared. Small companies will almost always go with public cloud service as it is the most flexible and cheapest cost. Once you have a large organization you can determine if private or hybrid cloud services make sense. Cloud computing service types include:
Public Cloud, lowest cost
Public cloud is a way contract IT resources on demand, without having to maintain too many infrastructure components, applications or development resources in-house. In this scenario you also get the support and security that is provided to everyone who uses the service. So be careful to select a vendor who provides the services you need. Cheaper is not always better.
Private Cloud, higher costs
In private cloud, your services and infrastructure are maintained on a private network. This gives you full control but requires that you know what to select. You have to purchase the software, infrastructure and high cost of management but it will be for your exclusive use.
Hybrid Cloud, most options, requires the most knowledge
With the hybrid cloud, you can have a combination of both public and private services. For example, you could host your public facing website within a public cloud and your internal systems on a private cloud. But this requires you have the most knowledge to set it up properly but it can cost less than only maintaining a private cloud.
I hope this helps and doesn’t make you more confused. BUT, If you have any questions or need more detail, please feel free to reach out to me Greg@Taffet.org
Chapter 1 – Preamble
There is a big marketing push to put everything in the “Cloud”. This is a big decision for a startup company. There are many reasons to use the cloud and many not to. I will be focusing on whether it is appropriate to put your computer servers in the cloud. I will give simple guidance, which is my opinion on the pros and cons of using the cloud. There is no right answer. It depends on many factors including but not limited to:
- The type of company
- The size of the company
- Your finances
- Your location
- Your technology knowledge
- Governance requirements
- Security requirements
- Your time
- Your risk tolerance
- Your rate of growth
- Specific business drivers, needs, and goals
There are many other factors, for some companies the other factors may be more of a concern than the ones I have listed but for most startups, you will find that one or two of these factors far outweighs the others.
And if you have been around for a while you know that there is one other factor which is:
What technology is available for you to use.
Over time technology changes which swings the decision pendulum from one extreme to the other. The current cloud is just a new version of what used to be called “timesharing” many years ago. The underlying technology of the cloud is very different from the technology of timesharing but the business decision you need to make does not depend on what technology the vendors use behind the scenes.
Some of the reasons to go with the cloud could be:
- Reduced costs
- Anytime, anywhere access
- Better collaboration
- Greater scalability
- Faster deployment
- Environmental friendliness
- Improved security
You should look at each of these factors and determine if it is appropriate for you.
This can and should be a very simple decision for any startup business. Read the following chapters on different segments of a startup company’s life cycle and how these may and should affect your decision.
I would also like to make this very interactive so please send me your scenarios to help me target these blogs to your needs.
But always remember: The benefits for migrating workloads to cloud must outweigh the costs and risks of doing so.
Note: many companies that have moved their apps to the cloud have moved some back on-prem because they did not fully understand the full impact of using the cloud!
Note2: While this document is specifically targeted to using the cloud, most of the content is also appropriate for determining what you should do if you want to keep your systems onsite. Sometimes people talk about Multi-Cloud. This is using more than one cloud service provider to host your applications. At this point you should primarily look at using only one cloud vendor but if there is a good reason to use multiple vendors do not shy away from doing so.
Chapter 2 – Companies with only 1 employee
Let’s talk about what is critical at this stage
- Do you need a website?
- Do you need a computer?
- Do you need to use the Cloud?
Where should you spend your money?
Do you Need a website?
If you are a company, that is marketing a retail product to consumers, you probably need a website. The concern here is whether your customers will be using the internet to find your product. If you are selling to local people in a storefront, a website might not be necessary. But assuming you want to sell to a larger market, a simple single-page placeholder site that gives an overview of your company and how to contact you should be sufficient initially. You can invest more into the website later, as the company grows.
If you are not in the retail space you may or may not need a website. But you should probably pick a URL for your company and reserve it whether or not you put up a website.
Do you need a computer?
Let’s assume this is not a stupid question since you must be using a computer of some sort to get access to this site. Does the question then become how powerful a computer do you need? Should you buy one or lease one. But you have options if you just need a machine to do email, web research (surfing), and some word processing and spreadsheet work. You have many options from tablets, Chromebooks, and even possibly using a cell phone (but only if your eyesight is better than mine). The biggest mistake I see people making is buying a screen that is too small and hard to use or buying a screen that is too large and too heavy to carry. What is the battery life that you need? This may be the overriding constraint in the consideration of the machine you will buy.
But the single most important constraint on what computer you need is what do you need to do with it?
I will go out on a limb here and say if you are reading this then you can and should get an email address on Google or Microsoft and use their word processing, spreadsheet, email, calendar, contact, etc. applications. You should seriously consider these applications before you buy any other software. They are free to most people and will do almost anything a small startup company needs. If you are a specialized company that needs other functions or software these may still suffice and save you money, so you can spend it in your area of specialization.
The MOST important thing you must do now is BACK UP your files! Just putting them on the cloud does not make them safe! What if you accidentally delete a critical document? Make sure you backup. Let me repeat that – BACK UP is critical. You can pay for a service. Or the simplest, cheapest way is to keep a copy on the cloud and a copy locally with you on a thumb drive. But if you are running a business that collects the information you will need a backup strategy that I will focus on in the future.
Do you need to set up a server? In the cloud or locally?
Unless there is an unusual situation, you do not need to think about a server now. This is the simplest decision. Until your business gets a lot larger or you have a specific computational requirement a server is not something you should be considering at this time.
However, if you are a technology company that is developing an app or a software program you will have other considerations.
- If you are developing an app or software program, is it just downloaded and run by the end-user?
- Is it going to collect information and be used by other people (e.g. collecting medical information to help in diagnosis, etc.)? if so a server may be in your immediate future.
Chapter 3 – Strategy and Planning
Before I continue with how to select a cloud-based system we have to stop and discuss a topic people want to avoid
What Is my exit strategy?
While this is not something you want to think about, it is critical to do it before you make a selection. The reasons you may want to exit your cloud vendor are numerous but a few of the top ones are:
- The vendor changed their pricing
- You want to move to a new strategy
- They don’t offer a function you require
- You outgrow the current vendor
But even if this is not your reason you need to think about what you will do when, not if, you want to change cloud vendors.
- Can you just walk away and start with a new vendor?
- Do you have a copy of all of your documents, and data?
- Can you just do a move in one step or do you need a transition plan?
- Are there any special services provided by the cloud vendor that is critical to be replaced?
- Are there any special applications provided by the cloud vendor that is critical to be replaced?
Make a list of the key concerns you have and what you will need to do to move away from your current vendor. Can you negotiate key points upfront before you start? Can your business survive a move?
A special note: While most cloud companies do not charge for data being loaded to the cloud. Most companies charge for data taken from the cloud, or even moved to a different region in the same cloud. That means when you copy data from the original location to the cloud the vendor does not charge you. But if you are copying data from the cloud to another source (e.g. backing up, downloading to a spreadsheet, etc) they charge you for all the data you copy. Buyer beware!!
What Is my startup strategy?
- Can you make these decisions on the points in this paper on your own?
- Do you need third party support to determine the right choice?
- After you choose the proper vendor, can you set up everything yourself, what setup will the vendor provide, what do you need to get help with?
- Do you need help migrating an existing app to the cloud or do you start from scratch.
What Is my general strategy?
- Do you need a Service Level Agreements (SLAs)
- What security architecture is required
- What level of data access and flow is needed
- Consider migration paths required by different workloads
- Are there any data replication requirements
- Do you have a full financial model for workloads moved to the cloud?
- Can you manage the risk factors of the move to the cloud?
Can you protect yourself from a single point of failure?
In an on-premises data center, that might mean backup copies stored locally on disk or in the cloud, or, offline backup tape. The opposite may be true for the cloud that you would store a copy locally on your premises.
Chapter 4 – What should I buy?
For most startup ventures, using the cloud is your most cost-effective choice. By putting your application in the cloud, you do not have to worry about buying and maintaining your own computer servers. This is a key point. In the cloud, the cloud provider has already purchased the computers and is selling you a portion of the server based on what you use each month. They also have hired systems engineers who keep those computers running and handle any computer or network problems. As you grow you can buy more and more computers, storage, and bandwidth from the cloud vendor. This is and will be significantly cheaper for you until you grow to where you can hire people, buy computers, and maintain a full-time high-speed link to the internet.
Do a workload assessment
Determine the resources required to support each application such as compute, network, and storage. If you have an application with a web instance, a database, and a business logic layer you might need different sized resources for each layer. Can the components be separated, sized, and perform better than if they are all on the same platform?
If you have multiple applications do this for each application. Then look if there are synergies between the apps (e.g. can several apps share the same database server, etc.)
What are your uptime requirements?
What level of resilience do you need? Resilience is the level of fault tolerance built into the data center. How many things have to fail to cause a problem that you will notice? Are your applications running on systems with redundant hardware and failover components? Can you tolerate 1 second of downtime, 1 minute, 1 hour, or 1 day?? The more resilient the configuration the more it will cost with the expectation of higher uptime. Note I did not say guarantee, the more resilient the lower the risk but you can never expect a guarantee, and there is only a penalty if they don’t meet their SLA.
Chapter 5 – Backups and backup strategies
Even though you put your information in a safe cloud, you still have to backup.
To determine what and when to backup you need to consider your RTO and RPO
- RTO is your Recovery Time Objective. This is the targeted duration of time within which a business process must be restored (for example, within 24 hours)
- RPO is your Recovery Point Objective. It refers to the amount of data at risk, meaning the amount of data that could potentially be lost. (for example, an RPO of 15 minutes, means that a maximum of 15 minutes would pass between a backup and a disastrous event)
Note: the shorter, stricter your RTO/RPO goals are the more you will pay.
Many hosting companies backup their systems on fixed intervals for their protection (e.g. once a day at midnight). But this may not give you a viable recovery of a day’s work if your processes finish at 1 am. The hosting provider may also keep the backups for only 30 days. Is that sufficient for your business? Will it satisfy all regulatory and auditing requirements?
Consider what you need to save for a day, a week, a year, and forever. Create a backup schedule to match your needs.
Also, consider if you need to take a “snapshot” of a particular set of data at a specific time. Do you need a snapshot of your financial data as the last step of a month-end close process?
Chapter 6 – Companies with only 2+ employees
More to come…
Chapter 7 – Moving from a Startup to an Enterprise
This is simple. Everything has changed and nothing has changed. Reread this whole e-book and check what you need to do differently now.
Chapter 8 -Security and Privacy
Unless specifically stated to the contrary a cloud service provider does NOT provide:
- Data privacy
- Data protection
- Regulatory compliance
What are your potential security, governance, and compliance risks or requirements? Do you need to comply with CJIS HIPAA, HITECH, PCI, SOC, and/or SSAE16, etc.? If so you need to choose a vendor that explicitly says they conform to the specific security protocol that you require.
- CJIS – Criminal justice Information Services
- HIPAA – Health Insurance Portability and Accountability Act
- HITECH – Health Information Technology for Economic and Clinical Health Act
- SOC – Sarbanes Oxley
Some questions to ask in these areas might include:
- Should my applications or data live in only one cloud or multiple clouds?
- Should I have 1 path or multiple paths to get to my application and data?
- Should my data live in the cloud or on prem?
- What happens if the provider or internet has an outage?
- What levels of encryption are needed in the application and when I send data back and forth?
- Who has access to my data?
- Are different applications appropriately separated and protected?
- Do different applications have access procedures and processes with separate user logins and passwords, to prevent unwanted or accidental access to important information?
Security and privacy is your responsibility. It is NOT the responsibility of the service provider! The service provider only provides you a platform to operate they do NOT handle data privacy, regulatory compliance, data protection, guarantees against outages, nor provide backups. They may have addon services that you can buy for extra cost for some or all of these services, but they are not included in the base price of the service. Let me repeat at this time that the service provider provides 3 resources: compute power, storage, and network. NOTHING ELSE unless you pay extra for it. And even then, you have to determine if it is the right level for your company.
Three areas you should pay attention to:
- How many people have admin rights to manage your app? Is it the right people?
- Do you have a process for disabling users who should no longer have access to the application? Many companies do not disable access timely for former employees
- Do only the right people have access to the right data. Due to the sheer power of many apps, users give access to people who should not have access.
Chapter 9 – Governance
You must consider the governance required and ensure that the IT governance processes and policies are inclusive of your use of the cloud. This includes privacy, security, reliability, suitability, monitoring, and determining who is responsible for managing the cloud environment. Just because you moved the application to the cloud, it does not mean you have discharged your responsibility to manage that it is being governed properly!
Make sure you document your processes and procedures and then make sure you follow them.
Appendix 1 – Major providers of Cloud services
As of 2018 the following is a list of the major providers of cloud services:
- AWS – Amazon
- Azure – Microsoft
- Google Cloud – Google
- IBM Cloud – IBM
- VMware Cloud – Dell
- Oracle Cloud – Oracle
- Your local or regional provider – Multiple