Cloud storage costs have plunged in recent months, and in many organizations the case for making use of it is now compelling.
There’s no shortage of cloud storage service providers to choose from, and leading services include:
Amazon S3, AT&T Synaptic Storage as a Service, Google Cloud Storage, HP Cloud Storage, IBM SoftLayer Cloud Storage, Microsoft Azure Storage and Rackspace Cloud Files
If you had looked at a similar list of cloud storage providers a few years ago, that list would also have included Nirvanix. But this pure-play cloud storage provider went out of business suddenly in 2013, leaving its customers scrambling to retrieve their data before the company shuttered its storage services for good and filed for US Chapter 11 bankruptcy.
The Nirvanix story illustrates an important fact: when it comes to cloud storage, not all providers are equal. Companies that don’t make money go out of business, so when choosing a storage service, it’s vital to pick one with demonstrably strong financial resources or a big name (like IBM or Microsoft) behind it.
But beyond financial security, there are other things that it is important to establish before choosing a cloud storage service provider. Here are ten key questions to ask:
1. How much will I end up paying per month in practice?
Many cloud storage service providers advertise a headline cost – 1c per gigabyte per month, for example. But that’s not the whole story. That’s because many providers have a sliding scale of charges depending on how much data you want to store.
To complicate things further, providers like Google and Amazon have two or three levels of storage (Standard, Reduced Redundancy and Glacier in Amazon’s case, and Standard, Durable Reduced Availability and Nearline in Google’s) all with slightly different access and redundancy characteristics, and all with different pricing.
And then there are support costs and all the extra costs that accrue as you use your data. These include charges for data requests (often priced per 1,000 or 10,000 requests), charges for data retrieval (usually from archive services) and charges for data transfers.
Transferring data into cloud storage is usually free, but transferring it to a data center operated by the storage provider in another geographical region may incur small costs. Egress from cloud storage back to your data center can be very expensive and in some circumstances can cost about ten times the monthly storage fee.
2. What SLA do you offer?
One of the most important things to look for is availability – effectively how many nines does the provider aim for in its cloud storage service level agreement (SLA). Four nines (99.99%) uptime boils down to about 50 minutes per year when your data may be unavailable.
It’s also worth finding out what compensation is offered if the provider fails to meet its availability targets as set out in the SLA – most offer service credits, which may not equate to your financial loss if your data is unavailable even for a relatively short period.
3. How likely are you to meet the terms of your SLA?
If possible try to establish the provider’s downtime history, and the causes of any outages. This should give you an idea of whether the provider is facing ongoing service problems or whether any past problems were due to some factor (such as moving to a new data center) that is unlikely to reoccur.
4. What security measures do you take to protect data?
The answer to this question should include details of the physical security of the company’s facilities, technical measures such as firewalls and access controls, and information about data encryption. Depending on the industry you are involved in, you may need the service provider to comply with PCI-DSS or FIPS 140-2 encryption standards.
One crucial piece of information concerns key management, and who has access to the encryption keys. Ideally you, as owner of the data, should be the only party that has possession of the keys.
5. Have you had a security audit in the last year?
If so, is the provider willing to share the results of the security audit?
It’s also worth asking if it has any certification such as SSAE 16, or a listing with the Cloud Security Alliance Security, Trust and Assurance Registry (STAR).
6. What is your breach history?
The previous two questions look at how secure your data might be in theory, but the answer to this question gives a better indication of how secure your data might be in practice. (It’s also possible to make the argument that a storage provider that has been breached in the past is likely to have learned some painful lessons and will therefore be more secure now than in the past.)
In any case, extra questions you should ask include what commitments they are willing to make in terms of notifying you of a breach within a specified time, what action they will take should they suffer a breach, and what plans they have in place to deal with distributed denial of service (DDoS) attacks on their data center.
7. How will my data be protected from loss?
It’s important for data stored in the cloud to be replicated to multiple locations and multiple devices, and for you to understand the extent to which this will be done.
For certain types of reproducible data, or data which is also stored in your data center, it may be acceptable to use a service that uses a lesser level of redundancy if the cost is lower.
For example, Amazon S3’s Standard and Reduced Redundancy options both store data in multiple facilities and on multiple devices, but with the lower-cost Reduced Redundancy service, data is replicated fewer times. Standard storage is designed to provide 99.999999999% durability and to sustain the concurrent loss of data in two facilities, while Reduced Redundancy is designed to provide 99.99% durability and to sustain the loss of data in a single facility.