Buyer Beware—Which Rules Still Apply in the Cloud?

“Caveat emptor” is Latin for “Let the buyer beware.” In the realm of the modern information technology cloud, this sage advice rings especially true.

As organizations migrate increasingly higher percentages of their critical infrastructure into the cloud, it is essential that IT professionals understand the convoluted labyrinth of software licensing. They must understand what they are getting, what they are not getting, what they are responsible for, what the cloud provider is responsible for, and who is paying for the many licenses they will inevitably need.

A few years ago in the far reaches of the dataverse, the term “galaxy licensing” emerged. This dripping sarcasm was directed at a well-known software vendor that claimed it was owed licensing fees for any server on which its software could potentially run, at any time or in any place. To this mega-vendor, it did not matter whether its software had ever run on the particular server in the cluster, the data center, or even on the continent. If those servers were somehow loosely connected, as in the case of a shared storage array, this vendor claimed it should be paid a license fee for every server that touched that array. The premise was obviously absurd, but the mindset was pervasive. Extend this philosophy of entitlement to its ultimate conclusion in the new world of “the Internet of Things”: isn’t everything somehow connected to everything else? Now imagine what would happen today if this vendor demanded an audit and some of your infrastructure were in the cloud.

Experience has taught us that when dealing with licensing issues, it is important to always consult the contract to determine your obligations. Every vendor is entitled to be paid for the software it created, on the terms set out in the contract between vendor and customer. Not all vendors are equal, however, when it comes to their approach to cloud-based licensing: some count cores or instances the customer actually runs, others count what the customer could run. Make sure you are properly licensed in the cloud, and keep the evidence (contract terms, inventory of where the software runs, license counts) on hand, or it could create an unpleasant experience if auditors show up at the door.

Shared Responsibility

Compliance is a hot topic these days. Each industry has unique compliance and regulatory requirements, including HIPAA, PCI, SOX, and others. It is important to understand the particular compliance expertise each cloud vendor brings to the table to help you achieve, maintain, and stay apprised of your ever-evolving regulatory requirements.

As operations in this modern environment evolve, it is easy for changes to be made that subtly invalidate the environment from a compliance perspective. For example, consider a situation in which someone on your staff or the vendor’s staff opens TCP port 80 (plaintext HTTP) to the internet on a system in a PCI-scoped environment. Nothing breaks, no alarm sounds, but the environment may no longer be in compliance, and nobody will know until the next assessment or the next breach. It is axiomatic from the perspective of overall IT security and compliance that maintaining required standards is a shared responsibility: the provider controls some of the change paths and you control others, and both sides need a way to detect drift from the approved state.

Here are some important questions to consider:

  • What are the vendor’s change management processes?
  • What is the vendor’s ability to audit the environment to ensure changes have not been made that invalidate the compliance requirements?
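
As an added example, not from the article and not any vendor’s tooling, the following Python script shows the kind of check the second question is asking about: it diffs today’s ingress rules against the baseline that was reviewed when the environment was certified, and flags any rule that admits a plaintext service such as HTTP on tcp/80 from outside RFC 1918 address space. The rule format, the sample rule sets and the list of plaintext services are assumptions for illustration; a real check would pull the live rules from the provider’s API and the baseline from version control, and would run on a schedule rather than once.

```python
"""Drift and plaintext-exposure check for a PCI-scoped network segment.

Added example (constructed for illustration): compares the ingress rules as
they exist today against the baseline reviewed at certification time, and
reports any rule that lets an unencrypted service in from a public source.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# RFC 1918 ranges; anything outside these is treated as "public" here.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed list of services that carry data in the clear. Exposing any of these
# from a public network on a cardholder-data system is what we want to catch.
PLAINTEXT_SERVICES = {80: "http", 21: "ftp", 23: "telnet"}


@dataclass(frozen=True, order=True)
class IngressRule:
    """One inbound rule: protocol, inclusive port range, and admitted source CIDR."""
    proto: str
    port_from: int
    port_to: int
    source: str

    def covers(self, port: int) -> bool:
        """True if this TCP rule admits traffic to `port`."""
        return self.proto == "tcp" and self.port_from <= port <= self.port_to


def is_internal(cidr: str) -> bool:
    """True if the whole CIDR lies inside an RFC 1918 range."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def compliance_findings(rules) -> list:
    """One finding per (rule, plaintext service) pair reachable from a public source."""
    findings = []
    for rule in rules:
        if is_internal(rule.source):
            continue  # internal sources are out of scope for this particular check
        for port, name in PLAINTEXT_SERVICES.items():
            if rule.covers(port):
                findings.append(
                    f"{name} (tcp/{port}) reachable from {rule.source} "
                    f"via rule {rule.proto}/{rule.port_from}-{rule.port_to}"
                )
    return findings


def drift(baseline, current):
    """Return (added, removed): rules present now but not at certification, and vice versa."""
    base, cur = set(baseline), set(current)
    return sorted(cur - base), sorted(base - cur)


# Constructed sample data: the rule set reviewed at certification time ...
BASELINE = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS to the public
    IngressRule("tcp", 22, 22, "10.20.0.0/16"),     # SSH from the admin subnet
    IngressRule("tcp", 5432, 5432, "10.20.30.0/24"),  # database from app tier only
]
# ... and the rule set as it stands today, after someone "opened port 80".
CURRENT = BASELINE + [IngressRule("tcp", 80, 80, "0.0.0.0/0")]


def report(baseline, current) -> dict:
    """Bundle drift and exposure results so a scheduler or ticketing hook can act on them."""
    added, removed = drift(baseline, current)
    return {"added": added, "removed": removed, "findings": compliance_findings(current)}


if __name__ == "__main__":
    result = report(BASELINE, CURRENT)
    for rule in result["added"]:
        print(f"ADDED since baseline:   {rule}")
    for rule in result["removed"]:
        print(f"REMOVED since baseline: {rule}")
    for finding in result["findings"]:
        print(f"FINDING: {finding}")
```

Run against the constructed data, the script reports one added rule and one finding (HTTP reachable from 0.0.0.0/0). The two checks are deliberately separate: drift tells you that something changed without going through change management, while the exposure check tells you whether the current state violates policy regardless of how it got there. A change that removes a baseline rule is reported too, since silently dropping a restriction is just as much a change-management failure as adding a permissive one.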


As an organization increasingly utilizes cloud architectures for critical applications and databases, and as more important workloads are moved to the cloud, security considerations are top of mind for every executive. It is necessary to establish which security components are included with a particular cloud infrastructure service, which additional security options and features are available from the vendor, and which controls remain yours to build and operate. It is also important to accept the inevitability that your security system will eventually be breached. We refer to this as “being hacked.”

Let us say that again: It is just a matter of time until you get hacked.

It is critical that your chosen cloud infrastructure provider has a sophisticated and up-to-date security framework as well as a strong security team. Ask the vendor about its incident response plan for a future breach: who gets notified, how quickly, and what evidence and logs you will be given. Ask about its relationships with law enforcement, including the FBI. Don’t wait for an impending crisis to ask these questions.

Important attributes for the cloud provider to offer include simple but classic rules of thumb such as “log everything” and “encrypt everything important.” In practice that means comprehensive, well-organized logs that the individual customer can access and retain on its own terms, and encryption for data at rest and in transit that the customer can actually turn on for its workloads. If the provider cannot give you the logs, or if advanced encryption features are not available, then shopping for a new cloud provider is advisable.

Unified Cloud

To quote a statement that was made at a recent conference “AWS [Amazon Web Services] is bigger than the next four cloud infrastructure providers in total.” Anyone ever served by an airport that has only one or two airlines knows firsthand the dangers of vendor domination in a market segment. In the airport example, the plane ticket always seems to cost twice as much and the quality of the service always seems to diminish precipitously.

Adopting a vendor that offers a “unified cloud” solution is the best defense against vendor domination or “lock-in.” A unified cloud integrates private and public cloud deployments, providing users with a centralized way to manage it all.

This implies that a customer working with a vendor who offers a unified cloud solution can consider a given workload—and place that application and workload on the most appropriate platform—at the right time and in a safe, secure manner. The customer might have certain workloads on Amazon AWS, and others on Microsoft Azure, but the most critical workloads on a private cloud. Cloud service providers that offer a unified cloud approach put the pieces of the infrastructure puzzle together in the way that best supports customers in the most efficient manner with “one throat to choke” and one place to manage it all. If the cloud vendors you are considering haven’t moved to this model, it may be prudent to continue the search.

Stamps of Approval

When business is transacted with any vendor, it’s always important to ascertain its capabilities. Not all vendors are created equal. There are a number of third parties that can help validate whether you are doing business with a quality vendor. Examples of third-party accreditations and attestations you should look for include:

  • MSP/Cloud Verify from MSP Alliance
  • SSAE 16 (formerly SAS 70) service organization reports
  • Attestation of PCI Compliance
  • Attestation of Security

Look at the organization that provides the certification and the steps it takes to obtain the certification. Make sure it’s more than just sending in a fee and answering some questions. Yes, there are certifications available that require nothing more than paying a fee and filling out a form, but always remember the adage “Buyer beware.” It is essential that a third party validates the quality of the services that the cloud vendor provides. The “MSP/Cloud Verify” from the MSP Alliance is an excellent example of a certification that has value.

When examining the reports the vendor provides from the certification process, always pay special attention to the exceptions and qualifications the assessor noted, and to what the vendor did about them. No organization is perfect, but what you are looking for is an organization that is taking steps to maintain the quality of service.

The New Standard/Paradigm

There are many compelling reasons for organizations to adopt cloud computing as the new norm. Any organization that survived Hurricane Sandy on the East Coast or Hurricane Katrina in New Orleans understands the power of the cloud.

Quite simply, those organizations that adopt cloud infrastructures and face calamities are better insulated from the negative effects of those disasters. Intelligently adopting a cloud paradigm will provide your organization with a degree of flexibility and agility that was impossible 10 years ago. The question no longer is whether you should move toward the cloud, but when and with whom.



Subscribe to Big Data Quarterly E-Edition