When Creative Solutions in Healthcare, which owns 75 nursing homes in Texas, first headed to the cloud nearly five years ago, it chose a local managed service provider (MSP).
"We wanted to support a Texas business and hoped they would ride the train with us as we grew," says Shawn Wiora, CIO and chief security officer at the Fort Worth-based organization. "Unfortunately, that didn't happen."
Instead, as Creative Solutions in Healthcare grew to its present size of 6,000 employees and thousands of nursing home residents, the MSP fell behind. With an all-physical server infrastructure, it didn't have the skills to handle the virtualized environment that Wiora required to scale up back-office applications, including accounting, purchasing, business intelligence and document management systems.
Also, as Creative Solutions in Healthcare expanded, the service provider lacked the expertise and technology to assist Wiora and his team with important issues such as HIPAA compliance, data privacy and overall security in the cloud.
It became apparent that Creative Solutions in Healthcare had outgrown the MSP and needed to jump to a new cloud platform. "We still feel like we made the right decision going with the smaller player at the time, but they definitely didn't have what we know we need now," Wiora says.
After piloting but rejecting Microsoft's Azure public cloud platform — the licensing didn't work out — Wiora migrated to VMware's vCloud Air public cloud platform. "We went from a 100% physical environment to a 100% virtualized environment at a provider skilled in virtualization," he says.
A comprehensive RFP drew in 16 vendors. Wiora narrowed the field down to three and then opted for VMware.
The vendors had to show that they had proficiency in compliance and offered redundancy and access to tools for transparency, reporting and analytics. Wiora says migrating cloud-to-cloud was far easier than the initial move to the cloud, but the effort still required a team of experts on each side — not something to be taken lightly. "Support is going to be a much bigger issue for companies going forward with the cloud," he says. "You need help with migration and ongoing operations."
Wiora is far from alone. With the maturation of the cloud and the emergence of platforms that are cost-efficient and feature cutting-edge technology, many IT leaders are rethinking their initial partnerships.
Seth Robinson, senior director of technology analysis at industry trade association CompTIA, says he has observed more cloud switching of late, mainly public to public, public to private and — in some cases, for security and control — from public back to on-premises.
Seth Robinson
"Businesses are learning what it's like to be in the cloud and how to match their needs and business objectives with the available models," Robinson says. "They are starting to ask more intelligent questions and dig deeper into the provider's business."
Overall, Robinson says, "the need to examine cloud providers is very much in line with the need to examine IT shops. In both cases, the end client needs to carefully review service-level agreements to understand what the provider offers and what additional measures they may want to take for areas such as security or availability."
Signing on too quickly
When companies first started to embrace "as-a-service" computing, many did so blindly, according to Robinson. They wanted to be on the leading edge of technology and, therefore, moved quickly into contracts and environments they didn't fully understand.
For instance, cloud vendors often house systems for multiple customers within a single server environment, a practice that introduces security, reliability and performance risks. "Companies migrated their applications and data with the assumption of cloud provider security," Robinson says. But in reality, he explains, they're often given the lowest common denominator — the level of service that meets the needs of a group of customers. "If they wanted anything beyond that, they would need to bridge it either by adding services or building it themselves," he says.
Another problem faced by many early adopters was that they chose smaller providers that couldn't compete with the larger cloud vendors in terms of expertise, infrastructure updates or help desk support. "Smaller companies that identified themselves as public cloud providers were left struggling with economies of scale," Robinson says.
That's certainly what Wiora experienced with his local service provider. But Ashwin Rao, vice president of engineering at Knovation, encountered a different obstacle.
What you don't know
A Cincinnati-based education technology company, Knovation provides advanced, personalized digital learning tools to more than 32 million students and 1.2 million teachers across the U.S. Key elements of Knovation's service are its website and a MySQL database that contains all of its product and customer data.
Ashwin Rao
In 2012, Knovation decided to convert its bare-metal installation to a cloud-based platform to reduce costs and improve scalability, and to ensure that the infrastructure would be monitored for maintenance needs — patches, security updates, backups and the like. In the process, it also moved from two hosting providers to one.
Almost immediately, Rao noticed performance woes with the new setup, and his company was plagued with security problems, including a denial-of-service attack. "We were not getting the support that we needed — and that our customers deserve," says Rao. "We had to make a change to continue providing the high-quality services that our customers have come to expect in a way that wouldn't overburden our internal team."
In addition, and perhaps more significantly, the provider struggled to make Knovation's MySQL database operate properly in the cloud. "MySQL was sensitive to how VPUs [virtual processing units] operated, and virtualized servers have a different behavior that impacts synchronization and replication," Rao says. "We were in a quandary, trying all kinds of configurations to fix the various issues and couldn't get to them all."
Rao was rapidly souring on the cloud. Then he reached out to one of the hosting providers he had previously abandoned, INetU, which also supported cloud environments. After what he calls "a lot of due diligence," he decided to give the cloud another go with INetU in December 2013.
That switchover was far more strategic than the first move to the cloud, he says, and included a dedicated onboarding team with people from both parties. Rao says they identified as many risks as possible upfront and created methodical checklists to mitigate them. "We noticed weak points to address before the move and after," he says.
For instance, because of the issues with MySQL in the cloud, Rao decided to keep the database as a bare-metal installation at the new provider, and block devices were used to form high-availability clusters for replication. All other servers, including the development, staging, sandbox and production environments, were migrated into the INetU cloud.
Rao refers to this approach as a "hybrid," adding, "I'm not a purist; I just want to use things that work."
Call me, maybe
As perplexing as the technical issues were, Rao found the lack of communication from his former cloud provider infuriating. "We tried to instill the need for dialogue, but they stopped showing up," he says. "Communication needs to be built into the contract for the betterment of the relationship."
Justin Stanford, senior systems engineer at The Leukemia & Lymphoma Society (LLS), couldn't agree more, especially after enduring a bad cloud support experience.
Justin Stanford
A majority of the organization's workforce applications, including Microsoft Office 365, Cisco WebEx and Box, are cloud-based. With more than 2,000 users and high turnover among seasonal and temporary workers as well as interns, provisioning access for employees was time-consuming.
IT automated the task with cloud-based single sign-on, which taps into the White Plains, N.Y.-based organization's payroll application and Active Directory. Stanford signed a one-year contract with a promising identity management provider that offered attractive pricing. He soon found out, though, that the provider's sudden growth would lead to headaches for him.
"They were swamped and unable to address our support needs in a timely fashion," he says. "Anytime we had anything beyond some training issue or support, the trouble ticket went off to engineering and had a long lead time before we got a response."
A change in the provider's code caused an issue with user access to a cloud application that LLS uses. Code running on the provider's system associated with the process of new user creation would lock an existing employee out of his account, yet grant others access to it and the data within. Stanford says the problem, which occurred each time a new user was created in the SaaS app, took two to three months to solve.
When the one-year contract ended, Stanford switched to identity management provider Okta, after grilling the vendor about support levels and escalation. "We aren't just thrown into the support pool. We have access to an account manager and a technical manager," he says. When LLS experienced a problem with user group creation within its Box.com account, Stanford says Okta escalated the matter directly to the highest levels of support and product management, and the problem was resolved quickly.
As Stanford and his team found, price is nice, but it's not everything. Mike Bennett, a partner in the Chicago office of law firm Edwards Wildman Palmer LLP, says that's a lesson that companies often learn the hard way.
"The attraction of price in the cloud can be irresistible but it's also dangerous," he says, adding that IT isn't always at the table when contracts are signed. "As cloud services get easier [to click and buy], lines of business are jumping in and not seeing the triggers that IT and other [critical stakeholders] would."
Hastily signed contracts can cause serious problems. For instance, Bennett says business execs sometimes unwittingly agree to export data across international borders, which may be in violation of data export rules. "IT and legal would have asked where data travels in the provider's cloud," Bennett says.
Bennett cites another instance in which a provider assured one of his clients, an organization in a highly regulated industry, that its cloud servers were in a domestic location. And while that was true, the client later realized that the help desk was located abroad and workers there would have had access to its data — a setup that violated regulations.
Bennett recommends that all cloud customers review their contracts regularly with the IT, legal, finance and HR departments. All of those parties bring knowledge to the table that could help avoid mishaps. For instance, in a lawsuit, organizations are asked to provide certain documents, including backups. Legal, IT and HR would be instrumental in figuring out a document-retention process that would ensure that the organization was ready for legal proceedings.
Bennett also encourages companies to think about their own risk tolerance when evaluating a provider's services. Instead of having to jump from a provider that wasn't a good fit, a company might choose to pay more for a higher level of security or support.
Stanton Jones
Stanton Jones, an emerging technologies analyst at Information Services Group, a sourcing advisory firm, says companies should do more negotiating with cloud providers. "You find out a lot about your provider in the course of negotiations — especially what they will and will not do," he says.
For example, you can insist that a provider notify you of changes, including to its infrastructure and support staff. That way, if a help desk is moved overseas, you can find another provider before you violate any regulations.
A newbie's concerns
James Edmunds, IT director at American Infrastructure, has those concerns in mind as he experiments with Microsoft Azure and Amazon Web Services.
A heavy construction company and materials supplier in Worcester, Pa., American Infrastructure has two data centers that support 1,800 employees. Edmunds plans to gradually migrate to the cloud over the next two years in hopes of gaining flexibility and access to a best-in-class computing infrastructure. But he's being cautious and is digging deep into what each provider offers.
He's investigating the technologies that providers use to store data and manage applications, and he's assessing how they arrive at their uptime guarantees.
James Edmunds
"We don't want to find ourselves in a situation where the security and partitioning aren't as mature as our data center," he says. "We have to make sure we're buying the right level of security and configuring it properly."
For instance, in his own data center, he might allow all servers to connect relatively freely, but in the cloud he'd restrict server-to-server communication to only what is necessary.
He also is devising an exit strategy to avoid vendor lock-in and because he's sure he will at some point have to switch providers. "We want to know how our data is structured and formatted and what risk [changing providers] poses," he says. "In a data center, you can keep a legacy server forever. The cloud forces you to figure out upfront how you'll jump providers."
At Creative Solutions in Healthcare, Wiora says he's far more confident with his cloud decision this time around. But he still thinks its wise to keep his options open — a strategy that includes retaining in-house IT staffers — to be able to jump again if need be. "We want function over price and no vendor lock-in," he says. "We want to be able to control our own destiny."