9. How does your cloud provider keep track of failed server instances and how long does it take them to respond, fix, and notify you of this outage?
Some providers offer more in terms of monitoring of their virtual servers. For example, Amazon has its CloudWatch service that can monitor and report on particular events in your cloud environment such as CPU demand and network traffic.
For the most part, you are on your own to keep track of what your collection of virtual servers is doing. The Terremark service at least shows, on its main portal page, a history of all the actions you have recently taken: powering servers up and down, adding services, and creating servers in your account. "Understand what kinds of support are possible in the cloud. If you are not monitoring the performance by your own staff, you may want your service provider to do that," says Savvis' Doerr.
Amazon's CloudWatch can tell you about resource usage, CPU demand and network traffic within your cloud environment.
10. Do you have a fast enough Internet pipeline to support your cloud-based applications?
Any cloud-based installation is going to add traffic across your Internet connection, so it is important to ensure that you have purchased enough bandwidth and that it can handle the peak loads when your cloud applications are sending data to your own network. It really isn't about the raw bits per second, whether you have a T-1 or an OC-3, but about the latency your packets incur crossing the Internet from the cloud to your office network. For example, lots of network hops add latency to the connection, which means you are going to wait and wait while your browser opens up a server. Particularly if you are navigating full-screen hi-res desktop windows remotely, you could be watching a lot of screen refreshes, and it could be painful or almost unusable to remotely control your cloud-based VMs.
Bottom line: You should instrument your Internet connection or have your provider ensure that you aren't running into any bottlenecks as you expand your cloud presence.
11. Are there any fine-grained access controls to your cloud resources, or does every user have access to all of the running virtual servers?
One place where the cloud vendors are still playing catch-up with the mainframe computing world is security policies and access controls. In many cases, access is an all-or-nothing proposition: once a user authenticates to the cloud, they are free to start and stop virtual servers or otherwise do a lot of unintentional damage inside the entire cloud environment.
Some cloud providers are better about this than others, and allow virtual networks within a particular environment or other means of segregated access for individual users. There are also third-party security tools, such as Hytrust's Appliance for VMware and Reflex Systems' vTrust. Both of these allow more granularity, so that users can run the applications on a virtual server but not reconfigure or turn off the server itself.
Hytrust's appliance allows you to set policy rules, so that individual users can't move, stop or otherwise alter a particular running VM.
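To make the difference between all-or-nothing access and per-VM policy concrete, here is an added example (not taken from Hytrust, Reflex Systems or any provider): a default-deny policy check in which a user may use a virtual server without being able to alter it. The rule format, action names, user names and VM names are all hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical action names, split the way the article splits them:
# using a server versus altering it.
USE_ACTIONS = frozenset({"console", "run_app"})
ALTER_ACTIONS = frozenset({"start", "stop", "move", "reconfigure", "delete"})


@dataclass(frozen=True)
class Rule:
    user: str           # exact user name
    vm_pattern: str     # glob over VM names, e.g. "web-*"
    actions: frozenset  # actions this rule covers
    effect: str         # "allow" or "deny"


def is_allowed(rules, user, vm, action):
    """Default deny; any matching deny overrides every matching allow."""
    allowed = False
    for r in rules:
        if r.user == user and fnmatchcase(vm, r.vm_pattern) and action in r.actions:
            if r.effect == "deny":
                return False
            allowed = True
    return allowed


def all_or_nothing_grants(rules):
    """Return allow rules that hand one user every action on every VM."""
    everything = USE_ACTIONS | ALTER_ACTIONS
    return [r for r in rules
            if r.effect == "allow" and r.vm_pattern == "*" and everything <= r.actions]


# Constructed sample policy.
POLICY = [
    Rule("alice", "web-*", USE_ACTIONS, "allow"),              # use only
    Rule("bob", "*", USE_ACTIONS | ALTER_ACTIONS, "allow"),    # all-or-nothing
    Rule("bob", "db-prod", ALTER_ACTIONS, "deny"),             # protect one VM
]

if __name__ == "__main__":
    print(is_allowed(POLICY, "alice", "web-01", "run_app"))  # use is permitted
    print(is_allowed(POLICY, "alice", "web-01", "stop"))     # altering is not
    print(all_or_nothing_grants(POLICY))                     # grants to review
```

Running `all_or_nothing_grants` over an exported policy is a quick way to find accounts that still have the blanket access described above.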
12. Are your Web applications protected automatically by something the provider does or do you have to supply various firewalls and security appliances in the cloud yourself?
Certainly, the least secure aspect of any cloud deployment is its Web applications and how they are connected to the rest of the cloud-based infrastructure. The challenge is being able to virtualize as many of your protective devices as you have for your on-premises servers, such as load balancers, intrusion prevention appliances, firewalls, and other gear. The major cloud providers are beginning to add these tools to their list of services so that IT developers can migrate their applications to the cloud and still maintain the level of security they have come to expect from the ones running inside their own data centers. Most of the cloud providers allow you to create your own firewall rule sets for your servers to protect them from inappropriate traffic. And there are companies such as Vyatta.com that specialize in providing virtual firewall protection to cloud-based resources.
For example, Amazon's cloud-based servers can't send spoofed network traffic, no matter which operating system they are running. The Amazon firewalls will only allow a server to send traffic using its own source IP or MAC network address, which is a nice safeguard.
VMware has only recently added a level of security to its vSphere line of products. Its vShield Zones product includes a hypervisor-based firewall to enforce network and port connections on each virtual server, and to set up a full collection of policies and firewall rules within the virtual environment. Most cloud providers can set up firewall rule sets by port and protocol for each virtual server, as you can see in this screenshot for Terremark's service. But that only protects each virtual server from badly behaving applications.
Terremark can set up specific security rules, similar to most firewalls, to enable or disable access to particular ports and protocols.
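The two controls described above, per-server rule sets by port and protocol and the source-address check on outbound traffic, can be sketched as follows. This is an added example, not any provider's actual rule format or implementation; the rule fields, the first-match-wins ordering, the choice of management ports and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FwRule:
    action: str    # "allow" or "deny"
    protocol: str  # "tcp" or "udp"
    port: int
    source: str    # CIDR block the rule applies to


# Assumption: SSH and RDP are the management ports worth flagging.
MGMT_PORTS = {22, 3389}


def evaluate(rules, protocol, port, src_ip):
    """First matching rule wins; traffic matching no rule is denied."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.protocol == protocol and r.port == port
                and addr in ipaddress.ip_network(r.source)):
            return r.action
    return "deny"


def exposed_management(rules):
    """Allow rules that open a management port to every source address."""
    return [r for r in rules
            if r.action == "allow" and r.port in MGMT_PORTS
            and ipaddress.ip_network(r.source).prefixlen == 0]


def egress_permitted(assigned_ip, assigned_mac, pkt_src_ip, pkt_src_mac):
    """Anti-spoofing: a server may send only from its own assigned addresses."""
    return (ipaddress.ip_address(pkt_src_ip) == ipaddress.ip_address(assigned_ip)
            and pkt_src_mac.lower() == assigned_mac.lower())


# Constructed sample rule set for one virtual server (documentation addresses).
RULES = [
    FwRule("allow", "tcp", 443, "0.0.0.0/0"),      # public HTTPS
    FwRule("allow", "tcp", 22, "203.0.113.0/24"),  # SSH from the office only
    FwRule("allow", "tcp", 3389, "0.0.0.0/0"),     # RDP open to the world
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", 22, "198.51.100.7"))  # outside the office range
    print(exposed_management(RULES))                   # rules to tighten
    print(egress_permitted("10.0.0.5", "02:00:00:aa:bb:cc",
                           "10.0.0.9", "02:00:00:aa:bb:cc"))  # spoofed source IP
```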
As you can see, there are many questions that you need to ask your cloud computing provider. Hopefully, with these 12, you are off to a great start in your new virtual environment.