Cloud Vs. Dedicated for Enterprise Applications: A comparison via worked example

The public cloud still has a long way to go before it becomes accepted in the marketplace as a reliable and secure place to host enterprise applications. Cloud works well for non-critical environments such as test and development, but that's as far as it goes, so the argument runs. This white paper tests that preconception by measuring cloud and dedicated hosting offerings against a standard matrix of enterprise requirements.

We'll do it by way of a worked example, putting ourselves in the shoes of an IT director of a multinational pharmaceutical company with three pressing projects. Traditionally the company has gone with a dedicated hosting partner or kept the projects internal, but the CFO, who carries more clout than the IT director, insists on looking at cloud as an option.
THE PROJECT

The first project the IT director has to support comes from the marketing department, which needs to conduct intensive analysis of some sales data. The company has just put a new cough mixture on the market, and the three-month figures from its pharmacies have just been returned to the marketing department. The second requirement is for the company's main corporate website, principally used for disseminating public information externally to the investor community and internally to the company's employees and partners. Finally, the IT director needs to look at ways of supporting phase one of a clinical trial for a high-profile new drug.

BUSINESS NEEDS

The business priorities for the project were reliability, security, and performance. Our director knows that his C-levels are worried about the security implications of moving to the cloud. The board is also worried that, because the cloud is multi-tenanted, individuals are not properly isolated, so it is possible for one customer to access another customer's data. Finally, the corporate website will host a large number of training videos and other media-rich content such as medical images, and the site is expected to generate high but predictable levels of traffic.

The IT director took a look at the anticipated usage and traffic of the requirements and boiled them down to this specification. Each requirement needs this environment, with the corporate site separately requiring 10TB of data transfer.

2 x web servers (2 x CPU, 2GB RAM, 20GB SAS, Ubuntu)
1 x database (2 x CPU, 2GB RAM, MySQL)
10TB transfer

Given the need for reliability and performance, the director also has a requirement for High Availability for the corporate website and the temporary site. He has a preference for VMware because of its ability to improve the business continuity and day-to-day management of his estate, so that too was added to the tender.
Then the IT director asked the vendors to show whether they could guarantee server isolation, and what options they had in terms of web application firewalls and DDoS protection. Finally, to make sure the regulatory boxes were ticked, he asked the providers to demonstrate that data would stay in the jurisdiction, that data would be wiped from the provider's equipment when the site was pulled down, and lastly whether he could audit the provider's infrastructure and data center.

He put his requirement out to several vendors across the spectrum, and here is a distilled version of what came back. We'll show the results from a dedicated hoster, a private cloud provider, a commodity cloud provider and ourselves at FireHost.

First off, with the cloud providers the specs and pricing for everything he needed were available on the website. It was easy to configure and price the deployment above. The dedicated hosting company had instant chat on its website, but was unable to give pricing without a call with a solutions specialist and a signature on an NDA.
BUYING EXPERIENCE

Time to quote: 2 weeks; 1 week; 10 mins; 10 mins
Pricing: 2 weeks; 1 week; 20 mins; 20 mins
NDA

MANAGEMENT, FINANCIAL CONTROL, AND VISIBILITY

Web portal and API accessible with stats available in real time
Pricing, but no real time stats
Predictable billing
Storage

PERFORMANCE, BURSTABILITY, AND AGILITY

Memory controls
Processor controls
2x environment on the fly
SECURITY, COMPLIANCE, AND DATA PROTECTION

All three providers were able to support the basic requirement. But it was above the operating system that the differences began to show.

PCI DSS
Web application firewall: Up to network layer; Up to network layer; Up to network layer; Up to application layer
DDoS
HA environment: but big increase in price; but again big increase in price; Not as standard
Separation of dtb and web server
Isolation of instances
Secure SSL VPN as standard
Certificate of data deletion
Data in jurisdiction
Audit of environment and data center

COST

Our IT director needed to put together an easy-to-understand spreadsheet for his CFO. Unfortunately, the pricing indicators that came back from the service providers were not easy to compare like for like. In network speeds, for example, some quoted line speeds (10mbps), others transfer (1TB). Also, GB by GB, the cloud emerged as a much more expensive option than dedicated. Here is how the cost matrix for the providers worked out.

Network (100mb IP port limited to 40mb): Low (less than $400); Medium (in between $500 and $1000); High (over $1,000); High (over $1,000)
Network firewall: As standard; As standard; As standard; As standard
Web application firewall: Self provisioned; Not available; Not available; Medium
VMware functionality: Self provisioned; Medium; Not available; Low
Cost per server (or CPU)/month: Medium ($300-$500); High (over $500); Low (>$300/month); Medium ($300-$500)
Cost of adding additional security hardware (DDoS): High; High; Not available; High (over $1,000)
Contract term: 3 year; One year; Monthly; Monthly
Billing: Flat; Flat with usage charges on top; Usage-based; Usage-based

THE RESULTS

As can be seen, the agency's requirement was met by three quite different responses. On the face of it, the commodity cloud came in as the cheapest. But the IT director needed to add in the additional cost of purchasing High Availability, the Web Application Firewall, and DDoS protection. Furthermore, there was the additional cost in terms of employee time of maintaining all the applications and keeping them current.

The commodity cloud provider seemed at first a good choice for the spiky traffic of the clinical trial, but its story around compliance and regulation was weak, and unlike with the dedicated array, the IT director would not have the option of adding WAF and DDoS hardware for himself. Also, the IT director needed to have a business continuity environment, and the high cost of transfer made the commodity cloud expensive.

The virtual private server option was also initially tempting to the director, but a key flaw in the offering was the fact that the multiple tenants would share the same server and, at the lower end of the scale, even the same operating system. The IT director also asked if the hosting company could isolate the instances running in its environment, and the answer came back no.

With this in mind, the IT director awarded the contracts as follows.

For the marketing analysis project, he awarded the contract to the commodity cloud provider. The environment was only to be deployed for a month or two, so a three-year contract made little sense, eliminating the dedicated provider. With no sensitive issues such as compliance or security at hand, it made more sense to go with the low-cost commodity cloud.

When it came to the two live sites, the decisions were different. With the corporate website, the network traffic cost was the decider.
The site's traffic was high but also constant and predictable month in, month out, and had been so for years. The dedicated hosting provider's network costs were substantially lower than those of the other three providers. Almost all the content on the site was for public dissemination, meaning that security and compliance requirements were low and sufficiently met by the dedicated option.

Finally, the sensitivity of the content of the clinical trial and its importance to the business meant that the contract went to the only provider on the list which could realistically satisfy all the diverse aspects of the requirement, that is to say FireHost. The C-levels felt secure that, although the site was being hosted in the cloud, it was adequately protected and placed in a fully compliant environment. Additionally, FireHost was able to offer a CDN solution that enabled the agency to stream the videos cheaply and effectively for their client.
CONCLUSIONS

There is no one-answer-fits-all for a hosted deployment: sometimes commodity cloud is the answer, sometimes dedicated, and sometimes an enterprise-grade cloud like FireHost Ltd.

Establishing the business requirement is key; if it is not understood, it is likely that the wrong choice will be made.

For a stable-state, predictable workload type application with no peaks and troughs in usage over time, a dedicated hosting option is most appropriate.

For projects that are not handling mission-critical applications, such as test and development, the commodity cloud is appropriate.

For applications where reliability, security and compliance are paramount, that is to say for all enterprise applications, FireHost is the optimal choice.

Media Contact
Sarah Hawley
Ubiquity PR