INFRASTRUCTURE AS A SERVICE BUYER S CHECKLIST

Transcription

1 INFRASTRUCTURE AS A SERVICE BUYER S CHECKLIST

2 2 CONTENTS SERVICE LEVELS 3 SERVICE AND SUPPORT 4 CERTIFICATIONS 4 MANAGED HOSTING 7 BILLING 8 SERVICE MANAGEMENT 8 TECHNOLOGY 9 GLOBAL, REGIONAL, LOCAL 10 THE DATA CENTRE 10 MAKE OR BUY 11

3 3 CHAPTER 1: SERVICE LEVELS Does the provider offer your required SLA/SLG? Example: 99.9%, 99.95%,100% (for example on HA solution). Does the SLA/SLG cover 24x365? Is the required SLG level included in the solution price? Are the conditions for rebate payments acceptable? Example: No rebate for SLG violations, one day for every hour SLG breach. Are all solution elements covered by the SLG? Example: Individual service element or entire solution uptime. Is the maximum rebate payment limit acceptable for you? Example: One month of service charge. Does the notification period for planned outages match your needs? Example: Not specified or five business days. Are all critical elements covered by the SLG? Example: Server uptime, solution uptime, special SLGs such as network and storage performance (IOPS). Are the disaster recovery SLGs state of the art Example: 5 minutes RPO and 30 minutes RTO. Does the vendor provide a RACI matrix for managed hosting? RACI = Responsibility, Accountable, Consulted, Informed. How complex are the SLGs? Do you understand them? Example: Complicated definitions of uptime percentage, availability and exclusions.

4 4 CHAPTER 2: SERVICE AND SUPPORT Does the vendor provide direct access to the technical support team? Example: What are the support times and support channels ( , phone)? Are support cases handled by engineers directly? Is engineer support available 24x7? Does the vendor provide access to technical consultants in the presales phase? Example: Support for individual solution design and scoping. Are there customer service managers assigned to each individual account? Example: Who is your contact in day-to-day business? Does the company provide regular business reviews? Example: Utilisation reports, face-to-face meetings to discuss potential optimisation or recent issues, QA improvement, customer feedback. Does the vendor assign a dedicated project manager to complex orders? Example: Who assists the customer during the provisioning process to make sure that the outcome is as expected, tailored to the customer requirements, and on time? Does the vendor start billing the customer only after successful user acceptance tests? Do you require "Smart Hands"? Example: Engineers that perform tasks on behalf of your IT staff in the data centre to avoid travel and improve effectiveness. CHAPTER 3: CERTIFICATIONS Is the vendor Information Technology Infastructure Library (ITIL) certified? Is the vendor ISO27001 certified? Do you require a PCI compliant solution? If yes, is infrastructure outside your customer environment PCI certified (gateway to customer environment)? Does the vendor fulfil Australian Government standards (ASIO T4, DSD)?

5 5 CHAPTER 3: CERTIFICATIONS COMMONLY REQUIRED CERTIFICATIONS ITIL The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ISO27001/2 Is an information security management system (ISMS) standard that contains 11 domains: Security policy. Organisation of information security. Asset management. Human resources security. Physical and environmental security. Communications and operations management. Access control. Information systems. Acquisition, development and maintenance. Information security incident management. Business continuity management. Compliance. ASIO T4 PROTECTIVE SECURITY (ASIO-T4) Protective security is a combination of procedural, physical, personnel, and information security measures designed to provide government information, functions, resources, employees and clients with protection against security threats. ASD Australian Signals Directorate gateway certification. PCI DSS Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

6 6 CHAPTER 3: CERTIFICATIONS CONTROL OBJECTIVES PCI DSS REQUIREMENTS Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications. Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. Maintain an Information Security Policy 12. Maintain a policy that addresses information security.

7 7 CHAPTER 4: MANAGED HOSTING Example of tasks/ areas that should be considered: Configure operating system Operational capabilities Configure monitoring Configure backup Provide test plans Platform testing Customer acceptance testing License purchase/lease Operating system ownership Validate specification against requirements Installation (rack mount, system power) Configuration of networks Resilience configuration Security patching and service packs System re-install Version upgrades Security policy management System reboot

8 8 CHAPTER 5: BILLING Is there a monitoring portal that allows measuring of service consumption in near real-time? Does the portal allow the customer to set thresholds for notifications? Is the bill structured in a format that fulfils internal accounting needs? Example: Grouped by business unit, export formats. Are the commercial terms fixed or negotiable? Do you require billing by the hour? Example: Individually designed customer solutions that include dedicated service components (non shared firewalls, load balancers and compute resources) do not allow billing by the hour due to the complexity setting up the environment. Billing by the hour is mostly only available if the solution is built entirely on shared infrastructure. How predictable is the bill (bill-shock)? Example: Is the services consumption predictable? Do you have a dedicated contact person for billing enquiries? CHAPTER 6: SERVICE MANAGEMENT Does the portal allow the setup of different accounts with individual user access policies? Example: One user to configure the firewall, one user to view the bill. Are all portals available to you in order to manage your infrastructure? Example: Compute, network, storage, firewall, load balancer etc. Can you order new elements online? Do provisioning times for new elements or change requests meet your business needs? Do you get a monitoring portal that suits your needs?

9 9 CHAPTER 7: TECHNOLOGY Are critical services built on dedicated technology? Example: Full featured dedicated Fortinet firewall or shared firewall. Do you need IaaS that uses a specific hypervisor and does the vendor support your hypervisor? Example: Some workload mobility solutions do not support multiple types (vendors) of hypervisors. Are you running a hybrid infrastructure (colocation, private cloud, public cloud, dedicated managed servers, on-premise servers) and does the vendor support this? Example: Hybrid solutions require scalable interconnectivity solutions. Do you prefer to get everything out of one hand and limit the number of vendors? Do you control the contention of your compute resources? Example: Public clouds do not reserve 100% of the compute resources for each client. Compute resources are assigned on demand between customers which adds latency times and could lead to noisy neighbour problems. Is the technology powerful enough? Example: What specs do you need to serve your required workload? It is not always easy to compare apples with apples due to different performance specifications. Does the vendor provide all the value added services you need? Example: Backup, patch management, multiple storage tiers, load balancers, global server load balancer. Does the vendor provide the storage options you need? Example: Storage for archives, normal server load, databases or ultra high workloads. Do the disaster recovery (DR) solutions suit your needs? Example: Price, DR location, ease of DR implementation, monitoring, maturity of DR solution. Does the vendor offer disaster avoidance solutions that suit your needs? Example: Performance of data centre interconnects, storage replication, stretch storage (same LUN in two locations).

10 10 CHAPTER 8: GLOBAL, REGIONAL, LOCAL Does your solution require hosting in Australia? Example: Required by law or any other legislation, personally preferred because of Homeland Security, PRISM, Patriot Act etc. Do you prefer to do business with a local partner? Example: You are looking for a local trusted business partner. Do you require multi availability zones for your disaster recovery or disaster avoidance solution? Example: High availability solutions could be hosted in different data centres for higher fault tolerance. Do you prefer a contact centre located in Australia? Do you prefer the engineers to be located in Australia? Can the vendor offer a network connection to its services with low latency? CHAPTER 9: THE DATA CENTRE Does the data centre fulfil all required certifications? Is the data centre highly reliable and available? Example: A Tier III data centre (Uptime Institute) can maintain all elements without causing any outage to any services at any time. Does the vendor provide enough transparency? Example: Tours and direct contact to the facility managers to ask questions. How do the vendors rank in their outage history? Example: Is the vendor transparent with its outage history? What were the reasons for the outages? What technology was affected? How does the vendor rank in terms of efficiency? Example: Ask for the power usage effectiveness (PUE). The PUE is the ratio of the total facility energy consumption to the IT equipment energy consumption. Does the data centre support your rack size? Does the data centre support your energy consumption per rack? Do you have the choice when it comes to Internet connectivity? Example: Available external Internet connections. Has the data centre enough capacity? Example: Are you likely to get more rack space when you need it in the future?

11 11 CHAPTER 10: MAKE OR BUY BUY (PRO) Solution maturity high. Solution available today. Portfolio of value added services. Solution variety (different storage tiers). Hybrid infrastructure out of one hand. Import/export capabilities (low locking risk). High support expertise. High solution design expertise. 24x7 monitoring and support. Sophisticated management portals. Comprehensive monitoring solutions. Grow as you go. Low Capex. Affordable turnkey disaster recovery solution (if offered). BUY (CON) T echnology lock-in (on some vendors). Uncertainty about vendor capabilities. Hidden costs and bill-shock risk. Support quality on entry level support offerings. Limited to vendor s solution portfolio. Limited transparency (reporting) with some vendors. MAKE (PRO) Growing in-house expertise. Full control over staffing. Self selected backend technology. Full control over vendors and partner selection. Full access to backend technology if required. MAKE (CON) Long term lock-in into internal solution because of long term Capex investments. High Capex. Solution will mature over time. IT staff has to cover infrastructure and application level support. Expensive 24x7 support and management. Limited technical solution portfolio (inflexible short and long term strategy). Slow uptake of new technologies. Limited benefits of cloud services benefits internal solutions use virtualisation but not cloud technologies (service layer on top of virtualisation). Service disruption and brain-drain issues due to fluctuating staff. High costs for consulting and engineering for solution design (especially DR).