Business-critical servers: premise-based, hosted, co-located or cloud-based?

At the end of the day, there are only a few things truly relevant to the decision about where to host your business critical applications: availability, security, interoperability, data portability, and cost, and all of them are negotiable.

Using the term “business critical” implies that availability is important, but only the business can determine whether the significant cost difference between making a service 99.9% and 99.999% available is warranted. As it relates to hosting, it is likely of little importance to the service consumer where the service is as long as it is available and the issue for the business is to negotiate and enforce Service Level Agreements (SLAs). Dedicated in-house, hosted, and collocated servers are the best choices for negotiating high availability SLAs because shared and cloud-based servers tend to guarantee the availability of the infrastructure not the service running on the infrastructure. In any event, it is always incumbent upon the buyer to negotiate and monitor all SLAs; never assume that any provider will do this for you, even if they are in-house.

There are tomes written about risk assessment and security and I will not endeavor to repeat all of that here, an excellent reference written specifically for cloud but applicable to any outsourced arrangement can be found at http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-ass.... The tricky bit about security is separating the actual security requirements from the instinctive need we all have to hug our servers. You also need to determine whether the data associated with the application should be stored off premise, and if it could, if the location of the physical data storage is important. Recent events with Research In Motion highlight the lack of uniformity in international data protection policies and what impact that can have on enterprises. The key message, again, is that it is incumbent upon the buyer to negotiate and monitor security policies and SLAs and never assume that the provider is more interested in the security of your data than you are.

I mention interoperability and data portability because they are often used to eliminate shared and cloud-based servers from consideration as a deployment option (consider that just by selecting an application you have generally limited your interoperability and data portability options already). The reality for external providers is that they have disincentives to provide these and make it easy to switch from one to another. As standards evolve, especially for cloud, these considerations will become less pronounced, nonetheless, you need to consider how your services will interoperate with all of the other systems it needs to and how you will get your data out when you decide to change providers or if the provider you are using is acquired or fails as a business.

I mention cost last not only because it is obvious but also because it can be one of the hardest considerations to quantify. If you are considering moving from an in-house hosted environment to and external provider for example, is it possible to accurately capture the internal costs for servers, software, space, power, cooling, administration, and technology refresh so you are comparing apples to apples?

Regardless of the business size, if you are able to objectively consider the above you will surface the questions and considerations to put you well on your way to making the optimal decision for your business.