"It appears that there are enormous differences of opinion as to the probability of a failure… The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management."
~ Richard Feynman, PhD, Personal observations on the reliability of the Shuttle
Last month’s blog called for service providers to reveal more specifications for their cloud offerings. However, users also have to do their part to demand transparency from service providers, and until now, they have not yet shown much interest in understanding how service providers truly compare in terms of operational characteristics. Consumers vote with their dollars, and it seems they are not demanding data from many cloud vendors about supporting basic compliance regimes, for example. This does not bode well for the availability of uptime statistics in the future.
When Amazon's AWS service crashed, this user was forced to switch his Twitter tools from Hootsuite.com to Tweetdeck, and it is unlikely that he was alone. The cost of Amazon’s outage to Hootsuite.com is unknown, yet it is not a stretch of the imagination to suppose that it is more than Amazon’s reimbursement to the end-users for breaking its SLA. As vendors tack 9s onto the decimal places of their SLAs, or pursue the even more fantastical 100%, the probability of breaking the promised uptime increases. In this environment, the most important part of a cloud service provider contract is the one that identifies consequences and repayment guarantees when the vendor reneges.
End-users and vendors have a patron-client relationship. This association comes with a dynamic where one party (or both) can have varying degrees of inside information that adversely affects the contractual agreement that one (or both) believes is implied. In cloud computing, vendors have information about the infrastructure, while end-users have privileged knowledge of their usage.
Cloud service providers can potentially adhere to any number of standards and compliance measures, some optional, and others statutory (links are given at the end of this blog for some definitions). Governments and NGOs have devised various certificates and laws that apply to data and data centers. Cloud vendors sometimes seek out and divulge this information, but far fewer are doing so than would be expected and desired. Since certifications do cost money, a cloud provider will not have the motivation to get certified unless there is demand from end-users. Once they do achieve certification, they have no reason not to publish that information. However, as the table below shows, many vendors do not publish any information on basic compliance, which implies that they are not seeing demand for this information from their users.
Amazon AWS, Rackspace, GoGrid, Softlayer and NewServers do a good job of publishing compliance and uptime information, but many other service providers, including some that promise very high SLAs, are lacking. Users may take the risk of not knowing anything about their service provider’s data center, but as was learned by Hootsuite.com, that can be a costly gamble.
Table of Compliance and SLAs from selected vendors listed below:
| Vendor | Region(s) | Subregion/Point of Presence? | Compliance/Audit | SLA |
|---|---|---|---|---|
| Amazon AWS | North America | California (US) | SAS70, HIPAA, SOX | Compute: 99.95%; Storage: 99.999999999% OR 99.99% |
| Amazon AWS | North America | Virginia (US) | SAS70, HIPAA, SOX | Compute: 99.95%; Storage: 99.999999999% OR 99.99% |
| Amazon AWS | Europe | Ireland | SAS70, HIPAA, SOX | Compute: 99.95%; Storage: 99.999999999% OR 99.99% |
| Amazon AWS | APAC | Japan | SAS70, HIPAA, SOX | Compute: 99.95%; Storage: 99.999999999% OR 99.99% |
| Amazon AWS | APAC | Singapore | SAS70, HIPAA, SOX | Compute: 99.95%; Storage: 99.999999999% OR 99.99% |
| Rackspace | North America | Chicago (US; Illinois), Dallas (US; Texas) | SAS70, HIPAA, SOX, GLBA, PCI, FISMA | Compute: 100%; Storage: 99.99% |
| Storm On Demand | North America | Michigan (US) | Unknown | Compute: 100% |
| GoGrid | North America | California (US), Virginia (US) | HIPAA, SOX, PCI | Compute: 100% |
| Voxel | Europe, North America, APAC | Amsterdam (Europe), New York (North America), Singapore (APAC) | Unknown | Compute: 100% |
| NewServers | North America | Miami (US; Florida) | PCI, SOX, HIPAA, SAS70 Type II | Compute: 100% |
| Linode VPS Hosting | North America, Europe | Atlanta (North America; US; Georgia), Newark (North America; US; New Jersey), Dallas (North America; US; Texas), Fremont (North America; US; California), London (Europe; UK) | Unknown | Compute: 99.9% |
| SoftLayer | North America | Dallas (US; Texas), Houston (US; Texas), Seattle (US; Washington), DC (US), San Jose (US; California) | SAS70 Type II, PCI, Safe Harbor | Compute: 100%; Storage: Unknown |
| Terremark | North America | Miami (US; Florida) | SAS70 Type II | |
| VPS.NET | North America | Atlanta (US; Georgia) | Unknown | Compute: 100% |
| OpSource Cloud | North America | Virginia (US) | SAS70 Type II | Compute: 100% |
| Speedyrails | North America, Europe, APAC | Quebec (North America; US; Canada), San Jose (North America; US; California), Los Angeles (North America; US; California), Ashburn (North America; US; Virginia), New York (North America; US; New York), Chicago (North America; US; Illinois), Dallas (North America; US; Texas), Atlanta (North America; US; Georgia), Seattle (North America; US; Washington), London (Europe; UK), Frankfurt (Europe; Germany), Hong Kong (APAC; China), Tokyo (APAC; Japan), and Sydney (APAC; Australia; NSW) | Unknown | Compute: 99.9% |
| Zerigo | North America, Europe | Colorado (North America; Colorado), Dallas (North America; Texas), Washington (North America; DC), London (United Kingdom), Amsterdam (Netherlands) | Unknown | Compute: 99.99% |
| ReliaCloud | North America | Minnesota (US) | SAS 70 | Compute: 100%; Storage: Unknown |
| Gandi.net | Europe | France | Unknown | Compute: 99.95% |
| CloudSigma | Europe | Switzerland | Unknown | Compute: 100% |
| IBM | North America, Europe | Raleigh (North America; US; North Carolina), Boulder (North America; Colorado), Ehningen (Europe; Germany; Baden-Württemberg) | Unknown | Compute: 99.5% |
| Cloud Central | APAC | Australia | Unknown | Compute: 100% |
| RimuHosting | North America, Europe, APAC | London (Europe; UK), Dallas (North America; US; Colorado), Australia (APAC), New Zealand (APAC) | Unknown | Compute: 99% |
| ElasticHosts | North America, Europe | UK, US | Unknown | Compute: 100% |
| Flexiscale | Europe | UK | Unknown | Unknown |
| ZettaGrid | APAC | Australia | SAS70 | Compute: 99.9% |
| StratoGen | Europe | United Kingdom | Unknown | Compute: 100% |
| Melbourne IT vCloud Express | APAC | Melbourne (APAC; Australia) | SAS70, HIPAA, SOX | None while in Beta |
| Agathon Group | North America | Grand Rapids (US; Michigan) | SAS70 | N/A |
| Hosting.com | North America | Newark (US; Delaware), San Francisco (US; California) | SAS70, PCI, SOX, HIPAA & GLBA | Compute: 100%; Storage: 100% |
| AT&T | North America | United States | | Compute: 99.9%; Storage: 99.9% |
| KDDI | APAC | Japan | Unknown | Unknown |
| Layered Tech | North America | Kansas City (US; Missouri); Dallas (US; TX); Chicago (US; Illinois) | PCI DSS, HIPAA, SAS 70, SOX | Compute: 100% |
| NetMagic | APAC | Bangalore (India), Mumbai (India) | Unknown | Compute: 99.99% |
| OpSource | North America | Ashburn (US; Virginia), Santa Clara (US; California) | SAS70 Type II, PCI DSS Level 1, European Safe Harbor, HIPAA | Compute: 100% |
| Macquarie Telecom | APAC | Australia | PCI DSS, ISO 27001, AS/NZ7799, DSD Gateway Certified to Highly Protected, Microsoft Gold Certified, Redhat Advanced Hosting Partner, HP Business Partner | Compute: 99.9% |
| NTT | North America | San Jose (US; California), Sterling (US; Virginia), Ashburn (US; Virginia), New York (US; New York), Frankfurt (Germany), London (England), Madrid (Spain), Paris (France), Singapore (Republic of Singapore), Tokyo (Japan) | SAS 70 Type II | Compute: 100% |
| RagingWire | North America | Sacramento (California) | SAS70 | Compute: 99.99% |
| Savvis | North America, Europe, Asia Pacific | El Segundo (US; California), Irvine (US; California), San Francisco (US; California), Santa Clara (US; California); Atlanta (US; Georgia); Chicago (US; Illinois); Boston (US; Massachusetts), Hazelwood (US; MO), Jersey City (US; New Jersey); Weehawken (US; New Jersey), Piscataway (US; New Jersey), New York (US; New York), Dallas (US; Texas), Sterling (US; Virginia), Seattle (US; Washington), Vancouver (Canada), Toronto (Canada), Montreal (Canada), Docklands (UK), Slough (UK), Reading (UK), Singapore (Republic of Singapore), Tokyo (Japan) | SAS 70 Type II, PCI DSS | Compute: 99.99% |
| SunGard | North America, Europe | United States, UK, Sweden, France, Luxembourg, Belgium, Ireland | SAS70 | Compute: 99.95% |
| ThinkGrid | Europe | United Kingdom | SAS70 or ISO27001, SOX, HIPAA | N/A |
| Verizon Business | North America | United States | SAS70 Type II | Compute: 100% |
| Joyent | North America | Unknown | SAS70 Type II | Compute: 100% |
Statement on Auditing Standards No. 70 (SAS70): http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations
Payment Card Industry Data Security Standard (PCI DSS): http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
International Organization for Standardization (ISO) and the International Electrotechnical Commission 2700 family of standards (ISO 27001): http://en.wikipedia.org/wiki/ISO/IEC_27001
International Safe Harbor Privacy Principles (US-EU Safe Harbor): http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles
NIST Cloud Computing: http://csrc.nist.gov/groups/SNS/cloud-computing/
Health Insurance Portability and Accountability Act of 1996 (HIPAA): http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
Federal Information Security Management Act (FISMA): http://csrc.nist.gov/groups/SMA/fisma/index.html
Control Objectives for Information and related Technology (COBIT): http://en.wikipedia.org/wiki/COBIT
Data Protection Directive (Directive 95/46/EC): http://en.wikipedia.org/wiki/Data_Protection_Directive






What's not captured here is the payout information or the fine print. Our experience found AWS to require duplicate environments in different availability zones since the SLA is for region unavailable issues, which effectively doubled the cost to have coverage. Even then the payout was so small it did nothing to offset the risk. In our eyes they have an SLA on paper but it really doesn't do anything. For that reason we moved services elsewhere.
Posted by: Steven Jackson | December 24, 2011 at 11:27 AM