Cloud architecture: Questions to ask your provider for reliability

How do know your cloud provider has the right web-services architecture? Gregory Machler offers these questions that can help pinpoint possible weaknesses the storage and network layers of your system

By Gregory Machler

July 18, 2011CSO

I've been an architect on some complex applications and I have a significant concern about assessing architectural risk for public/private cloud applications. Traditional risk assessmentsfocus on external/internal access to confidential information like social security numbers, credit card number, and for banks PINs for the ATMs. Access controls and network protection are high priorities because they suppress the risk.

I'm interested in something a little different — I'll call it architectural reliability. The desire is to avoid single points of failure for critical applications so that catastrophic errors don't occur; those lead to huge financial losses and a diminished corporate brand. So, where would I start to shore up the architecture? Here are some storage and networking diagnostic questions I would ask for the top-10 applications within a corporation. Note that some questions that need to be asked are pertinent to all applications and some just within a given domain. I'm going to focus on just the storage and networking product domains that support the top-10 applications.


[See also: Five cloud security trends experts see for 2011]


Storage Architecture — All Applications

Is only one SAN vendor used for storage of all of the applications?
How is data de-duplication addressed?
Is only one SAN switch vendor used for all of the applications?
Is only one data replication vendor used?
Is only one encryption vendor used to encrypt data for all of the applications?
Which encryption algorithm is used for a given encryption tool?
Is only one PKI vendor used to manage certificates?
Where are the certificates related to data at rest encryption stored?

Storage Architecture — Each Application

What storage subsystem does the application run on?
Which other applications run on the same subsystem?
Is the data on the storage subsystem replicated elsewhere or is this the only copy?
How is the need for more data storage addressed for a given application?
What SAN switch is used for traffic to/from the storage subsystem?
What network components are used to replicate SAN data from one data center to another remote data center?
What is the application that performs data replication?
What is the software version and release for the data replication application?
Which encryption vendor is used to encrypt Confidential data on a given storage subsystem?
Does the storage for the encryption tool also run on a SAN shared with other applications?
Can corruption of the encryption data affect multiple applications or just this application?
What PKI vendor is used?
What version and release of PKI software is deployed?

Network Architecture — All Applications

Is there only one switch/router vendor?

RESOURCE CENTER