Some cloud services are more important than others, and should be treated that way
Don't waste your time and money trying to secure and support services that don't mean as much to the business. Not everything has to be locked down, or be up 31.5 million seconds a year. Put your precious budget resources into the select services that really matter.
These sage words of advice come from David Linthicum, who explains the importance of cloud service tiers in a recent GigaOm post. As he puts it, there are some cloud services which are essential to the business, and others that serve more peripheral roles. Thus, they need to be given different levels of priorities and resources when it comes to the business.
Dave proposes that cloud services be categorized within three distinct tiers as presented in the enterprise service catalog, to provide clarity to which services get "the most expensive resources for the applications that are most important for the business" -- such as uptime, systems management, security, maintenance, and integration activities. Even security should be prioritized according to a service's importance to the business, he advises -- direct the "most sophisticated, effective, but most expensive security services" at the most business-critical systems. "Those applications that are less critical typically have very few security services, or, in some cases, none at all."
Dave suggests a "basic model" for categorizing three priority levels (Tier 1, 2, and 3) for cloud services. While Dave's proposal is intended to help prioritize funding levels of public cloud services -- paying premiums for maximum uptime for given services -- this is a good model for internal cloud service support as well. Setting services with tiers "will allow enterprises to set policies to support internal SLAs, and maximize the value enterprises get from the cloud." Here are the three tiers by which cloud services can and should be managed:
Tier 1: Business-critical applications. These are services that are tied to very specific SLAs, such as those that "define very high availability, including cloud services that support high fault tolerance and provide scalable performance on-demand."
Tier 2: Business non-critical applications. These can be defined as "applications that are not business critical, or won’t stop the business from functioning if they go down," Dave says. "The cost should be less for these cloud services, but you should not be surprised if you experience occasional outages, perhaps one or two a month."
Tier 3: Occasional-use applications. As their name suggests, these are applications "only used occasionally, such as applications for end-of-quarter processing, or those that may be used to take occasional inventory," Dave says. "In many instances, there are no SLAs involved. Examples would include the use of Dropbox or Box.net for storage services, or Google Applications. They are either free, or offered at a very low cost."
(Disclosure: I am an occasional contributor to GigaOm Research, mentioned in this post.)