Move IT Infrastructure to the Cloud? What SMBs Need to Know

by Allen Bernard

Unlike the cloud commercials on TV that promise ease-of-use and eternal happiness, there's a lot to consider if you want to move your business' technology infrastructure to the cloud.

For a small business, moving to the cloud is a no-brainer. You get scale, power, redundancy, reliability, disaster recovery, accountability, professional management, maintenance, and security but, perhaps most importantly, you get freedom from managing business technology yourself -- a perennial headache if there ever was one.

For this article we look at the pros and cons of moving your small business IT infrastructure to the cloud. This is called infrastructure as a service (IaaS). But, by default, that means your business applications will also reside there. Some of these applications are mission critical, and they may even be custom to your business so it's very important to look before you leap.

The "cloud" you see during TV commercials is just the cream rising to the top of what cloud computing can do for your business. The infrastructures that underlie all those benefits, however, aren't quite so neat and clean. There are many, many things to consider when choosing a vendor to take over and manage your most important asset: your server technology and the information that resides on it.

Basic Options in the Cloud

For the purpose of this discussion, we're defining cloud as a delivery method that allows applications, infrastructure, platform, and services to be accessed and used remotely via an Internet connection and from any device (provided the apps are formatted correctly). There are a number of ways you can move to the cloud:

  • You can rent server rack space at a co-location facility (co-lo) and manage it yourself by putting your own people on-site
  • You can rent rack space at a managed co-lo facility (Amazon Web Services, Rackspace and GoGrid are three companies you may have heard of) and have them manage it for you
  • You can simply buy all of your applications (provided you have no custom software) from software-as-a-service providers (SaaS) and let them do it all for you

While SaaS is not the focus of this article, it is very similar to IaaS from a usage point of view. It differs in that you are taking what the vendor offers in the way of product suite, features and services as-is. These are not your applications; you are merely renting them. Also, you will be dealing with multiple vendors to get all of the applications you need to run your business.

IaaS Leads Other 'As-a-Service' Offerings

According to a July Info-Tech Research Group report, infrastructure as a service (IaaS) is the fastest growing segment of the "as-a-service" market (software, platform and infrastructure are the big three on offer today). Rackspace and Amazon are leaders when it comes to small business IaaS, but there are a lot of players out there, including many regional operators that you may want to consider as well, especially if you like spending locally to support the businesses that support you.

Info-Tech also noted that HP's IaaS offering is in beta and free. This might be a good way to try out IaaS before you leap.

"HP’s cloud offering is still being developed, with a good deal of key features planned for future releases," the report states. "As such, only companies with very basic needs will be satisfied with the product in its current form. On the other hand, the beta is free and offers a great opportunity for clients to try out IaaS."

IaaS Pros and Cons

There's no shortage of either, but at the end of the day the pros do outweigh the cons -- provided you do your homework. Monica Hamilton, director of Global SMB Product and Solutions Marketing at McAfee, sent over her list of pros and cons you should consider:

IaaS Pros

  • Cost: Cloud applications are generally cheaper than standalone applications because they re-use and share resources. No upfront capital investment, no need for highly specialized IT personnel
  • Scalability: A single server may run out of resources, but cloud systems are designed to scale and can typically handle huge changes in load
  • Reliability: Multiple redundancy in cloud systems means that they are far more reliable than standalone systems
  • Performance: Cloud services are constantly monitored and improved for performance that tracks the state of the art
  • Security: While there are concerns about storing sensitive business data off-site, cloud systems generally have better security than their standalone counterparts (precisely because they have to address market concerns about this issue)
  • Access to better infrastructure: SMBs take advantage of applications and services created for the large enterprise (i.e., Salesforce, SAP, Siebel, Oracle)

IaaS Cons

  • Internet access: Users must have a persistent connection -- wired or wireless -- to the Web to access data and applications
  • Data control: Small business relies upon the cloud provider to secure the data. Data is no longer under the SMB's "lock-and-key." It is difficult to ensure the SMB's data is isolated from competitors' unless they can afford their own server in the cloud. IT no longer has persistent access to monitor user access and data integrity
  • Outages: Service Level Agreements (SLAs) do not cover the extent of impact an outage could have on a small business. For many small businesses an outage is devastating
  • Mobile management: Will not relieve the ongoing need for onsite security, as users will continue to use devices (BYOD: laptops, tablets, mobiles) to access the web regularly and they will continue to require device, web and email protection. (McAfee offers cloud-managed security.)

These are the basic pros and cons. Depending on who you ask, you'll find some variation to this list, and a lot of that variability will be industry- and regulatory-dependent.

Next we'll look at the various factors you need to consider before handing over your IT infrastructure to a cloud provider. We were going to focus on the "Top 5" for this article but we got so much good information, we decided to include it all. Enjoy.

Top Considerations for Moving Your IT Infrastructure to the Cloud

Pure Cloud Providers

Does your cloud provider use other third-party providers for their services? It's a good idea to find out, especially if you are going with a regional player. There are cloud providers that rely on data centers they do not own to host their offerings, so check this out and understand what this means.


You will be giving up direct control over your servers and applications. You need to be comfortable with this.


How much IT talent do you want to keep in-house versus how dependent do you want to be on your provider? Once you turn over control to an IaaS provider, you've essentially given them the keys to your business' survival. Choose wisely.


Understand why you are moving to the cloud, what you expect to gain from it, and what you need to achieve those gains.


Do your current software licenses allow you to off-site your versions to a cloud provider's servers? It might be a good idea to find out.


Where in the world is that co-lo facility? One company Info-Tech recommends for SMBs is based in Johannesburg, South Africa. If having your data on the other side of the world makes you uncomfortable, you may want to look closer to home.

Cloud Provider Cost and TCO

This is probably what led you to this article in the first place. Amazon does best on the TCO and ROI scale that Info-Tech uses, and Computer Science Corp. comes in last. But the big-name vendors in the SMB cloud-provider market appear comparable from this point of view. It comes down to your needs versus what you're currently spending versus what you want to spend. Three-year TCO ranges from $10,000 on the low side to $250,000 and up.

"From a cost standpoint, there comes a time (based on volume, scale, performance) when it likely makes sense to move some apps on-premises," says Brian Reagan, vice president of product marketing at Actifio, a provider of production data storage and management solutions used by cloud providers. "You need to make inspecting TCO a part of the governance process. Bottom line -- it's vital to focus on and to negotiate the fine print, as it [aligns expectations and] creates a stronger partnership from the outset."

Essential Questions to Ask Cloud Providers

Reagan also offers up a few other questions to ask your potential cloud provider:


What are the service level agreements (SLAs) for availability, recoverability, access, and data retention? (Read this document carefully! Some of Amazon's customers got burned earlier this year by an outage and tried to go after Amazon for remediation -- until they read their contracts.)

Moving On

What happens to my data if and when I leave? Who owns it?


How (and how frequently) will I be billed, and at what points -- in terms of usage -- do additional discounts kick in? Also, what are the implications of "overages" during peak demand periods?

Customer Support

What is the defined customer support process including escalations, contact names/numbers, and response time guarantees?

Proprietary Vs. Open Standards

Choosing an "open cloud" provider -- one that bases its platform on open standards like Rackspace's OpenStack or Linux KVM -- ensures the flexibility for whatever the future might hold for business, advises Tiffaney Fox Quintana, director of the Rackspace Startup Program. As a company grows, infrastructure needs inevitably change. Being locked in to one vendor (most likely VMware's vSphere platform) with the inability to move your applications or data to more applicable infrastructure can be costly and sometimes catastrophic for small businesses.

Addressing Cloud Security

Cloud security is a crucial issue. On the negative side, you are giving up responsibility for this task to a cloud provider who has other clients to worry about. On the plus side, it's generally accepted that cloud providers offer better security than you ever could. They stay up-to-date on best practices and employ the latest tools. They have to, because too many security breaches would cause the industry to founder very quickly.

Aside from the very nice pros and cons list, McAfee's Hamilton also provided a separate list focused, not surprisingly, just on security. We broke this out because security is a key concern. Hamilton recommends you ask potential IaaS providers these very important questions.


Do they encrypt the data during transport to the cloud as well as at rest on the cloud? Encryption prior to transport will ensure traffic intercepted on its way to the cloud is secure. Encryption at the service provider's data center will ensure the safety of the information when it's stored on the provider's server. 

All data transferred and stored should be encrypted with the highest levels allowed: 256-bit Advanced Encryption Standard (AES) SSL for data in transit, and 256-bit AES for data at rest. Where are the encryption keys stored? There should be both physical and logical separation between the encryption keys and the encrypted data.

Access Control

Can you control and monitor who has access to applications within your company's cloud? What level of password protection is available to you to deploy? Does the service provider employ strong passwords? Do they offer two-factor authentication?

Physical Security

How does the provider limit and/or prevent access to their facilities?

Data Security

What happens if your data becomes corrupt? Does the service provider offer fully redundant backup systems? Can you fall back to a prior day's version of uncorrupted data? In today's world of inexpensive memory, companies should expect their files to be backed up in triplicate -- at a minimum -- in geographically dispersed data centers.

With the speed of processors and connectivity, backup should be instantaneous and should be synchronized at the same time between all backup centers. How do they handle co-location? If you and a competitor use the same service provider, what physical and logical protections do they have in place to ensure that your data is not copied, emailed, forwarded?

Must-Have Security Certifications

Here is a list of security certifications that Hamilton suggests you look for before you buy:

  • PCI DSS – Payment Card Industry Data Security Standard; an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards
  • ISO 27001 – A standard applying to information technology, security techniques and information security management systems
  • HIPAA – Health Insurance Portability and Accountability Act of 1996; national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
  • FIPS 140-2 – Federal Information Processing Standard; a U.S. government computer security standard used to accredit cryptographic modules
  • SOX (Sarbanes–Oxley Act of 2002) – a U.S. federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms
  • SAS 70 Type I or II – Statement on Auditing Standards (SAS) No. 70, Service Organizations; a widely recognized auditing standard developed by the American Institute of Certified Public Accountants

It's a lot to think about, but so is re-investing in your current infrastructure as you try to stay current on best practices and advances in hardware. This list will help you begin to get answers to these and other fundamental questions that will come up as you start your journey to the cloud.

The former managing editor of CIOUpdate.com, Allen Bernard is a freelance writer who has written for numerous other technology websites that focus on IT management and its relationship with the business. You can contact him at abernie182 @ gmail.com and follow him on Twitter at @allen_bernard1.

This article was originally published on Monday Oct 22nd 2012