1. TRUST BUT VERIFY.
Good relationships are built on trust. It works both ways – as a customer, you trust your vendor to provide what is promised. As a vendor, you trust your client will compensate according to your agreement. Of course, there's more to it, but this is the basic foundation, and it doesn't always work out the way you expect.
In one case, an MSP was contracted to provide services to a CPA Tax & Accounting company. An incident resulted in significant data loss, so a recovery was required. It was then discovered that the MSP had not been properly backing up the company's data. The results were disastrous, embarrassing, and expensive.
How can this be avoided – what are the lessons learned?
- What comparable experience and references does this MSP provide?
- Do they have adequate staff, the right skill sets, and depth of talent?
- Have the terms & conditions been reviewed by an independent expert?
- Are the SLAs crystal clear?
- Is there an escape clause in case of failure to perform?
- Has there been proper discovery and is there a cadence of meetings/reviews going forward?
2. TOTAL SECURITY: 90% IS FAR FROM 100%.
Cybersecurity threats are evolving at an almost exponential rate. What worked a year ago is most likely not enough for today's newest threats. So when your MSP makes a security recommendation, it means it's time to act.
In a recent example, a financial services client had implemented a new network security plan. Upon inspection, we found numerous open ports and recommended that they immediately close and block access to them. Because of the perceived inconvenience (they were unwilling to give up numerous applications for video conferencing, peer-to-peer file sharing, internet radio streaming, etc.), they decided not to follow this advice. Less than 6 months later, their system was breached and the financial information of their clients was accessed, resulting in financial consequences and serious damage to their credibility and brand.
3. OUTAGES HAPPEN – BE STRATEGICALLY PREPARED.
When you do business in the cloud, it's also good to stay grounded in a secure, highly redundant, flexible infrastructure, because 99% uptime in the cloud is still not a 100% guarantee. Even Amazon has suffered a public outage. So here's what to keep in mind so that you are always prepared.
- Understand what is mission critical. Not everything is mission critical, but some systems are more vital than others. Ensure your most important applications and datasets are going to be available – whether that's backed up in the cloud or on the ground.
- Know your limits. Determine how much data you can afford to lose before it becomes a critical issue – this is your Recovery Point Objective (RPO). Next, determine how long you can afford to be down & out – this is your Recovery Time Objective (RTO). Knowing these limits will help you set your strategy.
- Don't put all your eggs in one basket. Redundant systems may not be required for everything, but having a safety net for your most critical systems is the right move.
- Uptime vs. durability metrics. Uptime is the most popular feature to highlight for the cloud; however, durability is just as important. Durability refers to data integrity and how much data is lost over time. What good is uptime if durability is poor? Both metrics are important.
- Follow best practices. Vendors have a vested interest in protecting customers even if their servers are only down for a few minutes a year. Published architecture best practices should be followed to avoid downtime and loss of data.