As organisations increasingly rely on ever more complex systems, they face a multitude of technological, staffing and operational risks. A constantly evolving presence on the internet involves rapid change in requirements, strategies, supporting systems and associated protocols. At the same time, traffic and public expectations increase. As a result, many businesses make the risk based decision to rely on a web hosting provider - an organisation whose entire business is built on the provision of reliable and cost-effective web hosting services.
Finding an acceptable web hosting provider and an optimal cost-risk-benefits balance is hard. Each organisation is likely to reach a different decision, but it is vital that the decision is made in a structured, consistent, measurable and repeatable way.
In an ideal world, every product and service would be delivered to a flexible, inexpensive, low-risk, high quality standard. In reality it is necessary to assess requirements and evaluate best practices. These should include consistency within and across data centres, the provider's ability to communicate internally and with customers, their change management methodology and problem resolution processes. It is also crucial to understand the operational metrics they capture and present, as well as what cost-related compromises to service provision mean to the business.
What seems to be an innocuous choice can have major repercussions. The difference between 99.9% web site availability and 99.99% is 41 minutes per month or over 8 hours per year. Quantifying the maximum period of time that a website or services can be unavailable keeps many unacceptable risks at bay. This can be done by estimating the extent that public and customer perceptions would suffer without the applications run by the web service provider, over different periods of time.
Staff competence and turnover are vital aspects of the provider's risk profile. People define, build, maintain and improve the processes to achieve service delivery and provide many other value added functions. No matter how talented or qualified staff may be, experience is vital. If some have worked in, or run, data centres or server farms elsewhere, they will be better equipped to understand high-availability requirements and able to respond to outages in a timely and appropriate manner.
One of the biggest challenges in web hosting is finding the ability to fix the most obscure problems quickly and thoroughly. Automated fault detection tools are very important, but the breadth of experience of the supporting staff is vital. The provider must therefore employ an appropriate mix of experience, and staff should be devoted to detail, since even simple mistakes can have huge impact on the service delivery.
The onus is not just on the supplier. The customer should ensure a match between their expectations and those of the host, and have a formal and well documented management structure, process and metrics. If the provider is expected to deliver maximum availability of the entire environment, exactly what is required should be specified and evidence of experience should be obtained.
Since web related requirements change constantly, it would also be reasonable to ensure that the hosting company actively engages in continuous development at all levels, that it tests and pursues leading edge technologies and that its staff are sufficiently experienced to do so.
A service provider who is willing to select a high availability systems architecture for an organisation, based on a brief meeting, is unlikely to take into account all aspects of the client organisation's goals, objectives and strategies or even its technical requirements.
The supplier's components, entire architecture and infrastructure is a very important factor in the minimisation of risk factors. When assistance is required regarding requirements specification, servers, operating systems, application software environment, database, load balancing, bandwidth and storage, finding providers who understand and can assemble optimal combinations of these elements is the key.
Other risk management criteria include: deployment of known and trusted hardware and software, awareness of leading edge innovations, the presence of a number of reference architectures that have been thoroughly tested under a wide variety of operating conditions, the level of automation of repetitive tasks, formal change management for even seemingly minor changes and well tested contingency and continuity plans with published results.
If a provider does not measure its day to day operations in considerable detail it cannot demonstrate that it is delivering optimal service, or that it is successfully managing any risks that manifest. The key metrics should include overall and specific component performance, problem response time, reliability and recoverability
In a market that is still changing and is likely to undergo further metamorphoses over the next few years, the best advice for any organisation looking for a web hosting partner is to carefully evaluate risks, costs and benefits. After this evaluation, the only thing that remains to be done is to put into place adequate and seamless continuity and contingency plans.
Carole Edrich is principal of KAI Corporation (Risk), E-mail: cedrich@kaicorporation.com