Five questions to ask any hosting provider
Is there a Service Level Agreement and is there a proven history of strong performance related to that agreement?
Service Level Agreements (SLAs) are the best way to align your expectations with the vendor's performance guarantee. Putting in the effort to get your SLA right is one of the first and most important steps. There are several things you should consider in your SLA:
- Guaranteed availability – is there 99% or greater guaranteed uptime? How do they guarantee this uptime?
- Is there N+1 level redundancy (a form of resilience that keeps the system available when a single component fails)?
- Do they have dedicated network technicians onsite 24/7 to monitor and maintain the data center?
- Is their physical data center climate controlled?
- What about backup power supplies, not only for the server environment but also for the building?
- What kind of automatic fail-over and redundancy is built into the server platform and at each major point of failure? Does it cost extra?
- Do they rely on a single upstream provider or a single fiber line? What happens if the provider has an issue, or if the fiber gets cut?
- Do they have multiple sites and an ability to fail-over to another data center? How long would that take? Hours, days?
- Is the data closet protected by gas-based fire suppression systems, or will all their servers be soaked if a fire breaks out anywhere in their building?
- When is the system maintenance window, and does that downtime count toward the 1% allowed downtime?
- Guaranteed performance – is there a guaranteed transaction time, storage, and scaling of the servers as needed?
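To make the maintenance-window question above concrete, here is an added worked example (not from the original article) that computes the downtime an SLA actually permits. It assumes a 365-day year and a constructed weekly 4-hour maintenance window, and compares a provider that counts that window against the SLA with one that excludes it.

```python
from typing import NamedTuple

HOURS_PER_YEAR = 365 * 24  # assumption: a 365-day year, 8760 hours


class SlaBudget(NamedTuple):
    allowance_hours: float        # unplanned downtime the SLA permits per year
    maintenance_hours: float      # planned downtime from maintenance windows per year
    worst_case_availability: float  # lowest availability (%) still "within SLA"
    unmeetable: bool              # True if maintenance alone already breaches the SLA


def downtime_allowance_hours(sla_percent: float, period_hours: float = HOURS_PER_YEAR) -> float:
    """Hours of downtime permitted by an uptime guarantee over the period."""
    return period_hours * (1.0 - sla_percent / 100.0)


def evaluate_sla(sla_percent: float, window_hours: float, windows_per_year: int,
                 maintenance_counts: bool, period_hours: float = HOURS_PER_YEAR) -> SlaBudget:
    """Work out what the guarantee really means once the maintenance window is factored in.

    maintenance_counts=True  -> planned downtime is charged against the uptime figure.
    maintenance_counts=False -> planned downtime is excluded, so it sits on top of the allowance.
    """
    allowance = downtime_allowance_hours(sla_percent, period_hours)
    maintenance = window_hours * windows_per_year
    if maintenance_counts:
        # Planned and unplanned downtime share the same budget; if maintenance alone
        # exceeds it, the provider cannot honour the number they quoted.
        worst_down = allowance
        unmeetable = maintenance > allowance
    else:
        # The SLA clock stops during maintenance, so the customer can see both.
        worst_down = allowance + maintenance
        unmeetable = False
    availability = 100.0 * (1.0 - worst_down / period_hours)
    return SlaBudget(allowance, maintenance, availability, unmeetable)


if __name__ == "__main__":
    # Constructed scenario: "99% uptime" with a 4-hour window every week.
    for counts in (True, False):
        result = evaluate_sla(99.0, window_hours=4, windows_per_year=52, maintenance_counts=counts)
        print(f"maintenance counted={counts}: {result}")
```

With the window excluded, a "99%" guarantee leaves the customer exposed to roughly 96.6% real availability; with it counted, 208 hours of planned maintenance exceeds the 87.6-hour budget, so the quoted figure cannot be met at all.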
Do you meet critical security and compliance requirements?
Security and compliance are key priorities in evaluating any hosting solution, especially for Public Housing Authorities (PHAs). Your PHA remains accountable to regulators, business partners, customers and employees. Thus, you shouldn't consider using a hosted solution unless the provider has adopted a comprehensive and technically sound defense-in-depth security program that is certified and proven to meet all HUD, Federal Government, and industry standards for computing over the internet. Some useful questions to ask include:
- What are the procedures for protecting your data, both from a physical systems perspective, as well as a procedural perspective?
- How is the application and the database itself protected, and how is that protection maintained?
- Has the hosting solution been certified based on a SOC 2/SOC 3 assessment and a QSA-led PCI assessment?
- What about meeting specific security and compliance standards as defined by HUD, by the National Institute of Standards and Technology (NIST), by accounting standards as defined in SAS 70, and by the Health Insurance Portability and Accountability Act (HIPAA)?
- Is there a 24×7 NOC (Network Operations Center) for monitoring and security?
- Is penetration or breach testing performed regularly?
- Is there a dedicated hardware firewall for individual clients?
Can you demonstrate similar deployments of my size?
Most inexpensive hosting solutions look good on paper, but in real-world conditions, they may reveal alarming weaknesses. PHAs are rightfully risk averse, so when trying to determine risk, it's comforting to know you're not the first to implement a particular solution.
Ask the vendor for many strong references of your size, with the same number of concurrent users or larger. PHAs are being forced to do much more with fewer resources, so understanding how other PHAs leverage hosting can help you determine the cost benefit and ROI. If the hosting provider is new to hosting an agency of your size, that should be reason for concern.
Do you have a comprehensive Disaster Recovery Plan, and is it included?
When it comes to disaster recovery, many hosting providers will simply provide an offsite backup of your database and say, 'Yes, we have a disaster recovery plan.' It's painful to realize too late when that is not enough.
In the case of a real catastrophic failure, your disaster recovery plan should be real time (hot redundancy) or near real time (warm redundancy). In contrast, your recovery time objective (RTO) will vary, depending on the needs of your business and the likelihood of an actual disaster.
When you make a decision about hosting, it is important to consider the resilience of both the hosting provider's core infrastructure and its disaster recovery capabilities. The provider should expect the loss of any particular component or system and plan for it. As long as both areas are covered, that loss should have no impact on you.
Do you deliver robust service integration and operational transparency, including reporting capabilities?
There is nothing you can do in your local on-premises environment that you can't do in a hosted environment (at least there shouldn't be). So beware of the less experienced hosting vendor, because they may not be able to deliver the more advanced services that you should expect. Look out for added costs if the vendor does not provide these value-added services as part of their core offering:
- Database backups performed hourly/daily/weekly
- Database administration services
- Application Software updates applied for you
- Capacity and license planning, with usage management
- System performance monitoring and management
- Change management
- Problem management
- Service level data integration for ad-hoc reporting capabilities