Many companies run into problems because they think a SaaS or cloud contract means the service provider is responsible for doing everything from installation to security, according to Sean Hackett, research director for The 451 Group.
The truth is that customers have to be responsible for securing their own data and often other parts of the process itself, he says. Successful SaaS or cloud outsourcing arrangements require defining who is responsible for what.
Sonesta hired Mimecast, an e-mail service that acts as a central hub for Sonesta's e-mail. Local Exchange hosts serve users inside the building, which sends messages through Mimecast, rather than directly to the addressee. Mimecast data centers handle backup, security, spam-filtering, PCI and HIPAA compliance automation.
4. Private or public?
For Sonesta, the practical choice was private. Sonesta is restricted by HIPAA regulations and PCI security requirements, neither of which it felt it could satisfy running e-mail on a cloud service that allows virtual machines from several customers to run on the same physical server.
Except that someone else owns the data center, it's as close as possible to being Sonesta's own setup.
"We wanted a service that could make sure, if something went down, they could still get e-mail if they could get to the Internet, but we wouldn't have to maintain it in-house," Beggs says.
Even without budget restrictions, outsourcing at that level makes more sense than DIY, she says. "Redundancy is one thing; operational redundancy is another."
5. Roll it out in the easy places first.
Distracting staff at a hotel from guest services to work on IT is a no-no, so Sonesta is rolling the Mimecast service out slowly at its U.S. locations, before moving to overseas properties.
Ownership issues, bandwidth limitations and local regulations are always issues, but so are licensing limitations from software vendors who don't allow their software to run in virtualized environments or in the cloud, which also makes extending the rollout more complex.
6. Know where you are on your own timeline.
"We're still in the beginning stages of cloud adoption, which is not to say we won't move more of our mission-critical applications to the cloud," Beggs says. "We're starting with the ones that can accept downtime if the communications infrastructure becomes an issue — e-mail, back-office, purchasing, that sort of thing. We're centralizing some things this year, but we have to see, with some applications, things like how well they communicate across the Internet and make sure what some of the other migration issues are."
Sign up for CIO Asia eNewsletters.