One way to guard against cloud outages is for the service provider to offer servers in more than one location. If a disaster such as fire, flood or tornado takes out one, the other can compensate. (Shutterstock photo)

The cloud has sprung forth as a viable option for small-to-medium-sized municipalities looking for less costly methods of storing important data or even specific operations. With the cloud, they no longer have to worry about purchasing servers, finding storage space for them or the constant maintenance required to keep them in operation. Additionally, cloud-based technology proves beneficial should Murphy come a-knockin’ in the form of a fire or natural disaster like a hurricane, earthquake, tornado or flood.

Since important data is in the cloud, as it were, when those mischances occur municipalities have the ability to respond quickly from any location and get operations back online much quicker. Other benefits include rapid deployment of critical resources and dynamic provisioning of new and additional resources.

However, the cloud is not without its own Achilles heel: Outages can and will occur periodically, just like with any IT service. So far this year cloud services Dropbox, several Google services, Basecamp, Samsung Smart TV, Adobe cloud-based software, Evernote, iCloud and Microsoft’s Lync and Exchange services have all experienced outages that varied in length from a few hours to about two days. The causes vary, just like the length of time for the outages, and include scripting glitches, software bugs, hackers, a fire at the location where cloud servers are stored and distributed denial-of-service attacks. Of course, if a municipality or the cloud provider loses Internet, that also results in an inability to connect with the cloud.

So how does a municipality prepare for a cloud outage? According to Mike Cannon, chief information officer with the International City-County Management Association and former CIO for the city of Rockville, Md., it’s all about knowing what is in the statement of agreement, or SOA, between a municipality and its cloud provider, and formulating a solid continuity of operations plan.

“Have a good SOA,” Cannon said. He stressed the importance of researching a cloud provider and knowing what is in the SOA. “What is the promised uptime? If there is a problem, it needs fixed in the agreed with amount of time.”

Location of the company’s servers are also important, according to Cannon. If a company has servers on both the East Coast and West Coast, a power outage on the East Coast won’t affect servers on the West Coast, preventing a complete cloud outage. The same applies for other worst-case scenarios such as natural disasters. Cannon said, “Jurisdictions need to check to make sure a supplier has taken steps to reduce risk.”

Making sure a supplier is financially stable is also critical, he added.

Even if a supplier is financially stable in the present, municipalities need to make sure there is a clause in their SOA should the company cease to be so. Cannon noted often times escrow clauses exist that would provide a client access to the source code should a supplier become insolvent. Additionally, jurisdictions should make sure other situations are addressed in the SOA, such as if the provider would merge with another company, undergo restructuring or experience some other corporate change. Specific provisions that ensure continuity of operation should be in place in case such changes occur, in addition to other components such as continued security, confidentially or other perimeters that municipalities and their departments require.

“Look at security. Make sure they are following best practices,” Cannon said.

Security is particularly important if a municipality is utilizing cloud-based technology to hold sensitive information such as tax transactions or Criminal Justice Information Services data. Jurisdictions should ask to see independent assessments of cybersecurity by a certified party, in addition to checking a provider’s own certifications. They should verify the cloud provider continues to maintain cybersecurity liability insurance and make sure this is written in the contract. According to the International Association of Chiefs of Police’s “Guiding Principles on Cloud Computing in Law Enforcement” guide, such insurance policies can be set in an amount appropriate to the level of risk — particularly if the cloud provider is managing or supporting a law enforcement agency.

Smaller cities with no technology department staff, or medium and large cities with limited staff, utilize the cloud for accounting, email, help desk applications and more. The Municipal Association of South Carolina recommends first investigating the financial stability and risk tolerance, security and liability history of the provider thoroughly before making a decision, however. (Shutterstock photo)

A supplier needs to be thoroughly vetted, just like municipalities need to look inward to create a coop plan and determine what SOA they require. This process includes asking “what downtime can we afford,” according to Cannon, who added, “If the cloud goes down, could it jeopardize lives?”

Lives can be put in jeopardy if public safety operations or applications utilize cloud-based technology. According to a January 2013 survey by the IACP, 38 percent of survey respondents — chief executives/ sheriffs, contractors, sworn officers, IT managers, IT directors and command staff — are considering or planning to use cloud computing in the next two years. Of the respondents, 16 percent stated cloud computing is already used by their jurisdiction. Uses varied from cloud email and cloud storage to CJIS access and records management systems or crime reporting apps that allow for analysis or mapping.

Some of these uses, particularly services like computer-aided dispatch, require very limited downtown time, and a municipality needs to keep that in mind during the process of choosing a cloud service provider for those uses.

Besides establishing what their maximum allowable downtimes are, Cannon stated municipalities need to anticipate several different types of situations, particularly if they are positioned in an area prone to weather events like hurricanes and tornados or other disaster scenarios like earthquakes or wildfires.

“I would say to a jurisdiction, start with a pilot program, not with a mission critical application,” Cannon said. Some cities might also choose to maintain backup servers in case of cloud outages. Another tip for just starting out? “Don’t lock into a long-term agreement,” Cannon said. “Do a one-year or two-year (agreement) at most.” If the cloud is working for a jurisdiction, the plan can always be upgraded in the future.