6 Tips: Building Bulletproof Exchange E-Mail in the Cloud
In the hotel business, IT people are used to having to create standardized technology services to share with parts of the company that they don't necessarily own.
Sonesta International Hotel Co., for example, is made up of 34 hotels, resorts, casinos and cruise ships worldwide -- some of which the company owns directly, while others are managed or franchisee properties.
Each has its own infrastructure for guest services -- cable television, Internet access and the like -- separated for security reasons from room-reservation and facilities-management systems, says Carol Beggs, vice president of technology for the Boston-based company.
Tying them all together -- aside from data downloads from financial and room-reservation systems -- is e-mail. It's asynchronous and detached, but if it's reliable, it provides a high enough level of communication to coordinate even a global business, Beggs says.
One hitch for Sonesta's IT is that crunch times often conflict.
"Periods during the day where check in/check out is busy are different depending on where you are, and the seasons between facilities in the Northern Hemisphere and Southern Hemisphere are opposite," Beggs says. "So even when you can do a system update at the same time in two locations, we tend to work around when a particular hotel is busy."
And in the hotel business, e-mail can't go down. So with a lean IT staff, the key was to build bulletproof e-mail without the amount of work it usually takes to build a Microsoft Exchange network that's 100 percent reliable.
How did they do it? Beggs shared her 6 tips for building bulletproof Exchange e-mail in the cloud:
1. Define the business risk and what you're able to do to minimize it.
Without the budget or willingness to build expensive high availability/business continuity systems, Sonesta's only real choice was to have someone else handle the insurance systems.
"We realized how mission critical e-mail is and, while I had confidence in our backup routines, I still wanted an additional layer of protection," Beggs says. "If we ever had a catastrophe or had a server go down, I wanted to have some extra backup available so we wouldn't have the additional risk."
2. Define how "external" the service provider can be.
"E-mail is mission critical enough that I don't entirely trust outsourcing to someone else. I don't want to hire someone and only find out when we have an issue it's not as secure as we thought it was," Beggs says. "I still wanted to host it onsite, so we were down to having an appliance or having someone host it for us at one of our sites."
3. Define roles between you and your service provider.
Many companies run into problems because they think a SaaS or cloud contract means the service provider is responsible for doing everything from installation to security, according to Sean Hackett, research director for The 451 Group.
The truth is that customers have to be responsible for securing their own data and often other parts of the process itself, he says. Successful SaaS or cloud outsourcing arrangements require defining who is responsible for what.
Sonesta hired Mimecast, an e-mail service that acts as a central hub for Sonesta's e-mail. Local Exchange hosts serve users inside the building and send messages through Mimecast rather than directly to the addressee. Mimecast data centers handle backup, security, spam filtering, and PCI and HIPAA compliance automation.
4. Private or public?
For Sonesta, the practical choice was private. Sonesta is restricted by HIPAA regulations and PCI security requirements, neither of which it felt it could satisfy running e-mail on a cloud service that allows virtual machines from several customers to run on the same physical server.
Aside from the fact that someone else owns the data center, it's as close as possible to being Sonesta's own setup.
"We wanted a service that could make sure, if something went down, they could still get e-mail if they could get to the Internet, but we wouldn't have to maintain it in-house," Beggs says.
Even without budget restrictions, outsourcing at that level makes more sense than DIY, she says. "Redundancy is one thing; operational redundancy is another."
5. Roll it out in the easy places first.
Distracting staff at a hotel from guest services to work on IT is a no-no, so Sonesta is rolling the Mimecast service out slowly at its U.S. locations, before moving to overseas properties.
Ownership questions, bandwidth limitations and local regulations are always issues, but so are licensing limitations from software vendors that don't allow their software to run in virtualized environments or in the cloud, which also make extending the rollout more complex.
6. Know where you are on your own timeline.
"We're still in the beginning stages of cloud adoption, which is not to say we won't move more of our mission-critical applications to the cloud," Beggs says. "We're starting with the ones that can accept downtime if the communications infrastructure becomes an issue -- e-mail, back-office, purchasing, that sort of thing. We're centralizing some things this year, but we have to see, with some applications, things like how well they communicate across the Internet and make sure what some of the other migration issues are."