Moving to the cloud is a big step. You’re entrusting your data and key IT operations to a third party company. Choosing that cloud service provider (CSP) should be a carefully considered decision. How can you navigate it, and ensure that the relationship will be long and productive? The questions that you should ask break down into several key areas.
The health of the CSP
One consideration that people forget when choosing a CSP is the health of the business. Financial stability is just as important as its technological capabilities.
Listed companies have the advantage of publicly available financial statements that can help potential customers to assess their CSP’s financial position. Even if this is not the case, though, knowledge of a company’s past is a useful tool when assessing its future. When evaluating a service provider, ask yourself how long it has been in business.
Another data point to watch is how quickly the CSP has grown recently. Is it a well-established business with a steady growth record, or is it starting out, accelerating quickly, and likely to face growing pains? This is an important consideration for customers who want to ensure that a service provider can scale to meet its needs. After all, scalability is a key characteristic in any cloud service.
Past customer service
Understanding how it serves its customers is another important element to consider when looking into a company’s past. A company should be willing to provide a report of its downtime history and security incidents so that you can evaluate its past reliability.
Other customers are also reliable sources of information about a CSP’s performance. Is the company willing to provide references from other customers? They will give you an account of their experiences with that company.
Questions to ask could include whether a customer has ever had to escalate service level agreements when dealing with the CSP, and if so, how that escalation was handled. More generally, has the CSP provided good customer support in the past, answering questions and resolving issues quickly when needed?
Assuming that a CSP satisfies all of these questions, it still faces queries about how its relationship with you will begin, and how that relationship may expand. At the very least, its service portfolio must be a fit for your needs, but beyond that, the pricing structure is an important consideration. Are there up-front costs? Are resources truly priced on an as-you-go basis? Are there any price bumps when scaling your service?
These pricing questions also apply to additional services. How much does it cost to add new services to your existing arrangement with the CSP?
If the price (and pricing structure) is right, then setup is next. What does your staff need to do as part of the migration to the cloud? Is your workload simple enough – and your workforce skilled enough – that a simple introductory setup guide is appropriate? Or are there more sophisticated data preparation and configuration tasks ahead, and if so, how can your CSP assist you?
Operations and security
Once the service has been set up, and pricing understood, you need assurances that services will run smoothly, and an understanding of what will happen if they don’t. One important question to ask here is how changes in the CSP’s infrastructure will affect your services. If it upgrades its software, for example, will you be forced to accept the upgrade or can you opt out of it to choose an upgrade on your own schedule?
Ongoing operations is also where security comes into play. Before entering into any agreement with a CSP, you should demand evidence of a security audit. Can a third party conduct such an audit, or can the CSP provide results of security audits from the last year? Have there been any breaches in the past?
Certification is key here. There are various levels of security certification that a CSP can attain. The past incumbent, SAS 70, focused more on methods of reporting around internal data center controls. In 2011, that was superseded by SSAE 16, which required a written statement from a data center’s owners about the effectiveness of their controls.
SSAE 16 has two levels, but one of the most stringent controls goes beyond this. Service Organization Control (SOC) again has two levels of importance. SOC 2 requires management to report on data center practices in several key areas: security, availability, processing integrity, confidentiality, and privacy.
The Payment Card Industry Security Standards Council also provides PCI-DSS, a standard detailing requirements for processing credit card payments. This is one of the most technically prescriptive standards, with a strong operational focus, and is currently in its third version. All of these certifications are useful benchmarks.
If it all goes wrong
Hopefully, asking these questions will get you a long way towards choosing the right CSP. However, things can still go wrong, and it is important to understand how you will be able to mitigate the damage and extract yourself from a situation in that event. In particular, if your CSP suffers a data breach and loses your data, will it bear some of the cost? Does it have a cyber-risk insurance policy in place?
At some point, you may decide to terminate the agreement. If that happens, what are the conditions for doing so? Are there penalties? And how will you retrieve your data if you back out of the relationship? Is there a cost for that?
All of these questions should feature on your checklist when beginning negotiations with a CSP, but there are many more. One go-to document is the Cloud Security Alliance’s Cloud Controls Metrics (CCM) guide. This will give you the ability to conduct a deep dive into a CSP’s security capability.
Just as when starting any business relationship, it is impossible to be 100% safe when choosing a CSP. Nevertheless, you can at least increase your level of certainty and protection with some due diligence. With such an important resource at stake, it’s worth the effort.
Find out more about cloud computing from Orange Business and read case studies, ebooks, factsheets and more on the Private Cloud Solutions page.