Is your company considering moving to cloud-based services? Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) offer many benefits that can give your company flexibility, scalability, and added security. Choosing the right provider is one of the most critical and long-lasting decisions your company will make. To help you make that decision, Ziffity’s cloud services experts put together this list of 10 things to consider when choosing a cloud service provider.
Types of Cloud Services Provided
The first step is to determine which type of service you want for your company. The answer will depend on a combination of the sensitivity of your data, budget, in-house resources, and growth plans.
|Public Cloud||In a public cloud setup, all physical hardware is owned and operated by the cloud services provider (e.g., AWS) in their own facilities. The benefit of this model is its cost. The infrastructure is paid for and maintained by the provider, and you just pay as you go. The potential downside is security, as you’ll share computing space with other clients of the service provider. There is a small chance of data leakage.|
|Private Cloud||A private cloud provides services in a secluded environment, i.e., your hardware and network services are dedicated to your company. The advantage of a private cloud is that it offers the highest level of security, as all of your company’s data and services are segregated. It is, however, costly.|
|Hybrid Cloud Services||As the name suggests, hybrid cloud services combine a private cloud with one or more public cloud services, with a secure connection between the two. This is a good approach if, for instance, you wish to store data that isn’t highly sensitive in a public cloud and reserve sensitive applications for a private cloud.|
When selecting a cloud service provider, you’ll need to consider a variety of security risks to your data, customer and employee identities, applications, and devices.
The sensitivity of your data will drive your risk tolerance level. At a minimum, though, any provider you consider should offer encryption, firewalls, antivirus detection, and user authentication.
Depending on where you do business, regional laws may require you to meet specific security standards. If you’re subject to specific requirements, look for providers that can support the local laws of jurisdictions in which your data is stored, processed and managed.
Things to consider
- Encryption. Is data automatically encrypted at the physical layer before it leaves the cloud services facility? What other encryption layers are offered? Is data encrypted while in transit and at rest? Can you manage your own encryption keys if desired?
- Firewalls. How quickly and easily can you implement a firewall? For instance, AWS allows businesses to set up a firewall that scales automatically in just a few clicks. How easily can you define rules that apply to specific network traffic? Does the firewall include an intrusion prevention system to detect and prevent threats?
- Antivirus Detection. How are threats detected (e.g. behavioral-based scanning)? How often is it updated? Are there many false positives?
- User Authentication. Identity and access management are key considerations. You’ll want to control who can administer the system, grant granular permission levels, and require multi-factor authentication (e.g., password or access key along with a code from a specially configured device). Ensure that your provider can meet your company’s standards, as well as any standards that apply to your industry and jurisdiction.
Each cloud service provider offers unique service bundles and pricing models. For example, AWS offers multiple pricing options, including three tiers of free services, with over 85 products that can be bundled into an offering.
Although each provider is unique, pricing is typically based on usage (e.g., per user/per month), storage requirements, access to advanced features, and so on. If you’re using a Platform-as-a-Service or Infrastructure-as-a-Service model, pricing will be much more granular, with services offered as a “resource set.”
Be sure to detail your service requirements so that you will understand all the services you’ll need and the costs you may incur as you scale up. As the Cloud Industry Forum warns, “You may find that your ability to fine-tune scalability is affected by the way your cloud service provider packages its services, and you’ll want to find a provider that matches your requirements in this regard.”
Both GDPR and CCPA set stringent requirements concerning privacy and protection of personal data and impose fines on data controllers and agents who run afoul of those protections. Compliance is bigger than consent; GDPR lays out eight individual rights of the consumer, ranging from the right to be informed of how their data will be processed to the right to opt out of machine-based profiling. CCPA grants consumers specific rights over how businesses collect, use, and process their personal information.
Many industries also face additional regulations. For instance, if your company handles any kind of health records, you’ll need to ensure that the service provider complies with HIPAA.
It is imperative that compliance with these regulations is built into the cloud services. Be sure to ask each service provider about their security and privacy compliance.
Support Services Offered
Clearly, you can’t afford any downtime of your computing systems. Ask if the vendor offers 24/7 technical support. Other issues may also arise from time to time that don’t necessarily require immediate attention. Be sure to ask about the vendor’s ticketing and ticket-tracking system, response time for queries, and so on. How you will receive that support (phone, email, live chat, etc.) may be important to your team, so be sure that the provider’s support team can work with your team via your preferred channels.
If you opt to work with a managed services provider like Ziffity, we will provide many support services for you. For instance, our support and maintenance services include post-deployment support such as 24/7 monitoring of the application’s health, infrastructure, performance, and more. Our support team can work as an extended arm of your in-house development team. Tasks we handle include:
- Administration and support
- Configuration management
- 360-degree monitoring
- Incident & Service Request management
- Integration of custom and SaaS applications
Service Level Agreement (Backup, BCDR, Uptime)
The service level agreement (SLA) is likely to be one of your company’s most important selection criteria. Performance stability is of paramount importance. The SLA will help you understand what to expect in terms of quality, availability, and responsibilities that are split or shared between you and the provider.
SLAs cover issues such as:
- Specific services offered (e.g. how data is stored, protected, encrypted)
- General service commitment (e.g. which services are available in which region)
- Availability guarantees
- Escalation procedures and timeframes
- Service credits due to service interruptions
- Definitions of issues, roles and responsibilities
How the infrastructure is designed will have a direct impact on the quality of service you’ll receive. Important considerations include:
- Data Center Setup – The cloud service provider should have data centers in multiple locations. Ideally, your company will use the data center that’s physically closest to you to minimize latency. In the event of an emergency, however, you should be able to use another data center so that your company can continue to do business.
- High Performance Computing (HPC) – HPC is the ability to process data and perform complex calculations at high speeds. Features such as elasticity, or the cloud service provider’s ability to scale up your infrastructure, will ensure high performance of your services.
- Multi-Layer Security – Security should be multi-layered, incorporating:
  - Physical or perimeter layer, such as controls that allow/prevent employees and contractors from entering the physical location of the providers’ facilities.
  - Infrastructure layer, which encompasses the data center equipment and systems that keep it running smoothly (e.g. backup power sources).
  - Data layer, to restrict access to data, and maintain a separation of privilege for each layer.
  - Environmental layer, to ensure a data center isn’t built in an area prone to environmental catastrophe.
Certifications & Standards
Ask the cloud service provider which recognized standards and frameworks they comply with in order to determine the degree to which they adhere to best practices. Look for suppliers accredited with certifications like ISO/IEC 27001, which details requirements for an information security management system (ISMS) and requires an annual audit for accreditation.
There are multiple standards and certifications within the industry. The important thing is to ensure your cloud service provider adheres to a standard that encompasses structured processes, effective data management, good knowledge management, and service status visibility.
Data Governance and Information Security
If you operate in any country where data privacy and security regulations are in effect, you’ll need to ask about the cloud service provider’s data governance and security policies. Your legal department and procurement vice president may ask for proof of compliance, as many regulations hold the data controller or agent liable if any vendor in the supply chain runs afoul of the regulations while collecting, processing, or storing data on your behalf.
Select providers that allow you to choose the jurisdiction in which your data will be stored, processed, and managed, along with the ability to encrypt data that’s in transit. Some jurisdictions in which you operate may have data loss and breach notification requirements, so be sure that your cloud service provider can handle them.
Information security is critical, which means you’ll want to ask about the provider’s data and security practices, controls, the maturity of security operations, and so on. Select providers that have achieved well-known certifications, such as the ISO 27000 series.
Migration Support, Vendor Lock-in & Exit Planning
Migration to a cloud-based service is rarely a simple “lift-and-shift” process. Ask all cloud service providers about their migration methodology and support and your responsibility in the process to ensure an effective migration. If you lack the resources or expertise to plan the migration, you can engage a managed services provider, like Ziffity, to assess and design your cloud-based infrastructure.
Vendor lock-in is a concern if you wish to switch providers in the future. Vendor lock-in becomes a tricky issue if your cloud service provider relies on a lot of proprietary technologies that don’t translate over to another provider. Contracts may also keep you locked with a provider, so you’ll need to have an exit plan in place ahead of time.
You don’t need to do it alone. Ziffity can help you build a list of criteria that’s specific to your company and help you evaluate a provider that’s right for you.