© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
M. J. Haber et al., Cloud Attack Vectors, https://doi.org/10.1007/978-1-4842-8236-6_13

13. Selecting a Cloud Service Provider

Morey J. Haber (1), Brian Chappell (2) and Christopher Hills (3)
(1) Lake Mary, FL, USA
(2) Basingstoke, Hampshire, UK
(3) Gilbert, AZ, USA

Digital transformation is more than just moving things to the cloud and externalizing assets and resources for more flexible consumption. Choosing your cloud service provider as a partner is almost like a marriage. The intent is to be in the relationship for the long haul, and they never should be selected as a one-byte (night) stand. The selection itself is crucial to your success. Considering that we have covered only a few major players in the space and the attack vectors that plague all of them, the truth is that myriad differences, such as geolocations, financials, services, support, and legal terms, to name a few, exist between providers, and these apply to both small and larger providers.

Before you can successfully select a cloud service provider, you need to understand your business requirements. While this may be obvious to most people, discussing it with your team and documenting your needs, service-level agreements, and minimum expectations before searching for a provider are crucial to your success.

Accepting the CSP boilerplate of features and services typically leads to gaps in your success criteria, and this could be devastating to your business if the risks, roles, and responsibilities are not well understood upfront. Therefore, when assessing potential cloud service providers, create a gradable checklist that compares your requirements to their services and that compares one provider against another. A sample of a cloud service provider questionnaire is available in Appendix B.

With this in mind, consider the following traits to help you select a cloud service provider:
  • Certifications and Standards: CSPs that comply with industry standards for quality and security demonstrate an adherence to the latest established best practices. At a minimum, your selection should have certifications similar to your own organization's and should adhere to equivalent standards – or else the provider could become a liability.

  • Technology and Strategic Road Map: The technology stack underpinning your cloud service provider selection should be aligned with your strategic direction. For example, if they have chosen an RDS (relational database service) as the primary data store and your applications use another, verify they can provide the support and services you need. This is also true for operating systems used in virtual machines, as well as any orchestration and automation that you will be developing against. A strategic road map discussion will help you determine what they can provide today and what is planned for the future.

  • Data Security, Data Privacy, Data Protection, and Data Governance: Data management is often considered one of the biggest risks in the cloud. And while security, privacy, protection, and governance are all different, they all apply to the well-being of data. As a part of the vetting process, it is important to determine how the cloud service provider manages data and what security controls they use as a model to ensure data integrity. This includes unauthorized-access detection, encryption, data loss prevention, malware mitigation (including ransomware), and so on. Similar to certifications, the cloud service provider should have controls that are equal to or more stringent than your internal controls.

  • Operational Dependencies: When licensing a service, we often overlook the people and technologies that provide that service in the first place. This includes vendors, subcontractors, and other licensed solutions that are incorporated into their offering. If your business has strict requirements around employee citizenship, outsourcing of sensitive information, and export restrictions, please consider any service and operational dependencies as a part of your selection criteria.

  • Technology and Business Partnerships: Cloud service providers are like CISOs – they tend to operate in herds. Cloud service providers tend to build technology and business relationships that differentiate themselves from other providers. In other words, one provider aligns with one vendor, and their competitor aligns with another. In rare cases, a third-party vendor aligns and services everyone. When selecting your cloud service provider, consider who they partner with for foundational technology in all major disciplines, like IAM, IGA, PAM, VM, PM, and SIEM, or if these stacks are native only to their offerings.

  • Contractual Terms and Pricing: Most cloud service providers prefer to use their own paper (their boilerplate contract) for onboarding and servicing a new vendor. There is nothing wrong with this, but you must engage your legal team to review all the terms of the contract and ensure it meets your business requirements. If it does not, don’t be afraid to mark it up with corrections and send it back. Simple changes will typically be accepted. On the other hand, without asking, you may be bound to services and reporting (especially around security) that are not acceptable to your business and your clients.

  • Service-Level Agreements (SLA): Cloud service providers will state a wide variety of SLAs in their marketing material and in their contracts. The truth is that they actually mean nothing unless there are credits or penalties associated with any violations. Otherwise, the SLA becomes just a metric or a goal with no accountability. Therefore, when reviewing any stated SLA, make sure there is some form of enforcement based on noncompliance and, most importantly, that the stated values are the minimum you are willing to provide your customers. For example, if the cloud service provider claims 99.9% availability, you cannot state to your own customers any higher. Unfortunately, this is a shell game that is rampant in the industry when you depend upon the cloud for your services.

  • Reliability and Performance: All cloud service providers are different. Some have better infrastructure for auto-scaling, bursting, and adapting to performance requirements. Others are focused on providing services for virtual machines, hybrid environments, and workload migrations from on-premises. Only a few do both well and can provide reliability and performance across diverse geolocations. For example, can my services in the cloud perform the same in Europe and Asia as in North America? Understanding the fundamentals of your mission and how and where you plan to conduct business will help you build a model for the reliability and performance you will need.

  • Backup, Recovery, High Availability, and Disaster Recovery: To achieve any realistic SLA for operations, the CSP must provide a robust platform to mitigate an outage from virtually any type of fault. It is in your best interest to ask questions around these services, as well as about the average time to recover based on a wide range of events, from accidental deletion all the way through a security breach. Do not assume just because you are in the cloud that these security disciplines don’t matter anymore. The truth is they matter even more because the resources in the cloud are not yours. You are just licensing someone else’s computers. Pulling a hard drive for data recovery is just not possible in the cloud.

  • Technology Stickiness (Vendor Lock-In): One of the undocumented goals of every cloud service provider is to make their services and platform sticky. That is, to provide a technology stack and implementation that locks a buyer into their offerings, making it difficult, and potentially cost prohibitive, to change to another provider. While this may sound like a deceptive business practice, many times it is marketed as a capability or feature only available within their cloud services. For example, if you choose Azure as your cloud service provider and develop an application using Microsoft Fabric Technology, you will not be able to easily migrate the application to another provider. This is true for any component, from a specialized RDS to an orchestration solution. When selecting a cloud service provider, consider how sticky your solution will become on that platform and what the effort and cost might be to migrate to, or even host on, another cloud platform. Many organizations choose to build their solutions to be cloud-agnostic simply for this reason.

  • Business Viability: What happens if your cloud service provider goes out of business? Unfortunately, this has happened in the past, and for many tier 2 and tier 3 providers with specialized services, this threat is real due to rising costs, competition, and even supply-chain challenges. If you choose a tier 2 or tier 3 provider based on specialty services, geolocation, etc., request an independent audit, and/or proof of viability, to ensure they will be able to continue providing you services. And consider a contingency plan just in case they do default. While this is never a pleasant conversation, selecting the right vendor does include reviewing the business viability, just as much as their technical capabilities.

  • Company and Cultural Match (Sales, Operations, and Technical Support): There is truth in the idea that people who enjoy their jobs enjoy the people they are working with. Executive relationships and a culture match among rank-and-file employees are important to ensuring that all aspects of the business relationship operate as one team with a common goal. As a part of any cloud service provider selection, consider a trial period where various team members get to meet and work with their counterparts. Personality conflicts will always happen, but verifying that teams can communicate and work together from the start will go a long way toward the success of your cloud projects.

Selecting a cloud service provider is much more than pricing, region, and support. While the technical questions in Appendix B may help determine compatibility with your security model, the business and operational terms are equally important. An RFP (Request for Proposal) or an RFI (Request for Information) may be helpful to vet the right provider, even if they are not in the top 5. If there is any doubt in the selection, leading analyst firms have a wealth of information and empirical feedback to help resolve any ambiguity in cloud service provider selection. Finally, remember that many of the XaaS solutions that you license are probably operating on someone else's cloud. Therefore, any criteria from the hosting CSP will probably be reflected through to the vendor themselves, and it is nearly impossible for them to offer anything different. A good example is availability. An XaaS vendor can rarely offer a better SLA for availability than the hosting vendor themselves.
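The arithmetic behind the SLA point made above (under Service-Level Agreements and again in the closing paragraph), as an added example that is not from the book: a service that depends on a hosting CSP at 99.9% cannot honestly promise more, every serial dependency lowers the figure further, and only redundancy within a tier raises it. All availability figures are constructed for illustration, not any provider's published SLA, and the downtime budget assumes a 30-day month.

```python
from dataclasses import dataclass
from typing import Dict, List

MINUTES_PER_MONTH = 30 * 24 * 60  # assumed 30-day month for the downtime budget

@dataclass(frozen=True)
class Dependency:
    name: str
    availability: float  # fraction, e.g. 0.999 for a "99.9%" SLA

def series_availability(deps: List[Dependency]) -> float:
    """Serial chain: the service is up only if every dependency is up,
    so A = a1 * a2 * ... * an, which can never exceed the weakest link."""
    result = 1.0
    for d in deps:
        if not 0.0 <= d.availability <= 1.0:
            raise ValueError(f"{d.name}: availability must be a fraction in [0, 1]")
        result *= d.availability
    return result

def parallel_availability(deps: List[Dependency]) -> float:
    """Redundant replicas: the tier is down only if all replicas are down,
    so A = 1 - (1-a1)(1-a2)...(1-an). Replicas on the same CSP still share
    that CSP's outages, so keep the CSP itself as a series term."""
    all_down = 1.0
    for d in deps:
        all_down *= 1.0 - d.availability
    return 1.0 - all_down

def downtime_minutes(availability: float) -> float:
    """Monthly downtime the SLA figure actually permits."""
    return (1.0 - availability) * MINUTES_PER_MONTH

def max_promisable(hosting_csp: float, own_platform: float) -> float:
    """The most an XaaS vendor can honestly put in its own SLA: the hosting
    CSP's figure discounted by the vendor's own platform availability."""
    return hosting_csp * own_platform

def example_stack() -> Dict[str, float]:
    # Constructed figures for illustration, not any provider's published SLA.
    replicas = [Dependency("app replica A", 0.99), Dependency("app replica B", 0.99)]
    chain = [Dependency("hosting CSP compute", 0.999),
             Dependency("hosting CSP managed database", 0.9995),
             Dependency("app tier (2 replicas)", parallel_availability(replicas))]
    total = series_availability(chain)
    return {"total": total, "minutes_down_per_month": downtime_minutes(total)}
```

Even with a redundant application tier at 99.99%, the stack lands below the CSP's own 99.9% because the CSP's compute and database figures multiply in series; that product is the ceiling for anything you put in your customer-facing SLA.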
