By now, you should be familiar with the cloud, but one question I get time and time again is how to choose a cloud vendor. With so many options, I agree it can be confusing. Here is some basic information to help you determine your needs, as well as a set of questions you can use to assess potential cloud vendors.
Types of vendors and services offered
First, decide how you are going to use the cloud. Depending on your organization's needs, you have to decide what service or services will help you reduce costs and increase efficiency and accessibility.
The cloud comes in three flavors: infrastructure as a service (IaaS), platform as a service (PaaS), and the one you probably hear about most often, software as a service (SaaS). Let's take a quick look at what you need to know about each type of cloud offering.
IaaS is the hardware and software that powers it all, including servers, storage, networks and operating systems.
- As with all cloud service providers, IaaS providers deliver virtual services mostly through a public connection, usually the internet. For more secure but complex connections, some cloud vendors may offer leased lines and virtual circuit services.
- IaaS vendors offer virtual machines, servers, other types of hardware, storage, and software, if needed.
- IaaS can also host user applications and handle all maintenance functions, including backup and disaster recovery.
- IaaS offers a major benefit in its ability to scale resources up or down in response to customer demand. Seasonal or cyclical needs can be met as they arise, reducing excess resource capacity when it's not needed.
- IaaS allows for administrative duties to be automated, reducing costs and downtime and increasing efficiency.
- Some examples of IaaS vendors are Amazon Web Services EC2, Google Compute Engine, Rackspace and Windows Azure.
PaaS is the set of tools and services designed to make coding and deploying applications quick and efficient.
- PaaS is similar to IaaS in that it involves the renting of virtual servers and various services to run applications in the cloud.
- The platform is used to host, develop, run, and manage web applications. This includes virtual servers, networks, storage, and other services needed to host the user's application.
- PaaS is differentiated from IaaS in that it is mainly used for software development, and it saves the user from having to purchase various types of infrastructure and software to create a development environment. It also provides scalability.
- PaaS provides the customer with tools to build analytics applications that management can use to analyze data and to monitor business performance.
- Some examples of PaaS vendors are Amazon Web Services Elastic Beanstalk, Force.com (customer relationship management platform), Google App Engine, and Windows Azure.
SaaS includes commercial applications designed for end-users and delivered over the web.
- Because the provider hosts and maintains the software, infrastructure costs are greatly reduced along with administrative burden.
- Updates and patches are done automatically, so all users have the same version.
- SaaS is highly scalable and globally accessible.
- Two of the biggest SaaS product families are Google Apps and Microsoft Office 365.
Pricing of the various cloud vendor types can be very confusing and hard to calculate. Here are the characteristics for all three:
Questions to ask cloud vendors
Depending on your needs, you'll want to vet each cloud vendor through a careful, strategic review. Here is a comprehensive list of questions and observations in four areas.
Stability of cloud vendors
- Are they financially stable and will they be around for a long time? It takes time and resources to switch vendors.
- Will they have the funds to upgrade hardware and software whenever necessary?
- Will they have the ability to comply with contract terms for scalability when needed?
- What would happen if they fail?
Redundancy and availability
- How redundant are their connections to the internet? If one source is disrupted, you do not want connectivity to be affected.
- How redundant are the environmental controls in providing power and cooling to the infrastructure supporting the hosted or provided applications?
- Does increased redundancy cost extra?
- What are the redundancies already in place and have they been tested?
- Do they have an external auditor testing these controls to ensure they are effective?
- Is monitoring in place to actively disclose issues, and do the vendors have policies and procedures in place to address these in a timely manner?
Customer service record
- What is the vendor's customer service record? Ask for references.
- What technical support is offered, and at what extra cost?
- What is the average response and resolution time for events?
- Do you reach knowledgeable reps or just someone reading a script?
- Is customer service or technical support outsourced to a foreign country or domestic third party, and how are their services monitored by the cloud vendor?
- What security measures are in place to secure access rights and access to data from unauthorized users? The list should include firewalls, antivirus detection, intrusion detection, encryption and multi-factor authentication. Does the vendor provide proper data isolation and logical storage segregation?
- Are privacy, physical security, and confidentiality addressed? Does the service level agreement mention these items specifically and detail how the vendor addresses them?
- Are there any compliance and legal issues the customer needs the vendor to address? Among the compliance issues that most often need to be discussed before signing any agreement with a cloud vendor: the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
- Does the vendor have a third party audit its security controls? A good third-party audit to look for is a Service Organization Control (SOC) report. Specifically, you want to see a SOC 2 report.
- What are the security controls in place? Look for these types of controls:
  - Deterrent: Warning signs, pop-up banners
  - Preventive: Training, firewalls, anti-virus
  - Detective: System monitoring, intrusion detection system, event logs
  - Corrective: Upgrades, patches, backup system
- Is the data center in the United States or a foreign country? What rights does the vendor have in political situations, fraud situations, and e-discovery?
- Do the vendors offer a private cloud or a public cloud? Connectivity plays a big part in whether the cloud is more secure.
- Do the vendors comply with all regulations, laws, and compliance requirements now, and will they continue to do so?
The questions above are not an all-inclusive list of what to consider when choosing a cloud service vendor, but they are a good start. When companies are looking to outsource their information technology, they should perform a risk assessment and develop a project plan for transitioning to a cloud vendor. Finally, the project should be managed just like any other major project by monitoring progress during implementation; this helps to ensure the vendor is fulfilling the customer's needs as the agreement specifies.
Good luck and may the cloud be with you.
Jeffrey Streif, CPA, is the CFO of Koller Enterprises Inc. in Fenton, Mo. He has more than 25 years of financial auditing experience, including more than 12 years as an information systems auditor and consultant. He also is a member of the AICPA IMTA Cybersecurity Task Force.