How to select the right cloud service provider
As more and more IT systems are externalised, making sure you pick the right cloud providers has become critical to long-term success.
However, the available market is vast, with a myriad of providers offering an even larger number of services, from market giants like Microsoft, Amazon and Google through to smaller niche players offering bespoke services.
So how do you select the right cloud provider from so many? The answer is a defined selection and procurement process appropriately weighted towards your unique set of needs.
We’ve distilled the key factors into a definitive list of 8 consideration areas.
Timing – When to select a cloud provider?
Before you can effectively select a suitable provider you need to understand your specific business needs. This sounds pretty obvious, but clarifying your specific requirements and minimum expectations in advance of assessing providers ensures you compare them all against your checklist, instead of comparing one against the other. This is the quickest way to move from long list to short list.
Armed with clarity on technical, service, security, data governance and service management requirements, you can more effectively interrogate your select group of potential providers.
It’s also worth noting, when migrating applications and workloads to the cloud, the specific environments you choose and the services offered by your cloud service provider will determine the configurations needed, the work you need to do and the help you can get from the provider in doing it.
Ideally, therefore, you should choose your providers after you have identified your cloud migration candidates but in parallel with analysing and preparing these workloads for migration.
How to pick a cloud service provider? Use these 8 key areas for consideration.
When it comes to selecting a cloud provider, the requirements you have and evaluation criteria you use will be unique to your organisation. However, there are some common areas of focus during any service provider assessment.
We have grouped these into 8 sections to help you effectively compare suppliers and select a provider that delivers the value and benefits your organisation expects from the cloud.
- Certifications & Standards
- Technologies & Service Roadmap
- Data Security, Data Governance and Business policies
- Service Dependencies & Partnerships
- Contracts, Commercials & SLAs
- Reliability & Performance
- Migration Support, Vendor Lock in & Exit Planning
- Business health & Company profile
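One way to turn the checklist approach above (minimum expectations agreed first, then a weighted comparison across the eight areas) into something repeatable is a small scorecard. This is an added example, not part of the original article: the provider names, weights, scores and the three mandatory requirements are constructed for illustration, and the 0 to 5 scoring scale is an assumption.

```python
"""Provider scorecard: knock-out on mandatory minimums, then weighted ranking.

Added example, not part of the original article. Provider names, weights,
scores and mandatory checks below are constructed for illustration only.
"""
from dataclasses import dataclass

# The eight consideration areas from the article, with hypothetical weights
# (summing to 1.0) that reflect one organisation's priorities.
WEIGHTS = {
    "certifications_standards": 0.10,
    "technology_roadmap": 0.15,
    "data_security_governance": 0.20,
    "dependencies_partnerships": 0.05,
    "contracts_slas": 0.15,
    "reliability_performance": 0.15,
    "migration_lockin_exit": 0.10,
    "business_health": 0.10,
}

# Minimum expectations agreed before assessment (constructed). A provider that
# fails any of these is dropped from the long list whatever its weighted score.
MANDATORY = [
    ("data_residency_choice",
     lambda f: f.get("data_residency_choice") is True),
    ("encryption_at_rest",
     lambda f: f.get("encryption_at_rest") is True),
    ("breach_notification_within_72h",
     lambda f: f.get("breach_notification_hours", 10**9) <= 72),
]


@dataclass(frozen=True)
class Provider:
    name: str
    scores: dict   # area name -> score on a 0..5 scale (assumed scale)
    facts: dict    # answers to the mandatory questions


def failed_minimums(p: Provider) -> list:
    """Names of mandatory requirements the provider does not meet."""
    return [name for name, ok in MANDATORY if not ok(p.facts)]


def weighted_score(p: Provider) -> float:
    """Weighted sum of the eight area scores (0..5)."""
    assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"
    return sum(WEIGHTS[area] * p.scores[area] for area in WEIGHTS)


def shortlist(providers) -> list:
    """Providers that pass every minimum, ranked by weighted score (desc)."""
    ranked = [(round(weighted_score(p), 2), p.name)
              for p in providers if not failed_minimums(p)]
    return sorted(ranked, reverse=True)


# Constructed sample long list.
PROVIDERS = [
    Provider("Provider A",
             dict(zip(WEIGHTS, [4, 4, 5, 3, 4, 4, 3, 4])),
             {"data_residency_choice": True, "encryption_at_rest": True,
              "breach_notification_hours": 24}),
    # Highest raw scores, but cannot keep data in the required jurisdiction.
    Provider("Provider B",
             dict(zip(WEIGHTS, [5, 5, 5, 5, 5, 5, 5, 5])),
             {"data_residency_choice": False, "encryption_at_rest": True,
              "breach_notification_hours": 48}),
    Provider("Provider C",
             dict(zip(WEIGHTS, [3, 3, 4, 4, 3, 5, 4, 3])),
             {"data_residency_choice": True, "encryption_at_rest": True,
              "breach_notification_hours": 72}),
]

if __name__ == "__main__":
    for p in PROVIDERS:
        fails = failed_minimums(p)
        print(p.name, "EXCLUDED:" if fails else "passes minimums", fails)
    print(shortlist(PROVIDERS))
```

The point of separating the two stages is visible in the sample data: Provider B would win on a straight weighted comparison, but it never reaches that comparison because it fails a requirement that was fixed before assessment began.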
Certifications & Standards
Providers that comply with recognised standards and quality frameworks demonstrate an adherence to industry best practices and standards. While standards may not determine which service provider you choose, they can be very helpful in shortlisting potential suppliers.
There are multiple standards and certifications available. The image above illustrates some of the more common organisations that provide standards, certifications and good practice guidance.
More generally, look out for structured processes, effective data management, good knowledge management and service status visibility. Also understand how the provider plans to resource and support continuous adherence to these standards.
Technologies & Service Roadmap
Make sure the provider’s platform and preferred technologies align with your current environment and/or support your cloud objectives.
Do the provider’s cloud architectures, standards and services suit your workloads and management preferences? Assess how much re-coding or customisation you may have to do to make your workloads suitable for their platforms.
Many service providers offer comprehensive migration services and even offer assistance in the assessment and planning phases. Ensure you have a good understanding of the support on offer and map this against project tasks and decide who will do what. Often service providers have technical staff that can fill skills gaps in your migration teams.
However, some large-scale public cloud providers offer limited support and you may need additional third-party support to fill the skills gaps: ask the platform provider for recommended third-party partners that have experience and extensive knowledge of the target platform.
Ask about the provider’s roadmap of service development – How do they plan to continue to innovate and grow over time? Does their roadmap fit your needs in the long term?
Important factors to consider are commitments to specific technologies or vendors, and how interoperability is supported. Can they also demonstrate deployments similar to the ones you are planning?
For SaaS providers in particular a features, service and integration roadmap is highly desirable.
Depending on your particular cloud strategy, you may also want to evaluate the overall portfolio of services that providers can offer. If you plan to use separate best-of-breed services from a broad mix of providers then this is less relevant, but if your preference is to use only a few key cloud service providers, it is important for those providers to offer a good range of compatible services.
Data Governance and security
You may already have a data classification scheme in place that defines types of data according to sensitivity and/or policies on data residency. At the very least you should be aware of regulatory or data privacy rules governing personal data.
With that in mind, the location your data resides in, and the subsequent local laws it is subject to, may be a key part of the selection process. If you have specific requirements and obligations, you should look for providers that give you choice and control regarding the jurisdiction in which your data is stored, processed and managed. Cloud service providers should be transparent about their data centre locations but you should also take responsibility for finding this information out.
If relevant, assess the provider’s ability to protect data in transit through encryption of data moving to or within the cloud. Sensitive volumes should also be encrypted at rest, to limit exposure to unapproved administrator access. Sensitive data in object storage should likewise be encrypted, usually with file/folder-level or client/agent-side encryption so that the keys stay under your control.
Look to understand the provider’s data loss and breach notification processes and ensure they are aligned with your organisation’s risk appetite and legal or regulatory obligations.
The CIF Code of Practice framework has some useful guidance to help identify relevant security and data governance policies and processes as part of a provider assessment.
Ensure you assess the cloud provider’s levels of data and system security, the maturity of security operations and security governance processes. The provider’s information security controls should be demonstrably risk-based and clearly support your own security policies and processes.
Ensure user access and activity are auditable via all routes, and get clarity on security roles and responsibilities as laid out in the contracts or business policies documentation.
If they are compliant with standards like the ISO 27000 series, or have recognised certifications, check that they are valid and get assurances of resource allocation, such as budget and headcount to maintain compliance to these frameworks.
Ask for internal security audit reports, incident reports and evidence of remedial actions for any issues raised.
Service Dependencies & Partnerships
Service providers may have multiple vendor relationships that are important to understand.
Assessing the provider’s relationship with key vendors, their accreditation levels, technical capabilities and staff certifications is a worthwhile exercise. Do they support multi-vendor environments, and can they give good examples?
Think about whether the services offered fit into a larger ecosystem of other services that might complement or support them. If you are choosing a SaaS CRM, for instance – are there existing integrations with finance and marketing services? For PaaS – is there a cloud marketplace from which to buy complementary services that are preconfigured to integrate effectively on the same platform?
Subcontractors and service dependencies
It’s also important to uncover any service dependencies and partnerships involved in the provision of the cloud services. For example, SaaS providers will often build their service on existing IaaS platforms, so it must be clear how and where the service is being delivered.
In some cases there may be a complex network of connected components and subcontractors that all play a part in delivering a cloud service. It’s vital to ensure the provider discloses these relationships and can guarantee the primary SLAs stated across all parts of the service, including those not directly under its control. You should also look to understand limitations of liability and service disruption policies related to these subcomponents.
In general, think twice before considering providers with a long chain of subcontractors, especially for mission-critical business processes or data governed by data privacy regulations.
The Code of Practice requires explicit clarification of service dependencies and the implications on SLAs, accountability and responsibility.
Contracts, Commercials & SLAs
Contracts & SLAs
Cloud agreements can appear complex, and this isn’t helped by a lack of industry standards for how they are constructed and defined. For SLAs in particular, many jargon-happy cloud providers are still using unnecessarily complicated, or worse, deliberately misleading language.
This is being addressed to some degree by the latest revision of the ISO standard for service level agreements, ISO/IEC 19086-1:2016, which is a useful framework to use when assessing providers’ agreements.
In general, agreements range from out of the box “terms and conditions”, agreed online, through to individually negotiated contracts and SLAs.
The relative size of the CSP and the customer is a factor here. Smaller CSPs are more likely to enter into negotiations, but may also be more likely to agree custom terms that they cannot actually support. Always challenge providers that are prepared to offer flexible terms to provide details on how they plan to support this variation, who is responsible for it, and what processes are used to govern it.
We cover contracts, SLAs and cloud law in module 10 of our online training programme. Key factors to consider with contracts are:
Look for a clear definition of the service and deliverables. Get clarity on the roles and responsibilities relating to the service (delivery, provisioning, service management, monitoring, support, escalations, etc.) and how they are distributed between customer and provider. How are service accessibility and availability managed and assured (maintenance, incident remediation, disaster recovery, etc.)? How do these policies fit with your requirements?
Data policies and protection
Assess a provider’s security policies and data management policies, particularly relating to data privacy regulations. Ensure there are sufficient guarantees around data access, data location and jurisdiction, confidentiality and usage/ownership rights. Scrutinise backup and resilience provisions. Review data conversion policies to understand how transferable your data may be if you decide to leave.
There are a myriad of terms covered in the training module and your circumstances will dictate which are important, but key considerations include:
- Contractual and service governance, including the extent to which the provider can unilaterally change the terms of service or contract.
- Policies on contract renewals and on notice periods for exit or modification.
- The insurance policies, guarantees and penalties included, and the caveats that accompany them.
- The extent to which the provider is willing to open its organisation to audits of its operations and compliance with policies.
Specific terms relating to indemnification, intellectual property rights, limitation of liability and warranties should be standard in providers’ contracts. However, the parameters relating to each should be scrutinised. These protections are typically the most hotly contested, as customers look to limit their exposure to potential data privacy claims following a breach while providers look to limit their liability in the event of claims.
Service level agreements
SLAs should contain 3 major components:
- Service level objectives
- Remediation policies and penalties/incentives related to these objectives
- Exclusions and caveats.
Look for SLOs that are relevant, explicit, measurable and unambiguous. They should also be auditable if possible and clearly articulated in the service level agreement.
SLAs should also specify how issues are to be identified and resolved, by whom and in what time period. They will also specify what compensation is available and the processes for logging and claiming it, as well as listing terms that limit the scope of the SLA and the exclusions and caveats that apply.
Close scrutiny of these terms is important, as often service credit calculations are complex – ask for worked examples or better still give all shortlist providers the same imaginary downtime scenario and compare the difference in compensation.
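The “same imaginary downtime scenario for every shortlisted provider” suggestion above is easy to make concrete in code. The example below is added here and is not part of the original article: the two providers, their credit tiers, the exclusions and the monthly fee are all constructed, and the 30-day month used for the availability calculation is an assumption. What it shows is that two agreements facing identical incidents can pay out very different credits once exclusions (planned maintenance, short blips) and tier thresholds are applied.

```python
"""Compare SLA service credits across providers for one constructed scenario.

Added example, not part of the original article. Provider terms, incidents
and the monthly fee are constructed for illustration only.
"""
from dataclasses import dataclass

MINUTES_IN_MONTH = 30 * 24 * 60   # assumed 30-day billing month = 43,200 min


@dataclass(frozen=True)
class Incident:
    minutes: int
    planned: bool = False   # scheduled maintenance vs unplanned outage


@dataclass(frozen=True)
class SlaTerms:
    name: str
    # (availability threshold %, credit % of monthly fee), highest threshold
    # first; the lowest threshold the measured availability falls under wins.
    credit_tiers: tuple
    exclude_planned: bool = True     # planned maintenance not counted
    min_incident_minutes: int = 0    # shorter incidents are excluded


def counted_downtime(terms: SlaTerms, incidents) -> int:
    """Minutes of downtime that count under this provider's exclusions."""
    total = 0
    for inc in incidents:
        if terms.exclude_planned and inc.planned:
            continue
        if inc.minutes < terms.min_incident_minutes:
            continue
        total += inc.minutes
    return total


def availability_pct(terms: SlaTerms, incidents) -> float:
    """Monthly availability as a percentage, under the provider's own rules."""
    return 100.0 * (1 - counted_downtime(terms, incidents) / MINUTES_IN_MONTH)


def credit_pct(terms: SlaTerms, incidents) -> float:
    """Credit owed as a percentage of the monthly fee."""
    avail = availability_pct(terms, incidents)
    credit = 0.0
    for threshold, pct in terms.credit_tiers:   # descending thresholds
        if avail < threshold:
            credit = pct
    return credit


def compare(monthly_fee: float, scenario, all_terms) -> dict:
    """Credit in currency units per provider for the same scenario."""
    return {t.name: round(monthly_fee * credit_pct(t, scenario) / 100, 2)
            for t in all_terms}


# Constructed terms for two hypothetical shortlisted providers.
PROVIDER_X = SlaTerms("Provider X", ((99.95, 10.0), (99.0, 25.0)))
PROVIDER_Y = SlaTerms("Provider Y", ((99.9, 5.0), (99.0, 10.0), (95.0, 25.0)),
                      min_incident_minutes=5)

# Constructed scenario: one long outage, one maintenance window, one blip.
SCENARIO = (Incident(180), Incident(45, planned=True), Incident(4))

if __name__ == "__main__":
    for terms in (PROVIDER_X, PROVIDER_Y):
        print(terms.name, "counted downtime:", counted_downtime(terms, SCENARIO),
              "min, availability:", round(availability_pct(terms, SCENARIO), 3))
    print(compare(10000.0, SCENARIO, (PROVIDER_X, PROVIDER_Y)))
```

Running it on the constructed scenario, Provider Y ignores the 4-minute blip and, with a lower first tier, credits half what Provider X does for the same month; the measured availability barely differs, so the gap comes almost entirely from the tier thresholds and exclusions, which is exactly what close scrutiny of the terms needs to surface.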
Commercials & pricing
Each cloud service provider has a unique bundle of services and pricing models. Different providers have unique price advantages for different products. Typically, pricing variables are based on the period of usage, with some providers allowing for by-the-minute usage as well as discounts for longer commitments.
The most common model for SaaS based products is on a per user, per month basis though there may be different levels based on storage requirements, contractual commitments or access to advanced features.
PaaS and IaaS pricing models are more granular, with costs for consumption of specific resources or ‘resource sets’. Aside from financial competitiveness, look for flexibility in terms of resource variables but also in terms of speed to provision and de-provision.
An application architecture that allows you to scale different workload elements independently means you can use cloud resources more efficiently. You may find that your ability to fine-tune scalability is affected by the way your cloud service provider packages its services, and you’ll want to find a provider that matches your requirements in this regard.
Reliability & Performance
There are several methods you can use to measure the reliability of a service provider.
First, check the performance of the service provider against their SLAs for the last 6-12 months. Some service providers publish this information, but others should supply it if asked.
Don’t expect perfection: downtime is inevitable and every cloud provider will experience it at some point. It’s how the provider deals with that downtime that counts. Ensure the monitoring and reporting tools on offer are sufficient and can integrate into your overall management and reporting systems.
Ensure your chosen provider has established, documented and proven processes for dealing with planned and unplanned downtime. They should have plans and processes in place documenting how they plan to communicate with customers during times of disruption including timeliness, prioritisation and severity level assessment of issues.
Be aware of remedies and liability limitations offered by the cloud provider when service issues arise.
Look to understand the provider’s disaster recovery provisions and processes and their ability to support your data preservation expectations (including recovery time objectives). This should cover the criticality of data, data sources, scheduling, backup, restore, integrity checks, etc.
Roles and responsibilities, escalation processes and who has the burden of proof, all must be clearly documented in the service agreement. This is vital, as in many cases, your team may be responsible for implementing some of these processes.
Consider purchasing additional risk insurance if the costs associated with recovery are not covered by the provider’s umbrella terms and conditions.
Migration Support, Vendor Lock in & Exit Planning
Vendor lock-in is a situation in which a customer using a product or service cannot easily transition to a competitor. Vendor lock-in is usually the result of proprietary technologies that are incompatible with those of competitors. However, it can also be caused by inefficient processes or contract constraints, among other things.
Cloud services that rely heavily on bespoke or unique proprietary components may impact your portability to other providers or in-house operations. This is especially true if applications have to be re-architected in order to run on a service provider platform.
Reduce the risk of vendor lock-in by ensuring your chosen provider makes minimal use of proprietary technology, or by minimising your own use of services that limit your ability to migrate or transition away.
Ideally select value added services that have competitive and comparable alternatives in the market and put policies in place to periodically review the options to minimise lock-in risk.
Also be wary of “enhancement creep”, where service providers modify configurations, policies, technologies etc, and in doing so introduce lock-in factors as part of your service.
Finally, while there are some compelling benefits in working with one or a few key providers you should balance these benefits with the risks of becoming too entangled with any one supplier.
Similarly, ensure you have a clear exit strategy in place at the start of your relationship. Moving away from a CSP’s service isn’t always an easy or smooth transition, so it’s worth finding out about their processes before signing a contract.
Furthermore, consider how you’ll access your data, what state it will be in and for how long the provider will keep it.
Business health & Company profile
Assessing the technical and operational capabilities of a potential supplier is obviously important, but take time to consider the financial health and profile of your shortlisted providers.
The most compatible or most competitive cloud service is immaterial if the provider doesn’t have a sound business. Make sure your main providers are a good fit for the long term.
As Microsoft say in their short guide on provider selection: “The provider should have a track record of stability and be in a healthy financial position with sufficient capital to operate successfully over the long term”. If a service provider gets into trouble it may not have the financial resources to refund your losses, regardless of good intentions and contract assurances.
Try and establish if the organisation has had any past legal issues, has been, or is being sued and how they respond to legal challenges – ask directly or do your own research.
Ask about any planned corporate changes, mergers and acquisitions, or business aspirations.
Get a good handle on the competitive position and aspirations of the provider, use analyst profiles, online reviews and market research to get a sense of their market status.
Sometimes looking at the history of the management team via networks like LinkedIn can be very revealing – do previous roles show consistent performance and good corporate governance?
What type of customers do they have and what markets do they count as important – vertical emphasis may prompt investment in valuable niche offerings.
Include hard and soft factors in your assessment of prospective providers: recognise and validate both the certifications and standards they adhere to, but also what their customers say about them in case studies and testimonials.
Think long-term to avoid lock-in – avoidance of proprietary technologies and a clearly defined exit strategy will avoid a lot of headaches down the line.
Take time to establish workable SLAs and contractual terms – they’re the main form of assurance you have that the services will be delivered as agreed.
For a comprehensive and extensive guide on how to assess, select and review service providers, access module 9 (Assessing Cloud Service Providers) and module 10 (Cloud Contracts, SLAs and Cloud Law) of our online training.