Trust is one of the most important criteria when it comes to selecting a cloud service provider. Consequently, customer and provider must jointly define organizational, operational, technical, and infrastructural measures which guarantee a maximum of trust and security in cloud usage. In this article, we have compiled a list of the key factors to consider when selecting a cloud service provider.
Companies require a large amount of storage capacity and computing power to be able to assess and evaluate data to their benefit. Demand is growing exponentially with ever-increasing data volumes, so it is no surprise that companies that organize their IT exclusively internally are bound to reach the limits of feasibility; this is where the cloud can help to provide solutions flexibly, inexpensively and quickly.
It thus does not come as a surprise that cloud-based systems are becoming increasingly popular. According to Statista, the third quarter of 2019 saw investments of 20 trillion dollars worldwide for the use of Infrastructure as a Service (IaaS) alone. Alongside platform and software solutions (PaaS / SaaS), IaaS represents the entry level of cloud possibilities. The majority of users rely on big brand names such as Amazon (39% market share), Microsoft (19%) and Google (9%) when opting for a cloud service provider.
Modes of deployment
Three basic application variants for cloud computing can be distinguished. The differences are not so much at the technical level but rather at the organizational level.
- Public Cloud
A public cloud is a public offering of services from a freely accessible provider. Customers can assemble the services according to their individual requirements. This type of cloud service is called public because several customers share the same virtual infrastructure without being aware of each other. The virtual areas are logically separated even though they exist on the same physical resources. Examples of public cloud offerings are web mail services or Google Docs as well as fee-based services such as Microsoft Office 365 or SAP Business ByDesign.
- Private Cloud
On the other hand, there are private cloud services which can only be accessed by one company. A characteristic example would be a company with several branch offices at different locations which provides its IT centrally for all its employees. No other company can access this virtualized infrastructure. The cloud may be operated by the company itself or by an IT service provider. An advantage over the public cloud is that the company retains the control of its data. This is why company-specific applications and sensitive data are usually located here.
- Hybrid Cloud
A hybrid cloud takes the best from the two former approaches and combines it. This means that certain services run on the Internet with public providers while others remain with the company. Alternatively, a cloud service may consist of a combination of central elements with local components situated in the customer’s infrastructure. That way, the advantages of cloud computing and those of a corporate solution can be combined.
In addition to the modes of deployment, there are also several service models with marked differences. Software, platform and infrastructure together are the foundation of cloud computing. They can be divided into hierarchically structured layers. Offered cloud services usually belong to one of the three layers and are geared to one specific target group of users.
Software as a Service (SaaS)
On the top level, there are the software applications. They are meant for users and usually comprise standardized services. Cloud service customers do not get in touch with the underlying cloud infrastructure; all they can do is configure the user-specific settings of the application. The applications are operated by the IT service provider on its own servers instead of on the IT resources of the customers. Users access the services via the Internet and the provider makes the required resources available. Customers only have to bring their own device to access the service with.
Platform as a Service (PaaS)
In this case, customers can install and operate applications that they have developed or purchased on the cloud infrastructure of the cloud service provider. The provider operates the complete working environment including databases, middleware (control software), and application software. The applications can then be developed by means of programming languages, program libraries or other services and tools supported by the cloud service provider. Just like in the SaaS model, cloud service customers cannot control the underlying cloud infrastructure.
Infrastructure as a Service (IaaS)
This service model refers to the provisioning of the IT infrastructure. Customers are granted access to scalable hardware and software resources of the cloud service provider, such as computing power, storage capacities or networks. These resources can be used to install and operate software, such as operating systems or applications. It is also possible to rent client infrastructure for any required period of time. Results are available at the flick of a switch.
Spoilt for choice
“And which provider is right for me and my company?” This is the question that potential cloud users are frequently struggling to find an answer to given the wide range of options. After all, not only the complex technology itself but also the selection of the right cloud service provider can cause difficulties. And this decision does merit a second thought because the wrong choice may not only compromise smooth operation and damage your reputation but also entail legal consequences. This is due to the fact that data and its protection are a highly sensitive topic in Germany. To avoid issues, we have compiled a list of the eleven most important criteria to consider when opting for a reputable cloud provider.
Data protection and compliance according to the latest regulations and directives
Data protection is the crucial point when it comes to selecting a cloud provider. Entrust your data only to companies that have been certified and that comply with the relevant security standards (ISO/IEC). Carefully compare your compliance requirements with the data protection measures of the provider. Make sure to cooperate exclusively with cloud providers that give “sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject” (EU GDPR art. 28). Set up a contract on data processing.
Handling sensitive customer data
The cloud provider should be able to use its cloud services to securely separate different customer infrastructures on multiple levels. Determine whether your data will be adequately protected in the event of a failure. Also ask which precautionary measures the provider has taken to prevent failures. Has your data been distributed across backup servers so that your daily business remains unaffected by possible server failures? Which crisis and information management processes take effect in case of a failure?
Encryption of data
Ask whether your cloud service provider uses end-to-end encryption to comply with data protection requirements. Data should be encrypted on its way to the cloud as well as while it is stored in the cloud.
Flexibility and scalability
Check whether the provider’s cloud offer is dynamic. It should be possible to flexibly adjust the cloud services to possible changes and shifts, e.g. in terms of the sales strategy, mergers or buy-outs, innovations, or the customer base.
Imposing detailed requirements on the cloud service provider
During the purchasing process, you should always keep in mind what it is that you really expect from the cloud provider and ensure that your demands are included in the contract in writing. The less precise the wording, the higher the risk that the services will eventually not cater to your needs (this also applies to support and setup). In the ideal case, however, service providers may even fulfill highly customer-specific wishes. Demands and requirements that have been agreed upon should always be documented in SLAs (Service Level Agreements).
Do not select cloud service providers that do not suit your IT systems. Be aware of the topic of interfaces.
Support on demand
Clarify support questions, because not all questions about the new services may be answerable by the internal IT department. A swift and effective communication process is important. Additionally, inquire about hidden costs and response times. Find out whether there are extra charges for additional support requests.
Availability and performance
Which availability rates does the cloud service provider promise, and are they high enough to guarantee you smooth and uninterrupted workflows? Is it likely that the provider can live up to this promise? Document the promised availability rates in the contract and define measures for efficient risk management.
Updates and maintenance
Are there regular updates, and are they included or charged separately? Also find out at which intervals the application will be updated and whether updates entail downtimes.
Location of data storage
Ask the cloud service provider where your data will be stored and ensure that the data center complies with strict security demands. Especially for companies from heavily regulated industries or countries with strict data protection laws, it is important to know the geographic storage location of the data they are thinking of entrusting to the service provider.
Preparing for the termination of the contract
What happens if you do not want to use the software any longer? Can the cloud service provider guarantee that your data will not only be transferred back to you, but also deleted from the provider’s databases? In addition, you should settle in advance in which format your data will be transferred back to you, so that you do not receive your data in a file format that your system does not support. (Ask whether this demand entails additional costs for you.)
If you keep these eleven criteria in mind and take a close look at what the cloud service providers are offering and what you want for your company, transitioning to the cloud will be a walk in the park.
Author: Tamer Caliskan
Tamer Caliskan has been working for ASC for three years. Before that he used to be active in service, development, and DevOps. As Head of DevOps since 2017 he is responsible for the operation of cloud systems and passionate about advancing the cloud development at ASC.