A Cloud Provider Decision Guide: How to Choose the Right Provider to Reduce Your Risk of a Data Breach

This article was originally featured in IT Briefcase.

Choosing the optimal cloud solution for your organization—and the right cloud provider to help you secure your sensitive and mission-critical data and applications—is no easy task. Public cloud offerings can’t provide the levels of security and regulatory compliance needed to protect sensitive or mission-critical information. While private clouds managed on an individual company basis can provide the necessary security and compliance, they require significant expense, staffing with specialized skill sets, certifications and attestations that few organizations can afford. For most businesses, the most secure and cost-effective approach is a private hosted cloud.

It’s important to choose a cloud provider that will collaborate with you to design, build and support a tailored solution that meets your business requirements for security, compliance, reliability and customization. But how do you determine which provider is right for your business? Half the battle is knowing what to look for and the right questions to ask.

Here are seven key criteria to help you choose the right cloud provider for your business.

1. Ability to service all your business and audit requirements. Look for a provider with a standards-based cloud environment and a security program that meets the regulatory policies and procedures with which your business must comply.

  • Compliance and attestations: Data security and compliance is a formal methodology that applies the right physical, technical and administrative processes to properly ensure confidentiality, integrity and availability (CIA) of mission-critical applications. Some cloud providers claim to be compliant when only the physical data center they reside in is compliant. They may offer the components to build a compliant solution, but it’s up to you to know how to assemble them. Choose a provider that not only is up to date on its data center and service attestations but also can meet your regulatory compliance needs, including SOC 1, SOC 2, SOX, HIPAA, FIPS 140-2, PCI, CJIS, ITAR, Sarbanes-Oxley and the same capabilities as Safe Harbor (which the EU has ruled is no longer valid).
  • Policies and procedures: Does the provider follow ITIL best practices for aligning IT services with the needs of your business? Do they have an Architectural Review Board and Customer Advisory Board (CAB) for changes? Make sure you understand the process to update and make maintenance changes to your solution.

2. Comprehensive contract and offering. Find out which services are part of the standard offering and which are considered add-ons that cost extra. Ideally a standard configuration should include multiple site redundancy and automatic failover to an alternate data center in the event of a disaster. Make sure to look for a provider whose standard service level agreement (SLA) guarantees 99.99% (versus 99.9%) uptime, a non-differentiated uptime agreement (i.e., an all-inclusive guarantee), and automatic notification and refunds for downtime. Also consider how each provider charges for traffic and look for one that offers pre-sales design resources (versus just a quote) and gives you visibility into usage numbers and costs.

3. Reputation and experience. What is the provider’s reputation? How long have they been in business? How much experience do they have with clients in your industry and how well do they understand your industry-specific requirements? Are they staying on top of technology and security trends and investing in new technologies?

4. Relationship and day-to-day support. It’s essential to choose a cloud provider with whom you feel comfortable working as a partner, one with a collaborative, flexible approach and whom you trust to have your best interests at heart. Private cloud providers that get involved in the initial design usually understand business goals better and find more efficient ways of deploying your cloud.

Responsive day-to-day support is another key requirement. Look for a cloud provider that offers unlimited technical resolution for the operating system, SQL Server or cloud platform with 24/7 support, as well as integration of support plans with your current application support provider/partner. The ideal provider will have 24/7 toll-free phone support and an online customer portal that provides a convenient, central gateway for submitting requests, reporting incidents and getting status updates and compliance documentation.

5. Expertise, training and screening of the cloud specialists. Ask about the skill set matrix and certifications of each member of the team that will be working on your cloud solution. Also, several of the key attestations require criminal, credit and other types of personnel screening. Ask each provider about its screening process for cloud specialists.

6. Flexibility and customization. How flexible is the cloud provider in providing “your cloud” the way you need it? Look for a provider that can tailor a true hybrid cloud if you need it by creating high-speed, low-latency private connections between public cloud platforms and infrastructure that resides on premises or in a co-location facility.

7. Ability to limit access by geography or provide international support. The ability to limit access just to U.S. citizens is a critical requirement for any company that does business with the Department of Defense and other Federal government agencies. And if you are operating a global company with remote sites in multiple countries, make sure the company you choose can provide international support.

On-premise data centers are not necessarily more secure than hosted private clouds. If you do choose to focus your efforts and investment in your core business and put your trust in a cloud provider to handle some or all of your business’ data, app hosting and security, be absolutely certain you entrust them to the right provider.

For more about securing your cloud against data breaches, download our free eBook, Breaches and the Boardroom - Lessons Learned in Cybersecurity.