You may have some apprehension about moving your business to the cloud. You can see the benefits, but you still haven’t pulled the trigger. This is quite common with companies that did not come of age during the birth of cloud computing. You are used to managing and maintaining your own “on premise” solutions. You are finally ready to take the leap that allows you to streamline your processes and let a cloud solution handle your IT tasks, security, maintenance, licensing and support. You want to begin to focus on what your company does best: make money.
Here are 10 things you must consider before choosing a cloud provider.
- Define your processes or create your cloud business plan – Before you ever begin to look at cloud providers, define what you are trying to move to the cloud. For example, if you are looking to move away from SharePoint to a cloud document solution, list that as a process. If you want to eliminate your “on premise” data center and move to cloud servers, list that. Basically, run through everything your business does and list, in order of priority, which services or processes your company currently provides should be offloaded to the cloud.
- Lock-in – When it comes to lock-in, you want to make sure that the cloud provider you choose uses standard formats to move your data out of that cloud. If they are using proprietary formats, you may be locked in to that provider, and that is something you want to avoid at all costs. Basically, you MUST have data portability.
- Elasticity – You must have elasticity in your cloud provider. Elasticity is the ability to automatically spin up more servers in the cloud to meet your demand when a threshold is reached. Once that demand subsides, the machines are decommissioned automatically. The ability to expand and contract is crucial when planning which cloud provider you will choose.
- Isolation failure – It is very important that the cloud provider is multi-tenant and provides shared resources; you don’t want a single point of failure in the cloud provider you choose. Examples include storage, memory, routing and tenants.
- Compliance – Your cloud solution MUST be tied to an industry standard (ISO) and be able to provide the documentation supporting such claims. A third-party auditing firm should audit to this standard (ISO/SOC) annually and provide the proper documentation for any prospect upon request.
- Security – This is a feature you are going to want to spend a lot of time reviewing. The following are examples of some questions you might want to ask:
  - How are you protecting our data?
  - What encryption strength is used for data at rest and in transit?
  - What security protocols do you have in place to protect our security?
  - What is your breach notification process?
  - How do you handle virus protection?
  - How do you monitor security risk and notify?
  - What is your incident response policy?
  - Are your penetration tests external or internal?
  - Please provide a summary of your penetration test results.
- Service Level Agreements (SLA) – SLAs are very important to review before moving to a cloud solution. You want to know what the guaranteed uptime is for your cloud provider and what credits you get if they fail to meet their uptime. Ask to review their uptime reports if applicable.
- Business Continuity – Now that you are putting your trust in a cloud provider, how are they handling disaster recovery? In the event of a disaster or event, what are the SLAs to have your data highly available? Ask what the recovery time objective (RTO) and the recovery point objective (RPO) are. Do not MOVE to a cloud provider if you don’t accept their RTO and RPO.
- Encryption Keys – As governments and other entities are trying to get your encryption keys from vendors, it is beneficial to use self-provisioned keys. Why let your cloud provider be the “Janitor” with all the master keys? You should control your destiny. If you own your encryption keys and someone obtains access to your data, the data is worthless without the key. You CANNOT open encrypted data without a cypher (key).
- Privacy Shield and GDPR – The General Protection Act (GDPR) is a set of laws coming in 2018. It sets specific requirements on how data is transferred out of the EU. Privacy Shield is an agreement between the United States and EU/Switzerland allowing the transfer of data between the EU and the US. If you are a global company, you will want to review how your cloud provider handles these policies.
Considering the 10 items above will put you in a great position to make a good decision on whether or not a cloud provider will meet your needs. Dialogue and transparency will help make your transition to the cloud successful.