How to Assess Cloud Service Providers

Cloud service providers have been around for some time, and many organizations are becoming more reliant on these types of vendors. While cloud technology isn't new, it can be challenging to assess cloud service providers if you don't understand the basics. To help you evaluate cloud providers, let's examine a few key considerations.

7 Areas to Consider When Evaluating Cloud Service Providers 

Due to its ability to host unlimited amounts of information, the cloud is often the ideal environment for organizations that need to scale quickly and affordably. There's no longer a need to buy a physical server, wait for it to arrive, and physically install it in an appropriate environment. 

However, it's important to recognize that the storage capabilities of the cloud also make it an ideal target for cybercriminals who want access to sensitive information. 

When evaluating cloud service providers, keep these things in mind:

1. Security – One of the first things to evaluate with a cloud service provider are its security practices. This is to ensure that the provider has proper controls in place to protect you and your customer's data. It's important to ask the right questions to learn who will have access to your data, how it’ll be protected, and how you’ll be notified if there’s a breach. 
   
   Two popular methods to assess a cloud service provider's security practices include reviewing the following:
   
   
   • SOC 2 Type II report – This examines a vendor's controls over the five Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy over a period of time. It was established by the American Institute of Certified Public Accountants (AICPA).
   • CAIQ (Consensus Assessment Initiative Questionnaire) - Created by the Cloud Security Alliance, this is the cloud industry’s standard information-gathering questionnaire.
2. Infrastructure – Knowing what type of cloud service provider they are is key to asking the right questions when assessing them, and depending on the type, potentially their cloud provider as well. You'll need to know if they’re an Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), or another type of provider. This will guide your approach to scope your questions. 
3. Compliance – It's helpful to familiarize yourself with the cloud industry’s best practices and recommendations for security guidelines. You’ll also want to ensure the provider is compliant or certified in areas relevant to your industry and the use of the provider. These include audits such as HIPAA and HITRUST CSF in healthcare, PCI-DSS in the payment industry, or FedRAMP for use by the U.S. government.
4. Capabilities – Consider the different capabilities that a cloud service provider can offer and whether they can support your organization’s goals. A provider’s capabilities can encompass many areas, such as its technical expertise, ease of use for your organization, and contractual service level agreements (SLAs). It’s also advisable to ask about the availability and implementation of application programming interfaces (APIs) to ensure your organization can build any necessary connections. You should also be aware of any service dependencies the provider may have, such as subcontractors who may have access to your data. 
5. Support – Your organization will inevitably need support from your cloud service provider, whether it’s integrating into your existing tools or ongoing support as you use the service. You should find out what support resources are included, and which may incur extra costs. 
6. Resiliency – A cloud service provider’s operational resiliency is another area to consider, which is often outlined in their disaster recovery and business continuity plans. Ask the provider questions about their recovery time objectives (RTO) and recovery point objectives (RPO). It’s important to know how long it will take for normal operations to resume and how much data you might lose if the service experiences a business-impacting event. 
7. Termination – As with any service provider, you'll want to implement an exit strategy before you sign the contract. There may be challenges or unique processes for securely transferring your data to a new cloud service provider. If the provider goes out of business or is acquired by another company, you’ll have to consider how data will be destroyed.

How to Interact With the Cloud Service Provider

There’s more to working with a cloud service provider than simply assessing its controls. Knowing some best practices for interacting with your service provider is helpful as your organization continues to use cloud technology. 

Here are a few tips:

• Know your obligations. Understand the shared responsibility model for the cloud service provider, as security and compliance require participation by all parties. 
• Be realistic. Don’t assume that your data is safe by using a well-known provider. Misconfigurations within cloud environments are a common source for incidents, including breaches.
• Plan ahead. Make sure you understand your support options and know how to use them before you need them. 

Using a cloud service provider can be very rewarding if you do your homework and understand how best to minimize risk from the relationship. When you understand how to properly assess and interact with a cloud service provider, your organization can reap the benefits of this innovative technology.