Finding the right cloud provider

Journey to the cloud with the right provider

A good relationship with your provider is essential for successful collaboration. These six criteria are crucial when choosing your cloud provider.

Text: Christoph Widmer, 24 june 2019

Amazon Web Services, Microsoft Azure, Salesforce, Swisscom Cloud: if a company decides to move into the cloud, it is spoilt for choice. It can choose from many different providers, from market leaders who have established themselves as global public cloud providers to smaller niche providers offering tailor-made services. It is not easy to choose the provider that best suits your business needs and requirements from this wealth of potential providers. In the following, we will present a number of criteria that need to be considered when choosing a cloud provider.

1. Who is responsible for cloud security?

Even if a company’s data and applications are entrusted to a cloud provider, this provider is not solely responsible for their protection and operation. So too is the cloud consumer, i.e. the company that purchases the cloud services. Although the Shared Responsibility Model already roughly determines how responsibilities are divided between cloud providers and cloud consumers for SaaS, PaaS and IaaS service models, provider-specific deviations are possible. Companies should therefore familiarise themselves with the relevant cloud provider’s service level agreements (SLAs). After all, these lay down the precise responsibilities and areas of responsibility of the provider and the user. The company must also precisely define the depth of production of its own IT infrastructure in advance and ideally record this in the target operating model (TOM). “The customer and his IT managers must know exactly which areas they are responsible for – or would like to be responsible for,” explains Mario Walker, Swisscom’s Lead Architect of Enterprise Solution Architecture. “Only then can he check whether the cloud provider’s SLAs really are compatible with his own TOM.”

2. Is administration undertaken via portals or service requests?

Cloud providers provide businesses with different aids and tools for administrative collaboration. Global public cloud providers, such as Microsoft Azure or Amazon Web Services, often offer access to portals for this purpose. These enable companies to perform administrative tasks themselves to a certain extent for operating the cloud. However, change management tools are just as common. Here, the user company does not change the cloud infrastructure itself, but commissions them from the cloud provider as a service request. “Neither approach is better or worse,” Walker says. “Some companies want the flexibility that portals offer, others want to reduce their own administrative work as far as possible. Here, too, the company must check which approach suits its own target operating model and whether criteria such as the response time, time to resolve, etc. are sufficiently fulfilled by the provider’s SLAs.”

3. Does the provider submit complete reports?

The cloud provider should definitely make reports available, not only with regard to security, but also in terms of operating costs. Especially if the shared responsibility model is more complicated – for example, if certain administrative tasks are outsourced to third parties as a managed service – the cloud consumer needs to have an accurate and complete list of the costs this incurs. Only then can he assign them intelligently within the company to his own cost centres or organisational units – or even pass them on.

4. Are process automation interfaces available?

Within the framework of cloud migration, it is imperative that user organisations are given access to automation interfaces: “Companies must be aware that there is an enormous potential in using the cloud to automate their own business processes,” says Mario Walker. “Cloud consumers must therefore demand appropriate interfaces.” REST (Representational State Transfer) interfaces are recommended because they are increasingly becoming the standard. REST APIs enable machine-to-machine communication and allow systems to distribute data and tasks between different servers or request them with an HTTP request. Many REST-compatible API interfaces are used to provide modern Web services.

5. What roles do governance and compliance play?

Internal company regulations, but above all statutory regulations, have a major influence on which cloud provider is suitable for your own business model and market segment. Depending on the situation, companies have to look into Swiss and/or international legislation, applicable industry standards or sector-specific regulations such as FINMA regulations or e-privacy before they can search for a suitable cloud provider. For example, data storage in Switzerland may have to be guaranteed under certain circumstances, as a result of which foreign cloud providers may no longer be an option. The provisions of the General Data Protection Regulation (GDPR) also apply in Switzerland, and compliance with them may also be obligatory.

6. What is the provider’s reputation?

Just like with due diligence, companies should take a closer look at their cloud provider. “Typical key questions here include: How long has the provider been on the market? How many customers does it have? What is its reputation? And what is its financial situation?” Walker notes. The legal entity and the provider’s corporate organisation may also be the decisive selection criterion. Security-related aspects must also be included in this corporate assessment: Has one of the providers recently suffered security or system failures? What were the reasons for this? How quickly were the problems fixed? In order to minimise the security risk when entering the cloud, these factors too are fundamental in evaluating the cloud provider.