How do I choose a cloud service provider?

Once you’ve decided to make the move to cloud computing, your next step is to select a cloud service provider. It’s vital to assess the reliability and capability of a service provider that you plan to entrust with your organization’s applications and data. Some things to consider:

Business health and processes

  • Financial health. The provider should have a track record of stability and be in a healthy financial position with sufficient capital to operate successfully over the long term.
  • Organization, governance, planning, and risk management. The provider should have a formal management structure, established risk management policies, and a formal process for assessing third-party service providers and vendors.
  • Trust. You should like the company and its principles. Check the provider’s reputation and see who its partners are. Find out its level of cloud experience. Read reviews, and talk to customers whose situation is similar to yours.
  • Business knowledge and technical know-how. The provider should understand your business and what you’re looking to do and be able to match it up with their technical expertise.
  • Compliance audit. The provider should be able to validate compliance with all of your requirements through a third-party audit.

Administration support

  • Service Level Agreements (SLAs). Providers should be able to promise you a basic level of service that you are comfortable with.
  • Performance reporting. The provider should be able to give you performance reports.
  • Resource monitoring and configuration management. There should be sufficient controls for the provider to track and monitor services provided to customers and any changes made to their systems.
  • Billing and accounting. This should be automated so that you can monitor what resources you’re using and the cost, so you don’t run up unexpected bills. There should also be support for billing-related issues.

Technical capabilities and processes

  • Ease of deployment, management, and upgrade. Make sure the provider has mechanisms that make it easy for you to deploy, manage, and upgrade your software and applications.
  • Standard interfaces. The provider should use standard APIs and data transforms so that your organization can easily build connections to the cloud.
  • Event management. The provider should have a formal system for event management that’s integrated with its monitoring/management system.
  • Change management. The provider should have documented and formal processes for requesting, logging, approving, testing, and accepting changes.
  • Hybrid capability. Even if you don’t plan to use a hybrid cloud initially, you should make sure the provider can support this model. It has advantages that you may wish to exploit at a later time.

Security practices

  • Security infrastructure. There should be a comprehensive security infrastructure for all levels and types of cloud services.
  • Security policies. There should be comprehensive security policies and procedures in place for controlling access to provider and customer systems.
  • Identity management. Changes to any application service or hardware component should be authorized on a personal or group role basis, and authentication should be required for anyone to change an application or data.
  • Data backup and retention. Policies and procedures to ensure integrity of customer data should be in place and operational.
  • Physical security. Controls ensuring physical security should be in place, including for access to co-located hardware. Also, data centers should have environmental safeguards to protect equipment and data from disruptive events. There should be redundant networking and power and a documented disaster recovery and business continuity plan.

To learn more, see Microsoft Azure Trust Center: Security