Cloud computing is highly sought after by companies that want to take advantage of scalable resources, efficient IT operations, and access to enterprise-style software tools that would otherwise be unavailable without an enterprise network infrastructure.
Amid almost deafening hype surrounding software as a service (SaaS) and cloud computing, companies tend to make a lot of mistakes while they choose a cloud vendor, mostly due to their inflated expectations, misunderstandings, and even disillusionment. Each cloud provider is unique, serving a specific function.
This post presents 60 basic questions you should ask during a complete cloud vendor assessment, so that you can choose the cloud vendor best suited to your business, both functionally and economically.
- How long have you been in the market?
- What industry is the solution designed for?
- Are there current issues of concern, e.g., negative media/press, data breach, etc.?
- Do you have any examples of software customers successfully using the solution?
- How is your solution superior, both functionally and economically, to other available solutions?
- Can you give us at least three blind references?
- Can you demonstrate similar deployments to the ones we are planning?
- Can you show us relevant examples of functional proof points and ROI?
- Can you show us how other customers have used your solution to solve the same business challenges we are looking to address?
- Do you offer a pilot program so we can test the concept before making a substantial investment?
- Is it possible to configure your solution to fit my requirements without the need for writing code?
- Do you have service-level agreements (SLAs)?
- How is your availability SLA superior to your competitors' SLAs?
- Do you establish SLAs with real penalties for failure?
- Can I add and remove services as needed?
- Do you use a third party to provide the required services?
- What happens to our data when the service is terminated?
Security / Audit
- Do you perform regular vulnerability assessments/penetration tests to determine security gaps? If so, can you state the date of the most recent vulnerability assessment and provide a comprehensive list of all security risks identified?
- Do we have the right to audit the cloud provider?
- Where are your data centers located, and how are they secured?
- Are there sufficient controls to ensure that data can only be entered and changed by authorized personnel?
- Is privileged access restricted?
- Is the system secured by unique IDs and passwords?
- Do you use encryption to protect data and virtual machine images during data movement across and between networks and hypervisor instances?
- Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
- Does your logging and monitoring framework allow isolation of an incident to specific tenants?
- Who has access to these logs, and how long are logs maintained?
- Is a third party involved in the integration process?
Disaster recovery and compliance
- Do you have an effective and comprehensive disaster recovery plan in place?
- Is the proposed architecture sufficiently diversified to mitigate risk?
- Does your solution meet critical security and compliance requirements?
- What are the capabilities and policies for protecting our data (both physically and procedurally)?
- Do you meet general and industry-specific security and compliance standards, such as those of the Payment Card Industry (PCI) Security Standards Council or the National Institute of Standards and Technology (NIST)?
- Does your cloud solution comply with the Statement on Auditing Standards No. 70 (SAS70), HIPAA, or DIACAP?
- Do you have cyber risk insurance in place?
- Do you have an audit trail for critical data and activities?
- Can the audit trail be reviewed for irregularities?
- What are the procedures in place to ensure business continuity and disaster recovery? Have these procedures been tested?
- Do you perform backups? How often?
- How often do service outages occur, and how long do they last?
- Do you have a guaranteed uptime?
- How do you ensure the resilience of your application?
- Are data backups stored on-site or off-site?
- Do you monitor service continuity with upstream providers in the event of provider failure?
- Do you have a downtime plan (e.g., service upgrade, patch, etc.)?
- How is your support team structured and incentivized?
- Do you have any quality measurement programs?
- What is your emergency response process?
- What is your post-emergency response process for root cause analysis?
- Can you show us your reporting mechanism for security and other incidents?
- Do you offer price protection and contractual flexibility?
- Do you provide a standard annual termination-for-convenience clause?
- Do you allow for annual usage-level alignment (up or down) based on business needs, and can I apply monthly “rollover” usage to address seasonal peaks?
- Do you provide long-term price protection?
- Do you offer a single bill for all services?