60 questions to ask for a Cloud Vendor Assessment

November 3, 2019

Cloud computing is highly sought after by all companies who want to take advantage of scalable resources, efficient IT operations, and access to software enterprise-style tools, which are otherwise not available without an enterprise network infrastructure.

Amid almost deafening hype surrounding software as a service (SaaS) and cloud computing, companies tend to make a lot of mistakes while they choose a cloud vendor, mostly due to their inflated expectations, misunderstandings, and even disillusionment. Each cloud provider is unique, serving a specific function.

This post will present 60 basic questions you must ask for a complete Cloud Vendor Assessment, while you assess and choose your cloud vendor, best suited for your business, both functionally and economically.

Cloud Vendor Assessment – 60 questions

Engagement

How long have you been in the market?
What industry is the solution designed for?
Are there current issues of concern, e.g., negative media/press, data breach, etc.?
Do you have any examples of software customers successfully using the solution?
How is your solution superior, both functionally and economically, to other available solutions?
Can you give us at least three blind references?
Can you demonstrate similar deployments to the ones we are planning?
Can you show us relevant examples of functional proof points and ROI?
Can you show us how other customers have used its solution to solve the same business challenges you’re looking to address?

Deployment/service

Do you run a pilot program and test the concept first before making a substantial investment?
Is it possible to configure your solution to fit my requirements without the need for writing code?
Do you have service-level agreements (SLAs)?
How is your availability service level agreement (SLA) superior to your competitors?
Do you establish SLAs with real penalties for failure?
Can I add and remove services as needed?
Do you use a third party to provide the required services?
What happens to our data when the service is terminated?

Security / Audit

Do you perform regular vulnerability assessments/penetration tests to determine security gaps? If so, can you state the date of the most recent vulnerability assessment and provide a comprehensive list of all security risks identified?
Do we have the right to audit the cloud provider?
Where are your data centers located, and how are they secured?
Are there sufficient controls to ensure that data can only be entered and changed by authorized personnel?
Is privileged access restricted?
Is the system secured by unique IDs and passwords?
Do you use encryption to protect data and virtual machine images during data movement across and between networks and hypervisor instances?
Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
Do your logging and monitoring framework allow isolation of an incident to specific tenants?
Who has access to these logs, and how long are logs maintained?
Is a third-party involved in the integration process?

Disaster, recovery, and compliance

Do you have an effective and comprehensive disaster recovery plan in place?
Is the proposed architecture sufficiently diversified to mitigate risk?
Does your solution meet critical security and compliance requirements?
What are the capabilities and policies for protecting our data (both physically and procedurally)?
Do you meet general and industry-specific security and compliance standards, such as the Payment Card Industry (PCI) Security Standards Council or the National Institute of Standards and Technology (NIST)?
Does your cloud solution comply with the Statement on Auditing Standards No. 70 (SAS70), HIPAA, or DIACAP?
Do you have cyber risk insurance in place?
Do you have an audit trail for critical data and activities?
Can the audit trail be reviewed for irregularities?
What are the procedures in place to ensure business continuity and disaster recovery? Have these procedures been tested?
Do you perform backups? How often?
How often do service outages occur, and how long do they last?
Do you have a guaranteed uptime?
Tell us how you ensure the resilience of your application?
Are data back-ups stored on-site or off-site?

Support

Do you monitor service continuity with upstream providers in the event of provider failure?
Do you have a downtime plan (e.g., service upgrade, patch, etc.)?
How is your support team structured and bonused?
Do you have any quality measurement programs?
What is your emergency response process?
What is your post-emergency response process for root cause analysis?
Show us your reporting mechanism for security and other incidents.

Pricing

Do you offer price protection and contractual flexibility?
Do you provide a standard annual termination for convenience?
Do you allow for annual usage-level alignment (up or down) based on business needs, and can I apply monthly “rollover” usage to address seasonal peaks?
Do you provide long-term price protection?
Do you offer a single bill for all services?

10 best places to find free data sets for your project

Key technical skills required for AI and ML professionals

Best data visualization practices – Dos and don’ts

Industries with the highest demand for data science professionals

Key technical skills required for AI and ML professionals

AI phone call scams: 12 crucial steps to safeguard yourself

What to do if you are experiencing a DDoS attack?

Safety in metal fabrication: Protecting workers and machineries

UI/UX design for gaming applications: Balancing user experience, aesthetics, and intuitive…

5 technologies you didn’t know your business can afford (and should…

Examine the role of SD-WAN in remote work environments

Revolutionize your performance review: New employee welcome kit ideas

Creating employee recognition programs: A step-by-step guide