80 questions to ask for a cloud vendor assessment [Updated]

Cloud computing remains highly sought after by companies aiming to leverage scalable resources, efficient IT operations, and access to enterprise-style software tools without the need for a large network infrastructure.

Amid the continued buzz surrounding Software as a Service (SaaS) and cloud computing, businesses often make mistakes when selecting a cloud vendor due to inflated expectations, misunderstandings, and potential disillusionment. Each cloud provider offers unique capabilities tailored to specific needs.

This updated post presents critical questions for a comprehensive Cloud Vendor Assessment. These questions will help you evaluate and choose the best cloud vendor for your business, both functionally and economically.

Cloud Vendor Assessment – 80 Questions

Engagement

• How long have you been in the market?
• What industry is the solution designed for?
• Are there current issues of concern, e.g., negative media/press, data breaches, etc.?
• Do you have any examples of software customers successfully using the solution?
• How is your solution superior, both functionally and economically, to other available solutions?
• Can you provide at least three blind references?
• Can you demonstrate similar deployments to the ones we are planning?
• Can you show us relevant examples of functional proof points and ROI?
• How have other customers used your solution to solve similar business challenges?
• How do you engage with your customers for feedback and improvements?

Deployment/Service

• Do you run a pilot program and test the concept before making a substantial investment?
• Is it possible to configure your solution to fit my requirements without writing code?
• Do you have service-level agreements (SLAs)?
• How is your availability SLA superior to your competitors?
• Do you establish SLAs with real penalties for failure?
• Can I add and remove services as needed?
• Do you use a third party to provide the required services?
• What happens to our data when the service is terminated?
• Can your solution be integrated with our existing systems?
• How scalable is your solution in terms of handling increased workloads?

Security / Audit

• Do you perform regular vulnerability assessments/penetration tests? When was the most recent assessment, and what risks were identified?
• Do we have the right to audit the cloud provider?
• Where are your data centers located, and how are they secured?
• Are there controls to ensure that data can only be entered and changed by authorized personnel?
• Is privileged access restricted?
• Is the system secured by unique IDs and passwords?
• Do you use encryption to protect data and virtual machine images during data movement across and between networks and hypervisor instances?
• Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
• Do your logging and monitoring framework allow isolation of an incident to specific tenants?
• Who has access to these logs, and how long are logs maintained?
• Is a third-party involved in the integration process?
• How do you handle data privacy regulations (e.g., GDPR, CCPA)?
• What are your protocols for dealing with a data breach?

Disaster, Recovery, and Compliance

• Do you have an effective and comprehensive disaster recovery plan?
• Is the proposed architecture sufficiently diversified to mitigate risk?
• Does your solution meet critical security and compliance requirements?
• What are the capabilities and policies for protecting our data (both physically and procedurally)?
• Do you meet general and industry-specific security and compliance standards, such as PCI-DSS or NIST?
• Does your cloud solution comply with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), HIPAA, or FedRAMP?
• Do you have cyber risk insurance?
• Do you have an audit trail for critical data and activities?
• Can the audit trail be reviewed for irregularities?
• What are the procedures in place to ensure business continuity and disaster recovery?
• Have these procedures been tested?
• Do you perform backups? How often?
• How often do service outages occur, and how long do they last?
• Do you have a guaranteed uptime?
• How do you ensure the resilience of your application?
• Are data backups stored on-site or off-site?
• How do you handle compliance with emerging regulations?

Support

• Do you monitor service continuity with upstream providers in the event of provider failure?
• Do you have a downtime plan (e.g., service upgrade, patch, etc.)?
• How is your support team structured and incentivized?
• Do you have quality measurement programs?
• What is your emergency response process?
• What is your post-emergency response process for root cause analysis?
• Can you show us your reporting mechanism for security and other incidents?
• What are your customer support response times for different severity levels?
• Do you provide dedicated account managers?
• How do you handle customer feedback and complaints?

Pricing

• Do you offer price protection and contractual flexibility?
• Do you provide a standard annual termination for convenience?
• Do you allow for annual usage-level alignment (up or down) based on business needs, and can I apply monthly “rollover” usage to address seasonal peaks?
• Do you provide long-term price protection?
• Do you offer a single bill for all services?
• Are there any hidden fees or charges?
• What is your policy for pricing changes over time?
• Do you offer volume discounts or incentives for longer-term contracts?
• How do you handle billing disputes?
• Can you provide a detailed breakdown of costs for transparency?

These questions will help you thoroughly assess cloud vendors to ensure you choose a partner that meets your technical, security, compliance, and financial needs, keeping in mind the latest industry standards and trends.