Cloud computing remains highly sought after by companies aiming to leverage scalable resources, efficient IT operations, and access to enterprise-style software tools without the need for a large network infrastructure.
Amid the continued buzz surrounding Software as a Service (SaaS) and cloud computing, businesses often choose a cloud vendor based on inflated expectations or a misunderstanding of what the service actually delivers, and end up disillusioned. Each cloud provider offers capabilities tailored to specific needs, so the vendor has to be matched to yours.
This updated post presents critical questions for a comprehensive Cloud Vendor Assessment. These questions will help you evaluate and choose the best cloud vendor for your business, both functionally and economically.
Cloud Vendor Assessment – 80 Questions
Engagement
- How long have you been in the market?
- What industry is the solution designed for?
- Are there current issues of concern (for example, negative press or recent data breaches)?
- Can you give examples of customers successfully using the solution in production?
- How is your solution superior, both functionally and economically, to other available solutions?
- Can you provide at least three blind references?
- Can you demonstrate similar deployments to the ones we are planning?
- Can you show us relevant examples of functional proof points and ROI?
- How have other customers used your solution to solve similar business challenges?
- How do you engage with your customers for feedback and improvements?
Deployment/Service
- Can we run a pilot program to prove the concept before we make a substantial investment?
- Can your solution be configured to fit our requirements without writing code?
- Do you have service-level agreements (SLAs)?
- How is your availability SLA superior to your competitors?
- Do you establish SLAs with real penalties for failure?
- Can we add and remove services as needed?
- Do you subcontract any part of the service to a third party (for example, hosting on another provider's infrastructure)? If so, to whom?
- What happens to our data when the service is terminated?
- Can your solution be integrated with our existing systems?
- How scalable is your solution in terms of handling increased workloads?
Security / Audit
- Do you perform regular vulnerability assessments/penetration tests? When was the most recent assessment, and what risks were identified?
- Do we have the right to audit the cloud provider?
- Where are your data centers located, and how are they secured?
- Are there controls to ensure that data can only be entered and changed by authorized personnel?
- How is privileged (administrative) access restricted, monitored, and periodically reviewed?
- Are user accounts individually identifiable (unique IDs, no shared credentials), and is multi-factor authentication supported for user and administrative access?
- Is data encrypted in transit, including virtual machine images moved between networks and between hypervisor hosts, and at rest? Who controls the encryption keys?
- Can you list your current security features? Are they supported by an independent information security management certification (e.g., ISO/IEC 27001)?
- Does your logging and monitoring framework allow an incident to be isolated to specific tenants?
- Who has access to these logs, and how long are logs maintained?
- Is a third party involved in the integration process?
- How do you handle data privacy regulations (e.g., GDPR, CCPA)?
- What is your process for handling a data breach, including how and when customers are notified?
Disaster Recovery and Compliance
- Do you have an effective and comprehensive disaster recovery plan?
- Is the proposed architecture sufficiently redundant (for example, across availability zones or regions) to avoid a single point of failure?
- Does your solution meet critical security and compliance requirements?
- What are the capabilities and policies for protecting our data (both physically and procedurally)?
- Do you meet general and industry-specific security and compliance standards, such as PCI DSS or the NIST frameworks (e.g., SP 800-53 or the Cybersecurity Framework)?
- Can you provide an independent attestation report, such as a SOC 2 Type II report issued under the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), and do you comply with HIPAA or FedRAMP where applicable?
- Do you have cyber risk insurance?
- Do you have an audit trail for critical data and activities?
- Can the audit trail be reviewed for irregularities?
- What are the procedures in place to ensure business continuity and disaster recovery?
- Have these procedures been tested?
- Do you perform backups? How often?
- How often do service outages occur, and how long do they last?
- What uptime do you guarantee contractually?
- How do you ensure the resilience of your application?
- Are data backups stored on-site or off-site?
- How do you handle compliance with emerging regulations?
Support
- Do you monitor your upstream providers, and how is service continuity maintained if one of them fails?
- How do you schedule and communicate planned downtime (for example, for service upgrades and patching)?
- How is your support team structured and incentivized?
- Do you have quality measurement programs?
- What is your emergency response process?
- What is your post-emergency response process for root cause analysis?
- Can you show us your reporting mechanism for security and other incidents?
- What are your customer support response times for different severity levels?
- Do you provide dedicated account managers?
- How do you handle customer feedback and complaints?
Pricing
- Do you offer price protection and contractual flexibility?
- Does the contract include a standard annual termination-for-convenience clause?
- Do you allow annual usage levels to be aligned (up or down) with business needs, and can we apply monthly "rollover" usage to cover seasonal peaks?
- Do you provide long-term price protection?
- Do you offer a single bill for all services?
- Are there any hidden fees or charges?
- What is your policy for pricing changes over time?
- Do you offer volume discounts or incentives for longer-term contracts?
- How do you handle billing disputes?
- Can you provide a detailed breakdown of costs for transparency?
These questions will help you assess cloud vendors thoroughly and choose a partner that meets your technical, security, compliance, and financial needs in line with current industry standards.