How do I choose: 8 criteria to ensure you select the right cloud service provider

How to select the right cloud service provider
As more and more IT systems are externalised, making sure you pick the right cloud providers has become critical to long-term success.

However, the available market is vast, with a myriad of providers offering an even larger number of services. From market giants like Microsoft, Amazon and Google through to smaller niche players offering bespoke services.

So how do you select the right cloud provider from so many? The answer is a defined selection and procurement process appropriately weighted towards your unique set of needs.

We’ve distilled the key factors into a definitive list of 8 consideration areas.

For a complete and comprehensive cloud adoption guide, including how to assess cloud service providers – see our online e-learning courses

Timing – When to select a cloud provider?
Before you can effectively select a suitable provider you need to understand your specific business needs. This sounds pretty obvious, but clarifying your specific requirements and minimum expectations, in advance of assessing providers ensures you are comparing them all against your checklist, instead of comparing one against the other.  This is the quickest way to move from long list to short list.

Armed with clarity on technical, service, security, data governance and service management requirements, you can more effectively interrogate your select group of potential providers.

It’s also worth noting, when migrating applications and workloads to the cloud, the specific environments you choose and the services offered by your cloud service provider will determine the configurations needed, the work you need to do and the help you can get from the provider in doing it.

Ideally, therefore, you should choose your providers after you have identified your cloud migration candidates but in parallel with analysing and preparing these workloads for migration.

We have grouped these into 8 sections to help you effectively compare suppliers and select a provider that delivers the value and benefits your organisation expects from the cloud.

Certifications & Standards
Technologies & Service Roadmap
Data Security, Data Governance and Business policies
Service Dependencies & Partnerships
Contracts, Commercials & SLAs
Reliability & Performance
Migration Support, Vendor Lock in & Exit Planning
Business health & Company profile

Data Governance and security
Data management
You may already have a data classification scheme in place that defines types of data according to sensitivity and/or policies on data residency. At the very least you should be aware of regulatory or data privacy rules governing personal data.

With that in mind, the location your data resides in, and the subsequent local laws it is subject to, may be a key part of the selection process. If you have specific requirements and obligations, you should look for providers that give you choice and control regarding the jurisdiction in which your data is stored, processed and managed. Cloud service providers should be transparent about their data centre locations but you should also take responsibility for finding this information out.  

If relevant, assess the ability to protect data in transit through encryption of data moving to or within the cloud. Also, sensitive volumes should be encrypted at rest, to limit exposure to unapproved administrator access. Sensitive data in object storage should be encrypted, usually with file/folder or client/agent encryption.

Look to understand the provider’s data loss and breach notification processes and ensure they are aligned with your organisation’s risk appetite and legal or regulatory obligations.

The CIF Code of Practice framework has some useful guidance to help identify relevant security and data governance policies and processes as part of a provider assessment.

Subcontractors and service dependencies
It’s also important to uncover any service dependencies and partnerships involved in the provision of the cloud services.  For example, SaaS providers will often build their service on existing IaaS platforms, so it must be clear how and where the service is being delivered.

In some cases there maybe a complex network of connected components and subcontractors that all play a part in delivering a cloud service. It’s vital to ensure the provider discloses these relationships and can guarantee the primary SLAs stated across all parts of the service, including those not directly under its control. You should also look to understand limitations of liability and service disruption policies related to these subcomponents.

In general, think twice before considering providers with a long chain of subcontractors.  Especially with mission critical business processes or data governed by data privacy regulations.+

The Code of Practice requires explicit clarification of service dependencies and the implications on SLAs, accountability and responsibility.

The most common model for SaaS based products is on a per user, per month basis though there may be different levels based on storage requirements, contractual commitments or access to advanced features. 

PaaS and IaaS pricing models are more granular, with costs for specific resources or ‘resource sets’ consumption. Aside from financial competitiveness look for flexibility in terms of resource variables but also in terms of speed to provision and de provision. 

Application Architecture that allows you to scale different workload elements independently means you can use cloud resources more efficiently. You may find that your ability to fine tune scalability is affected by the way your cloud service provider packages its services and you'll want to find a provider that matches your requirements in this regard.