Picking a cloud provider? Ask good questions

By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal

There are many reasons why your business could be looking at cloud providers. Most are financial, but operational components are closely intertwined.

Since most of us are not technical by nature, the language of the cloud, the companies that thrive in it, and even your own IT staff may seem foreign. Still, it is important that you understand the business need that you are filling and how each cloud company will support and protect your business.

So here are some questions to ask each provider you’re considering.

Quantifiable and comparable

  • Uptime. Few things are more important than your access to your data. Your service level agreement (SLA) should outline what you are being promised but you should ask your providers to also provide data on their history of meeting or exceeding their SLAs. You’ll probably be told about x-number of 9’s. See the could speak sidebar for a translation.
  • Certifications: Cloud providers are not required to pass operational audits or certification requirements. But if you are entrusting your business to them, you may find it important that they have voluntarily submitted to audits or reviews and obtained those standards. Look for two certifications: SSAE 16 and SOC-2. The first is a statement (an attestation) that requires the company to provide and attest to a description of services provided and operational functions and controls that affect their customers. SOC-2 is an audit that addresses five key areas of data center operations: security, availability, processing integrity, confidentiality and privacy.
  • Encryption: This is often misunderstood. There are many levels of encryption but there are also different states that data may be in. Critical data should be encrypted both in transit (while it is moving from point to point, such as email being sent) and at rest (where it is stored, such as email archived in mailboxes). Be specific in your question and make sure you get a specific answer.
  • Deployment and operational flexibility: Companies don’t usually start out putting their entire business in the cloud. Usually, it’s a toe in the water: a single application, a development server, etc. So how easy is it to add to your environment, increase the workload or swap services? Do you have a portal that gives you control? Can it be done dynamically? The answers may matter more to time-dependent companies.
  • Backup and Recovery: Joe Strayer, CEO of Integral Solutions Group in Spartanburg, says backup is immaterial; it’s restore that counts. Ask prospective providers how often they test backups. Also how long recovery historically takes. You’ll need to compare by a metric such as per gigabyte or server, but the answer is critical if you get hit with a ransomware situation. Another good question is how many recovery points are maintained. If you receive malware or ransomware, you want to be able to select a restore point from BEFORE the attack. Otherwise, you are simply recovering the same corrupted data. Can you choose different restore points and how far back are they maintained?
  • Capital demands: Disk is not cheap and successful data centers need to be well capitalized. “We’ve seen a lot of providers who get into the business, then realize they can’t spend a half a million to keep up with the growth,” says Immedion CEO Frank Mobley, noting, “Success adds expense.” You’ll want to confirm that your provider has the resources and the capital planning to be sustainable.

The warm fuzzies

  • Customer Service: Who will answer the phone when you call? Who works in the data center? Strayer says “there are two things I don’t want in my data center: water and people.” To that end, there are only five ISG employees authorized to be in the DC. Most providers have staff they describe as “experts”, but what certifications do they have? CIO magazine lists 10 that can help you benchmark the expertise of the providers you’re considering. bit.ly/cloudcerts
  • Who makes you feel they really care?: Let’s face it, there are a lot of “experts” who got their certifications and then took the rest of their lives off. Some experts are great with hardware, but not so good with humanware. The best way to assess this is to ask customers. Of course, the companies will provide you with carefully curated lists of happy customers to call. But you try crowdsourcing at networking events, on LinkedIn or other social media.
  • Last failure?: Strayer suggests you ask: When was the last time you went down? The perfect answer, of course, would be “never.” But dig a little deeper. Everyone has failures whether they are within their control or the result of natural disasters or a failure of a major infrastructure system. The key to any problem is not that it happened, but what you learned from it. Says Strayer: “Find a company that is open about failures, about what the cause of those failures was, and open about the steps they took to mitigate the problem and make sure it didn’t happen again, and I would trust that company with my data.”

Noticeably missing from this list is cost. Cost is variable and is not always the biggest driver. The cheapest provider may not be the best option for a small business making their first foray to the cloud. You can compare the cost of disk, backup solutions, redundancies and other factors; but customer care, experience, and expertise are wild cards.