1. Tech Blog
  2. Key Considerations for IT Managers When Assessing Cloud Providers
Key Considerations for IT Managers When Assessing Cloud Providers

2023/04/08 10:45

 

IT managers play a crucial role in ensuring the long-term success of externalized IT systems by selecting the most suitable cloud providers. However, the market for cloud services is extensive, with a multitude of providers offering a wide range of services. From industry leaders like Microsoft, Amazon, and Google to domestic players like VNG Cloud offering tailored solutions.

Given the vast options available, how can IT managers effectively choose the right cloud provider? The answer lies in implementing a well-defined selection and procurement process that aligns with your organization's specific needs.

To assist you in this process, below is the list of key considerations that IT managers should take into account when choosing a cloud provider.

vngcloud-blog-key-considerations-for-csp-hinh-1.jpg
Explore key considerations for IT managers when assessing cloud providers

What to Consider When Choosing a Cloud Service Provider?
To effectively choose a suitable cloud service provider, it is crucial to understand your specific business needs, and clarify your requirements and minimum expectations before evaluating providers. This ensures that you compare them against your checklist, rather than comparing one provider to another. This approach allows for a quicker transition from a long list to a short list. Once you have a clear understanding of your technical, service, security, data governance, and service management requirements, you can more effectively assess your chosen group of potential providers.

It is worth noting that the specific environments and services offered by your cloud service provider will determine the necessary configurations, the work you need to undertake, and the level of assistance provided during the migration of applications and workloads to the cloud.

Ideally, you should select your providers after identifying your cloud migration candidates and concurrently analyze and prepare these workloads for migration. To aid in the selection process, here are eight key areas of consideration that can be used to compare and assess cloud service providers. These areas include:

  • Certifications & Standards
  • Technologies & Service Roadmap
  • Data Security, Data Governance and Business policies
  • Service Dependencies & Partnerships
  • Contracts, Commercials & SLAs
  • Reliability & Performance
  • Migration Support, Vendor Lock in & Exit Planning
  • Business health & Company profile.
1. Certifications & Standards


Selecting cloud service providers that adhere to recognized standards and quality frameworks is indicative of their commitment to industry best practices. Although standards alone may not dictate the choice of a service provider, they play a significant role in narrowing down the list of potential suppliers.

If security is a top priority, it is advisable to seek out suppliers who possess relevant accreditations such as ISO 27001 and PCI DSS certifications. These certifications demonstrate a provider's dedication to maintaining robust security measures.

vngcloud-blog-key-considerations-for-csp-hinh-2.jpg
Some certificates & standards for evaluating CSPs

In addition to specific certifications, it is essential to consider broader factors such as structured processes, efficient data management, effective knowledge management, and transparent visibility into service status. It is crucial to gain an understanding of how the provider intends to allocate resources and provide ongoing support to ensure continuous adherence to these standards.

2. Technologies & Service Roadmap


Technologies
When selecting a cloud provider, it is important to ensure that their platform and preferred technologies align with your existing environment or support your cloud objectives.

Evaluate whether the provider's cloud architectures, standards, and services are suitable for your workloads and align with your management preferences. Consider the extent of re-coding or customization required to make your workloads compatible with their platforms.

Many service providers offer comprehensive migration services and even provide assistance during the assessment and planning phases. It is crucial to have a clear understanding of the support they offer and align it with your project tasks to determine the division of responsibilities. In some cases, service providers have technical staff who can fill any skill gaps in your migration teams.

However, certain large-scale public cloud providers may offer limited support, necessitating the need for additional third-party assistance to address skills gaps. You can ask the platform provider for recommended third-party partners who possess experience and extensive knowledge of the target platform.

Service Roadmap
When assessing cloud providers, it is essential to inquire about their service development roadmap: Understand how they plan to innovate and expand their offerings over time, evaluate whether their roadmap aligns with your long-term needs.

Consider their commitments to specific technologies or vendors and how they support interoperability. It is valuable if they can demonstrate similar deployments to what you are planning. For SaaS providers, having a well-defined roadmap for features, services, and integrations is highly desirable.

Depending on your cloud strategy, it may also be necessary to evaluate the overall portfolio of services offered by the providers. If you work with a few key cloud service providers, it is important that they offer a comprehensive range of compatible services.

3. Data Governance & Security


Data Management
When selecting a cloud provider, data management plays a crucial role. It is important to have a data classification scheme in place, defining data types based on sensitivity and adhering to data residency policies and regulatory requirements, especially regarding personal data. Some notable legal documents are Decree 53/2022/ND-CP on Cybersecurity Law, and Decree 13/2023/ND-CP on Personal Data Protection.

Consider the location of your data and the local laws it falls under, as this may impact your selection process. If you have specific requirements and obligations, seek providers that offer choice and control over the jurisdiction in which your data is stored, processed, and managed. Providers should be transparent about their data center locations, but it is your responsibility to gather this information as well.

Assess the provider's ability to protect data during transit through encryption, ensuring data moving to and within the cloud is securely encrypted. Sensitive data should also be encrypted at rest, reducing exposure to unauthorized administrator access. Object storage should typically employ encryption at the file/folder or client/agent level for sensitive volumes.

Understand the provider's data loss and breach notification processes, ensuring they align with your organization's risk appetite and legal or regulatory obligations.

Data and System Security
When evaluating a cloud provider, it is crucial to assess their data and system security levels, as well as the maturity of their security operations and governance processes. The provider's information security controls should align with your own security policies and processes, demonstrating a risk-based approach.

Ensure that user access and activity can be audited through all channels, and seek clarity on security roles and responsibilities as outlined in the contracts or business policies documentation.

Check if the provider complies with standards such as the ISO 27000 series or holds recognized certifications. Verify the validity of these certifications and seek assurances regarding resource allocation, including budget and headcount, to ensure ongoing compliance with these frameworks.

Request internal security audit reports, incident reports, and evidence of remedial actions taken for any identified issues. This will help you gauge the provider's commitment to security and their ability to address potential vulnerabilities.

vngcloud-blog-key-considerations-for-csp-hinh-3.jpg
4. Service Dependencies & Partnerships


Vendor Relationships
It is important to consider the vendor relationships of service providers. Evaluate the provider's relationships with key vendors, including their accreditation levels, technical capabilities, and staff certifications. Determine if they support multi-vendor environments and ask for relevant examples.

Consider whether the services offered by the provider fit into a larger ecosystem of complementary or supportive services. For example, when choosing a SaaS CRM, assess if there are existing integrations with finance and marketing services. In the case of PaaS, check if there is a cloud marketplace offering preconfigured services that integrate effectively on the same platform.

Subcontractors and Service Dependencies
It is essential to uncover any service dependencies and partnerships involved in the provision of cloud services. For instance, SaaS providers often rely on existing IaaS platforms to deliver their services, so it is important to understand how and where the service is being delivered.

In some cases, there may be a complex network of interconnected components and subcontractors that contribute to the delivery of a cloud service. It is vital for the provider to disclose these relationships and ensure that the primary service level agreements (SLAs) apply across all parts of the service, even those not directly under their control. Understanding the limitations of liability and policies regarding service disruptions related to these subcomponents is also crucial.

When considering providers, particularly for mission-critical business processes or data governed by data privacy regulations, it is wise to exercise caution if there is a long chain of subcontractors involved. The Code of Practice emphasizes the need for explicit clarification of service dependencies and their implications on SLAs, accountability, and responsibility of relevant parties.

5. Contracts, Commercials & SLAs


Contracts & SLAs
Cloud agreements can be complex, and the lack of industry standards for their construction and definition can add to the confusion. Many cloud providers still use unnecessarily complicated or intentionally misleading language in their SLAs.

However, there has been some progress in addressing this issue with the latest revision of the ISO standards for Service Level Agreements, ISO/IEC 19086-1:2016. This revision provides a useful framework for assessing providers' agreements.

Agreements can range from standard "Terms and Conditions" agreed upon online to individually negotiated contracts and SLAs. The size of the CSP compared to the customer can influence the negotiation process. Smaller CSPs are more open to negotiations but may agree to custom terms that they may struggle to support. It is important to challenge providers offering flexible terms and request details on how they plan to support and govern these variations, including clarifying responsibilities and processes.

vngcloud-blog-key-considerations-for-csp-hinh-4-en.png
Factors to consider when choosing a CSP

Service delivery


When assessing a cloud service provider, it is important to have a clear understanding of the service and deliverables they offer. Clarify the roles and responsibilities associated with the service, including aspects such as service delivery, provisioning, service management, monitoring, support, and escalations. It is crucial to determine how these responsibilities are divided between the customer and the provider.

Additionally, consider how the provider manages, ensures service accessibility and availability. This includes factors such as maintenance, incident remediation, and disaster recovery. Evaluate how these policies align with your specific requirements and expectations.

Data policies and protection


When evaluating a cloud service provider, it is crucial to assess their security policies and data management practices, especially in relation to data privacy regulations: Verify that the provider offers adequate guarantees regarding data access, data location and jurisdiction, confidentiality, and ownership rights. Examine their backup and resilience provisions to ensure the safety of your data.

Additionally, review the provider's data conversion policies to understand how easily your data can be transferred if you choose to switch providers in the future. It is essential to scrutinize these aspects to ensure the protection and portability of your data.

Business terms


When assessing cloud providers, important business terms to consider include:

  • Contractual and service governance, examining the provider's ability to unilaterally change terms and conditions.
  • Policies on contract renewals, exit clauses, and modification notice periods.
    Insurance policies, guarantees, penalties, and any accompanying conditions.
  • Willingness of the provider to undergo auditing operations and comply with policies.
    Legal Protections

When reviewing contracts with cloud providers, it is important to carefully examine the specific terms related to indemnification, intellectual property rights, limitation of liability, and warranties. While these protections are typically included in provider contracts, the parameters and scope of these protections should be thoroughly scrutinized. These terms often become the subject of negotiation as customers seek to limit their liability in the event of data privacy breaches, while providers aim to mitigate their own liability in case of claims.

Service Level Agreements (SLAs)
SLAs should consist of three key components that deserve attention:

  • Service level objectives (SLOs): These define the expected performance levels for various aspects of the service, such as accessibility, service availability, capacity, response time, and elasticity. Look for SLOs that are relevant, measurable, explicit, and unambiguous. It's beneficial if they can be audited and clearly stated in the SLA.
  • Remediation policies and penalties/incentives: SLAs should outline how issues will be identified, resolved, and by whom within specific timeframes. They should also specify the compensation options available and the processes for logging and claiming. It's essential to understand the terms that limit the scope of the SLA and take note of exclusions and caveats.
  • Exclusions and caveats: Pay close attention to these terms as they define the boundaries and limitations of the SLA. Often, service credit calculations can be complex. Request worked examples or create a hypothetical downtime scenario to compare the compensation differences among shortlisted providers.

Thoroughly scrutinizing these terms is crucial to ensure that the SLA aligns with your expectations and requirements. It may be helpful to request clarification or further information from the providers to fully understand how they handle these aspects.

Cloud Pricing and Flexibility


Each cloud service provider offers a unique set of services and pricing models, and different providers may have advantages in pricing for specific products. Pricing variables typically depend on the duration of usage, with Pay-as-you-go option or discounts for longer commitments.

SaaS products are commonly priced on a per-user, per-month basis, although there may be different tiers based on storage needs, contract terms, or access to advanced features. Pricing models for PaaS and IaaS are more detailed, with costs associated with specific resources or resource sets. In addition to considering financial competitiveness, it's important to look for flexibility in terms of resource options and the speed of provisioning and deprovisioning.

Having an application architecture that enables independent scaling of different workload elements allows for more efficient use of cloud resources. The way a cloud service provider packages its services inside containers can impact your ability to fine-tune scalability. Therefore, it's crucial to choose a provider that aligns with your scalability requirements and offers the desired level of flexibility.

vngcloud-blog-key-considerations-for-csp-hinh-5.jpg
At VNG Cloud, we provides professional services at a reasonable price
6. Reliability & Performance


There are several methods to assess the reliability of a service provider. Firstly, review the service provider's performance against their SLAs over the past 6-12 months. Some providers may publish this information, while others can provide it upon request.

It's important to note that no provider is perfect, and downtime is unavoidable. What matters is how the provider handles such instances. Ensure that the monitoring and reporting tools offered by the provider are adequate, and can integrate with your overall management and reporting systems.

Verify that your chosen provider has well-established, documented, and proven processes for managing both planned and unplanned downtime. They should have clear plans and processes in place for communicating with customers during disruptions, including timely updates, issue prioritization, and severity level assessment. Take note of the remedies and liability limitations provided by the cloud provider in case of service issues.

Disaster Recovery
Gain an understanding of the disaster recovery provisions and processes offered by the provider, as well as their ability to meet your data preservation expectations, including recovery time objectives. This assessment should encompass factors such as data criticality, data sources, scheduling, backup, restore, and integrity checks.

You must ensure that roles, responsibilities, escalation processes, and the burden of proof are clearly outlined and documented in the service agreement. This is crucial because, in certain cases, your team may be responsible for implementing some of these processes.

If the costs associated with recovery are not covered by the provider's standard terms and conditions, consider acquiring additional risk insurance to mitigate potential financial impacts.

7. Migration Support, Vendor Lock-in & Exit Planning


Vendor lock-in occurs when a customer becomes unable to easily switch to a competitor's product or service. This is often due to the use of proprietary technologies that are incompatible with alternatives. Inefficient processes or contractual constraints can also contribute to vendor lock-in.

Cloud services that heavily rely on unique proprietary components can hinder your ability to migrate to other providers or manage operations in-house. This becomes especially challenging when applications need to be re-architected for a specific service provider platform.

To mitigate the risk of vendor lock-in, it is advisable to choose a provider that minimizes the use of proprietary technology and avoids services that restrict your ability to transition. It is ideal to select value-added services that have comparable alternatives in the market and regularly review available options, reducing the risk of lock-in.

Additionally, be cautious of "enhancement creep", where service providers introduce lock-in factors by modifying configurations, policies, or technologies. While there may be benefits to working with a few key providers, it is important to consider the potential risks of over-reliance on a single supplier and maintain a balanced approach.

Finally, plan your exit strategy when entering a relationship with a cloud service provider. Transitioning away from their service can be challenging, so it's important to understand their processes beforehand. Also, consider how you will access and retrieve your data, its condition upon retrieval, and how long the provider will retain it.

vngcloud-blog-key-considerations-for-csp-hinh-6.jpg
8. Business health & Company profile


When assessing potential suppliers, it's important to not only consider their technical and operational capabilities but also their financial health and profile. Ensure that your shortlisted providers have a solid business foundation. Look into their financial stability and check if they have encountered any legal issues or lawsuits. You can ask them directly or conduct your own research:

  • Inquire about any planned corporate changes, mergers, acquisitions, or future business goals.
  • Understand the competitive position and ambitions of the provider.
  • Utilize analyst profiles, online reviews, and market research to gauge their market status.
  • Take a closer look at the management team's history, which can be revealed through platforms like LinkedIn.
  • Assess their track record, consistent performance, and commitment to good corporate governance.
  • Consider the types of customers they serve and the markets they prioritize. Vertical emphasis may indicate investment in valuable niche offerings.

How to find your trusted cloud service provider?
When evaluating potential providers, it is important to consider a combination of hard and soft factors. Validate the certifications and standards they adhere to, as well as gather insights from customer case studies and testimonials.

To ensure long-term success and avoid vendor lock-in, prioritize providers that steer clear of proprietary technologies and have a clearly defined exit strategy in place. This proactive approach will save you from future complications.

As an IT manager, take the necessary time to establish robust service level agreements (SLAs) and contractual terms. These agreements serve as the primary assurance that the services will be delivered as agreed upon, providing you with confidence in the provider-client relationship.

VNG Cloud is a leading cloud service provider in Vietnam, known for its reliable, secure, and scalable solutions. With advanced infrastructure and cutting-edge technologies, we offer tailored cloud solutions to meet diverse business needs. From IaaS to PaaS and SaaS, we empower organizations for seamless integration and high-performance computing.

 

Tag:
Tech Blogcloud computing

article.read_more