Step 7: Choose the Right Cloud Service Provider
Choosing a cloud service provider is complicated on many levels, from the cloud delivery model and architecture to specific applications. Add to that the countless interdependencies and relationships, both technological and business-related, among vendors. To complicate matters, some companies offer not only software, but also hardware and services. Nevertheless, you must be vigilant about making sure the security you need to protect your data and platform is part of the offering. At the highest level, you need to know whether the cloud provider can provide evidence of data and platform protections for the services they provide. Once you are comfortable that your criteria can be met, you can establish measurable, enforceable SLAs to provide ongoing verification. The following is a list [9] of additional security considerations to think about when choosing a cloud service provider.
Security Selection Criteria
Data center risk management and security practices
  What are the patch management policies and procedures?
  How does technology architecture and infrastructure impact the cloud service provider’s ability to meet SLAs?
  Can the cloud service provider offer trusted pools for your most sensitive workloads?
  Is encryption a software-only solution?
  How are systems, data, networks, management, provisioning, and personnel segmented?
  Are the controls segregating each layer of the infrastructure properly integrated so they do not interfere with each other? For example, investigate whether the storage compartmentalization can easily be bypassed by management tools or poor key management.
  What cloud access and identity protocols are used?

Attack response and recovery
  How are attacks monitored and documented?
  How quickly can the cloud service provider respond?
  What recovery methods are used?

System availability and performance
  How does the cloud service provider handle resource democratization and dynamism to best predict proper levels of system availability and performance through normal business fluctuations?
  How does the cloud service provider measure performance?

Vendor financial stability
  Is the cloud service provider financially stable?
  How long has the vendor been in business?
  What is their current financial standing?
[9] Adapted and expanded from "How to Choose a Cloud Computing Vendor." Inc.com (November 29, 2010). inc.com/guides/2010/11/how-to-choose-a-cloud-computing-vendor.html
17 Intel IT Center Planning Guide | Cloud Security