A Guide to Choosing a New Cloud Service Provider
(White Paper)

There are multiple steps in the selection process for a vendor supplying business critical services. The first of these is understanding exactly what your requirements will be.

Before selecting a managed services partner, it's essential to create a specification of what services they will manage. This sounds obvious but is often overlooked.

Conducting an internal assessment of your requirements, and potentially working with a certified architect to plan out what you will need will give you the ability to discuss your true needs with potential suppliers and get a like for like comparison of the service levels and costs that they will bring forward.

A clear picture of what technical requirements you have along with your expectations of service levels, and any particular data governance needs that you have means that the quotes you receive will cover the different items in your checklist and streamline the process of moving to a preferred support partner.

In some cases, you may find that the partner you choose for a migration project is different to the one who will provide long term support. In that case, it is useful to engage with the long- term support partner early in the migration process to give them greater insight into your solution— this will make future support much more efficient and useful.

Ultimately, your choice of cloud partner will come be based upon your perception of who “gets” your business best and is able to provide the insight and support levels you need to ensure that your performance goals are met. If you follow a formal supplier recruitment process, then you will set a group of criteria for the selection and focus on these during the assessment. The following criteria should form part of your cloud partner assessment — the weight that they are given in the scoring would be dependent on how you want to manage the relationship in the context of your own business goals.

1. Contracts & commercial agreements
2. Supplier accreditation
3. Supplier business health
4. Vendor Relationships
5. Data governance and security
6. Technology roadmap

Your relationship with an Amazon or Azure managed services provider will usually continue over multiple years, and as such, taking time to consider the history, financial health and business goals of your provider is important.

Without a sound business in place, even the most competitive provider may not be a good long-term fit for your business, and if they cease trading without adequate warning, you may lose data or your application.

Both Microsoft and Amazon provide guidance on partner selection, specifying that:

“The provider should have a track record of stability and be in a healthy financial position with
sufficient capital to operate successfully over the long term”.

A partner's long term plans may be subject to change during the lifetime of your agreement, but at the outset it is wise to establish whether there are any major corporate changes such as mergers or acquisitions that are planned which may affect your business relationship.

The type of client that your provider typically works with is important to research. A provider without experience of the nuances and legal requirements in your sector may not be a good fit for security reasons. Likewise, a partner who works with much larger or smaller businesses than yours may not assign an expected level of resource to your management.

Modern public cloud managed service providers will typically work with multiple vendors in order to provide the most appropriate solution for clients. In most cases, this can be seen in their partner status with either Microsoft or Amazon.

Talk to your prospective provider about the length of their relationship with their vendors and the level of certification and training that they offer. Adherence with partner requirements will usually entail having a range of qualifications to cover the different aspects of managing services within the platform.

Talk to providers about technical competencies to ensure that they can extend your existing skill levels. Choosing an Azure provider based on them simply having Microsoft Gold Partner status without confirming that their specialisms are appropriate to cloud and Azure may result in an unsuitable and inexperienced partner taking responsibility for critical business services.

Cloud hosting of data and services is more secure than legacy hosting — provided that the proper security measures are taken, and that software is regularly patched and reviewed. When moving to the cloud you still need to be mindful of how your information is secured and discuss with your vendor about what steps they are taking to protect your business-critical information.

Information security

Maintaining the security of your data and that of clients is a fundamental requirement for most application hosting. A successful cloud managed services provider will be able to demonstrate the processes that they have put in place to protect your information and provide system security.

Managing and minimising risk should be at the heart of the security policies. You will need to agree responsibility for all aspects of InfoSec with your provider and ensure that their policies are compatible with your own.

The ability to audit access and activity on your cloud platform is essential. A managed services provider who is unable to share this information with you should be avoided. Processes need to be documented and agreed to protect your business.

Examples of incident and security audit reports should be provided at the outset of the agreement, and policies agreed for how these would be supplied if required during the relationship.

Data management

GDPR and similar legislation has given more emphasis to the way data is held and managed, and as such, considerations about how your data is stored and managed should be a fundamental part of your agreement.

Key questions to ask include where your data will reside. Azure and AWS use global data centre networks to deliver their services and provide backups which means that data centre location is a consideration — it's possible to manage Azure costs by buying capacity internationally, so discuss this arrangement with your supplier as it could be leveraged to reduce costs for certain aspects of your solution.

Application function around security and encryption should form part of the testing process prior to deployment to ensure that any existing aspects are retained in your new arrangement.

Your provider should be able to provide you with insight into their notification process for data loss or security breaches and ensure that they are aligned with your obligations.

Disaster recovery

For a business-critical cloud solution, it is important to understand what the disaster recovery processes are and how you can use them.

You should agree data preservation expectations including recovery times - these may be specific to different aspects of your solution and include issue reporting and the provision of plans to avoid recurring issues.

Roles and responsibilities, escalation processes and who has the burden of proof, all must be clearly documented in the service agreement. This is vital, as in many cases, your team may be responsible for implementing some of these processes.

It is important to recognise that not all issues your business may face would be covered within the Disaster Recovery process of your provider — such as in the even that they cease trading. As such, you should also consider purchasing additional risk insurance to ensure that the costs of recovery can always be covered.

A long-term relationship with your provider will inevitably involve changes to their relationship with technology and the range of services that they are able to provide.

For a provider who offers software-based management of your Azure or AWS deployment, the future development of their technology will impact on your application and hosting. Discuss their innovation roadmap as part of the selection process to ensure that a solution that works well today will continue to take advantage of new releases within the cloud and what their ongoing plans are.

Your supplier may be committed to a single platform today (e.g. Microsoft Azure), but you should discuss future options with them — for example what would their plans be if developments from another vendor such as IBM outstrip their current preference and offer a more cost effective or efficient solution to your application hosting needs.

When selecting your new cloud partner for migration or management services, it's important to >include both hard and soft criteria in your assessment process. It's likely that your relationship with a supplier will extents over multiple years, so you need to have a strong relationship with your partner that allows them to help you understand and meet your business goals.

Key factors such as certifications, skills and applicable standards should be considered as fundamental to the decision, but it is also vitally important to investigate existing client relationships through case studies, references and testimonials.

Over the lifespan of your contract, it is likely that there will be personnel changes on both sides of the agreement, along with platform changes as new technologies are introduced and billing structures change.

Your decision should be based not just on who will be the most appropriate partner today, but also into the future and your final contract with the supplier needs to cover your changing needs and allow for growth without affecting the quality of service and value you receive.

Taking the time at the start of the relationship to agree mutually beneficial terms and SLAs give you a strong foundation for a relationship that can help your business maximise the value of both the cloud and the level of insight and development that your partner can offer.