4 Ways to Vet a Private Cloud Provider
Connectria
Author
Date
September 19, 2019
Private Clouds Remain Popular – And for Good Reason!
While Azure and AWS are becoming ever-more popular and better suited to more types of workloads, private clouds remain the choice of many organizations. Last year, IDC found that private cloud spending had increased by 28.2 percent year over year. (For comparison, the growth of the pubic cloud grew by nearly 50 percent.)
While public cloud spending is growing faster than private cloud spending, there are a number of reasons a business might opt for a private cloud. Greater control is one. Even though a public cloud can be compliant with most industry standards and regulations, the organization may not feel it has the skill set to manage a compliant cloud environment. Migrating legacy applications to a cloud environment can amplify these concerns, and private clouds can minimize an organization’s risk exposure.
There’s also the question of skill sets. Every day, we hear stories of misconfigured cloud-based resources, e.g., databases, being the root cause of a security breach or non-compliance with a regulation such as HIPAA. To make matters worse, these exposed resources may not be discovered for weeks or even months.
A private cloud, hosted by a reputable cloud provider, can help you take advantage of the benefits of cloud computing while minimizing your risks.
What is a private cloud?
A private cloud is one in which cloud-based resources are dedicated to a single organization. For the purposes of our discussion, we are referring specifically to private, hosted clouds operated by a third-party managed service provider like Connectria.
Doing Your Due Diligence
Before trusting your most sensitive or mission-critical workloads to a third-party cloud provider, you need to do your due diligence. Here are four ways to check out a potential provider before you sign on the dotted line.
1. An onsite visit
If it’s feasible, onsite visits are a great way to get a better feel for how secure the site is and how comfortable you are with the people who will be overseeing your systems.
Nevertheless, an onsite visit isn’t always feasible, especially if you need to migrate workloads quickly and the data centers you’re considering are hundreds of miles away. When you can visit a site, a visual inspection also doesn’t tell you everything you need to know.
2. Independent audits
ALL reputable cloud providers have their data centers audited regularly, usually once a year. SOC 2 compliance is probably one of the most common types of audits you’ll see, and it’s a good one because it covers a wide range of core requirements.
In a nutshell, SOC 2 assesses the provider’s ability to ensure the security, availability, integrity, confidentiality, and privacy of their customers’ data. However, there are two types of SOC 2 reports. They are oh-so-descriptively named Type I and Type II, and the difference is important.
Type I assesses the provider’s systems and protocols at a point in time. The auditor will come in and look at how the controls are designed and evaluate their suitability. Type II looks at the effectiveness of these controls by assessing them over time – a minimum of six months. That is, SOC 2 Type II validates not only that the controls are in place, but also that protocols are consistently being followed and they work. I don’t know about you, but if I were going to trust my data to a third-party provider, I wouldn’t settle for anything less than an independent SOC 2 Type II audit. In addition to our annual SOC 2 Type II audits, our data centers are also audited for HIPAA/HITECH, PCI-DSS, ISO 27001, FISMA, FERPA, GDPR, Bill 198, and HITRUST.
3. Features checklists
The audits do a great job of creating a foundation of confidence, but you’ll also want to create a list of must-have features aligned to your specific requirements. For example, if you’re a Microsoft shop, you’ll probably want to choose a vendor with experience in Azure as well as other Microsoft applications and platforms. Likewise, if your mission-critical systems are running on IBM i or IBM AIX, you’ll want a vendor who can host applications in an IBM environment.
Next, think of any potential gaps in your IT strategy. Do you have the staff you need to keep up with the ever-changing cybersecurity threat landscape? Do you have a current, tested disaster recovery plan? Do you have open roles you haven’t been able to fill such as an IBM system administrator or SQL DBA? Add these items to your checklist as well and look for a managed cloud provider that can also offer assistance in these areas.
4. Customer references
Finally, if you were referred to a provider by someone you know and trust, you’re already a step ahead. If not, customer references are your next best source. Check out the vendor’s case study page, and look for businesses that are similar to yours or those that addressed the same challenges.
Keep Reading
Prepare for the future
Tell us about your current environment and we’ll show you the best path forward.
Fast track your project. Give us a call.