The absence of a common framework for assessing Cloud Service Providers (CSPs), combined with the fact that no two CSPs are the same, complicates the process of selecting one that’s right for your organization. To help you work through this, we’re using this post to discuss seven basic factors you can use to identify a provider that can best match your business, technical, and operational needs.
In this post, we’re going to assume that you will be relying on public cloud infrastructure. There’s no reason to DIY (which can be costly, complex, and frustrating) when there are experts who can do it far better (no offense!). The shared responsibility model is such that you should be able to rely on cloud service providers to take care of the cloud itself while you focus on what’s in the cloud (your data and applications).
So, how do you choose a public cloud provider? First, it’s helpful to know who the major players are today.
The field has a lot of competitors in it, including the big three — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — as well as a host of smaller or niche players. And of course, AWS, GCP, and Azure dominate. (It’s tempting to speculate about the role that attrition and consolidation might have in this space over the next few years, but it’s also out of scope for our current discussion.)
AWS has been in the game the longest, and has captured the largest market share with 57% of the market running their apps on AWS. Microsoft has 34%, and Google has garnered 15% of market share. Other providers you may want to consider include Rackspace and IBM Cloud. They are generally smaller and more specialized but may have services that suit your needs.
As the statistics above indicate, AWS has long ruled the cloud platform space. But today more and more companies are branching out and using additional providers as well. Often this isn’t a matter of replacing one with another, but of different business requirements (such as managing risk and costs) being suited to different cloud vendors.
Other reasons for using more than one provider could include the fact that vendors work to price their offerings competitively and continually add new features. Additionally, many organizations that run Windows are offered free Azure credits. It may make sense to take advantage of these sorts of promotions (although we advise that cost should not be your first or only priority). Below, we’ll cover some of the key criteria to evaluate when you are deciding which direction to move in.
Primary Evaluation Criteria
As you determine which cloud provider(s) you will use, you will want to evaluate the options that different providers offer and look at how they would support your unique business characteristics and objectives. The principal elements to consider for almost every company are as follows:
You want to understand precisely what your security goals are, the security measures that are offered by each provider, and the mechanisms they use to preserve your applications and data. In addition, make sure you completely understand the specific areas that each party is responsible for. (Look at AWS’s Shared Responsibility Model documentation as well as Azure’s and Google’s approach to security.)
Security is a top concern in the cloud (and everywhere else these days), so it’s critical to ask detailed and explicit questions that relate to your unique use cases, industry, regulatory requirements, and any other concerns you may have. Do not neglect to evaluate this essential feature of operating in the cloud.
Next make sure you choose a cloud architecture platform that can help you meet compliance standards that apply to your industry and organization. Whether you are beholden to SOC 2, PCI DSS, HIPAA, or any other frameworks, make sure you understand what it will take to achieve compliance once your applications and data are living in a public cloud infrastructure. Be sure you understand where your responsibilities lie, and which aspects of compliance the provider will help you check off.
When choosing a cloud provider, think about how the architecture will be incorporated into your workflows now and in the future. For example, if your organization has already invested heavily in the Microsoft universe, it might make sense to proceed with Azure, since Microsoft gives its customers licenses (and often some free credits). If your organization relies more on Amazon or Google services, then it may be best to look to those vendors for ease of integration and consolidation.
Additionally, you may want to consider cloud storage architectures when making your decision. When it comes to storage, the three major vendors have similar architectures and offer multiple types of storage to fit different needs, but they all have different types of archival storage. If this is important to you, you will want to understand the nuanced differences between them. Each of the services offers options for storing and retrieving data frequently vs. infrequently (hot vs. cool storage). Typically, cool storage costs less but comes with various restrictions.
You will also want to spend some time determining what various cloud platforms will demand from you to manage. Each of the services supports different orchestration tools and integrates with various other services. If you have services that are particularly vital to your organization, make sure that the cloud provider you choose offers an easy way to integrate with them (or that your organization is comfortable porting over to a similar service that is supported). You’ll also want to determine how much time and effort it will take your team to manage various aspects of the cloud infrastructure before you make a final decision.
5. Service Levels
This characteristic is essential when businesses have strict needs in terms of availability, response time, capacity, and support (which, let’s be honest, almost all do these days). Cloud Service Level Agreements (Cloud SLAs) are an important element to consider when choosing a provider. It’s vital to establish a clear contractual (read: legally enforceable) relationship between a cloud service customer and a cloud service provider. Particular attention should also be paid to legal requirements for the security of data hosted in the cloud service. You need to be able to trust your cloud provider to do the right thing, and you need a legal agreement that will back you up if something goes wrong.
Support is another parameter that requires careful consideration. If you need help, will you be able to get it quickly and simply? In some cases, the only support you will get is through a chat service or call center. This may or may not be acceptable to you. In other cases, you may have access to a dedicated resource, but there’s a good chance there will be constraints on time and access. Ask questions up front about what level and form of support you will have access to before you choose a cloud provider.
While it should never be the single or most important factor, there’s no denying that cost will play a big role in deciding which cloud service provider(s) you choose. It’s helpful to look at both sticker price and associated costs (including personnel you may need to hire to manage your instances). Here’s a look at the pricing structure of the three major players:
- AWS: Amazon determines price by rounding up the number of hours used. The minimum use is one hour. Instances can be purchased in one of three ways:
- On Demand – Pay for what you use, no upfront cost
- Reserved – Reserve instances for one or three years, with an upfront cost based on utilization
- Spot – Bid for extra capacity available
- Google Cloud Platform: GCP bills for instances by rounding up the number of minutes used. There is a minimum of 10 minutes. Interestingly, Google recently came out with “sustained-use pricing” for compute services that offers a simpler and more elastic model compared to AWS’s reserved instances. You can read more about how this works here.
- Azure: Like GCP, Azure bills customers by rounding up the number of minutes used on demand. They also provide the option to make short-term commitments and obtain a discount for prepaying.
As you can see, there is no simple apples-to-apples comparison to make when it comes to prices. It’s not like AWS costs $5 and GCP costs $10. Instead, you’ll need to look at your usage patterns (or predicted usage patterns) and determine which of the three best fits your business model, budget, timeline, and so on.
While the seven criteria discussed above won’t give you all the information you need, they will help you build a solid analytical framework to use when you are determining which cloud service provider(s) you will trust with your data and applications. You can add granularity by doing a thorough analysis of your organization’s requirements to discover additional factors that will help you make an informed decision. This will be key to determining which provider will be the one that can deliver the features and resources that will best support your ongoing business, operational, security, and compliance goals.
If you’re planning a move to the cloud, download a free copy of Moving to the Cloud? Your Guide to Planning a Secure and Frictionless Migration. This eBook provides insight into:
- Who you need to get top level buy-in from
- The unique approach to risk acceptance and management you can and should adopt
- How to prepare the framework for your cloud migration plan
Security Vendor Assessment Worksheet
If you've been tasked with evaluating cloud security vendors, this is your starting point.