Blog September 19, 2019

4 Ways to Vet a Private Cloud Provider

Private Clouds Remain Popular – And for Good Reason!

While Azure and AWS are becoming ever-more popular and better suited to more types of workloads, private clouds remain the choice of many organizations. Last year, IDC found that private cloud spending had increased by 28.2% year over year. (For comparison, the growth of the pubic cloud grew by 58.9%.)

Related post: Is the Public Cloud Really Public Anymore?  

While public cloud spending is growing faster than private cloud spending, there are a number of reasons a business might opt for a private cloud. Greater control is one. Even though a public cloud can be compliant with most industry standards and regulations, the organization may not feel it has the skill set to manage a compliant cloud environment. Migrating legacy applications to a cloud environment amplifies these concerns, and private clouds can minimize an organization’s risk exposure.

There’s also the question of skill sets. Every day, we hear stories of misconfigured cloud-based resources, e.g., databases, being the root cause of a security breach or non-compliance with a regulation such as HIPAA. To make matters worse, these exposed resources may not be discovered for weeks or even months.

A private cloud, hosted by a reputable cloud provider, can help you take advantage of the benefits of cloud computing while minimizing your risks.

What is a private cloud?

A private cloud is one in which cloud-based resources are dedicated to a single organization. For the purposes of our discussion, we are referring specifically to private, hosted clouds operated by a third-party managed service provider like Connectria.

Doing Your Due Diligence

Before trusting your most sensitive or mission-critical workloads to a third-party cloud provider, you need to do your due diligence. Here are four ways to check out a potential provider before you sign on the dotted line.

1/ An onsite visit. If it’s feasible, onsite visits are a great way to get a better feel for how secure the site is and how comfortable you are with the people who will be overseeing your systems.

Nevertheless, an onsite visit isn’t always feasible, especially if you need to migrate workloads quickly and the data centers you’re considering are hundreds of miles away. And, even when you can visit a site, a visual inspection doesn’t tell you everything you need to know.

If you’ve never toured a data center, refer to our recent post, What Should You Look for in a Hosting Provider? 

2/ Independent audits. ALL reputable cloud providers have their data centers audited regularly, usually once a year. SOC 2 compliance is probably one of the most common types of audits you’ll see, and it’s a good one because it covers a wide range of core requirements.

In a nutshell, SOC 2 assesses the provider’s ability to ensure the security, availability, integrity, confidentiality, and privacy of their customers’ data. However, there are two types of SOC 2 reports. They are oh-so-descriptively named Type I and Type II, and the difference is important.

Type I assesses the provider’s systems and protocols at a point in time. The auditor will come in and look at how the controls are designed and evaluate their suitability.

Type II looks at the effectiveness of these controls by assessing them over time – a minimum of six months. That is, SOC 2 Type II validates not only that the controls are in place, but also that protocols are consistently being followed and they work.

I don’t know about you, but if I were going to trust my data to a third-party provider, I wouldn’t settle for anything less than an independent SOC 2 Type II audit.

In addition to our annual SOC 2 Type II audits, our data centers are also audited for HIPAA/HITECH, PCI-DSS, ISO 27001, FISMA, FERPA, GDPR, Bill 198, and HITRUST.

3/ Features checklists. The audits do a great job of creating a foundation of confidence, but you’ll also want to create a list of must-have features aligned to your specific requirements. For example, if you’re a Microsoft shop, you’ll probably want to choose a vendor with experience in Azure as well as other Microsoft applications and platforms. Likewise, if your mission-critical systems are running on IBM i or IBM AIX, you’ll want a vendor who can host applications in an IBM environment.

Next, think of any potential gaps in your IT strategy. Do you have the staff you need to keep up with the ever-changing cybersecurity threat landscape? Do you have a current, tested disaster recovery plan? Do you have open roles you haven’t been able to fill such as an IBM system administrator or SQL DBA? Add these items to your checklist as well and look for a managed cloud provider that can also offer assistance in these areas.

4/ Customer references. Finally, if you were referred to a provider by someone you know and trust, you’re already a step ahead. If not, customer references are your next best source. Check out the vendor’s case study page, and look for businesses that are similar to yours or those that addressed the same challenges.

Related Resources

Burnout in Technology Leadership (and what to do about it)
For all the ways in which technology dominates business news and business blogs, it’s surprising that people are not talking more about a very pervasive…
It’s Time to Add Social Media to Your HIPAA Compliance Checklist
Whether they’re not-for-profits or more commercially focused operations, healthcare providers are in the business of healthcare. That means they care about developing relationships with their…
Know Your Audit Reports! More Advice on Vetting Cloud Providers
In a recent post, we discussed four ways to vet a cloud provider before trusting them with your mission-critical workloads. If you missed that post,…