Cloud services can be difficult to evaluate. There are plenty of guides that tell us which cloud service is the best and which ones to avoid. Choosing between Amazon AWS, Google Cloud, or Microsoft Azure is a well-understood topic, but what about the other options? What about the smaller services you already use, such as a VPN provider or invoicing software?
In this article, we will explain the criteria we have used to evaluate some of the cloud services we have chosen to use in the past. If you have any suggestions of your own that would help with the evaluation of cloud services, please share the knowledge and send us a link to your article.
Now let’s turn to the task at hand. When discussing information security and cloud services, we have to talk about something called the CIA triad. The letters stand for confidentiality, integrity, and availability.
When you use a cloud service, the confidentiality of your data is largely out of your hands: beyond what you encrypt yourself and who you grant access, it is up to the service provider to tell you what they do to keep your data confidential. What you as a customer need to think about is how a loss of confidentiality would affect your business.
There are a few things to consider here. Are you handling data that requires compliance with some standard? Does the cloud service provider adhere to that standard? And if they claim they do, how can you verify it (an audit report or certificate from an independent assessor, not a logo on a website)? Also, what steps do you need to take to become certified yourself? It is rarely as simple as using a service that is already certified: the provider's certification covers their controls, not how you use the service.
Here’s where things get a bit easier. Compared to confidentiality, integrity is something you can do more about yourself. For example, keep redundant backups with more than one provider, so that a corrupted or tampered copy can be detected by comparison against the others and restored from a known-good one, and put tight access control around all of them, so that no single credential can alter every copy.
There is one significant caveat, though: using multiple providers is considerably more expensive. It’s not enough to account for the cost of the services themselves. You will also have to factor in the cost of developing and maintaining the integration.
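The integrity check described above, as an added example that is not code from the original article: each backup is hashed into a manifest, the manifest is keyed with an HMAC whose key lives only with the party doing the verification (the "tight access control" the text calls for), and every provider's copy is compared against it. The provider names, file contents and key below are constructed for the illustration.

```python
"""Verify that redundant backup copies held at different providers are intact.

Added illustration, not code from the article. Assumption: each provider
returns the backup as a mapping of file name to bytes, and a keyed manifest
(HMAC-SHA256 over the per-file hashes) was written when the backup was taken.
Because the key is held only by the verifier, an attacker with one provider's
credentials can alter that provider's copy but cannot rewrite the manifest to
match, so the tampering is detected.
"""
import hashlib
import hmac
import json

# Constructed key for the example; in practice load it from your own KMS.
MANIFEST_KEY = b"example-key-keep-in-your-own-kms"


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Hash every file, then MAC the canonical hash list so the manifest is tamper-evident."""
    digests = {name: file_digest(blob) for name, blob in files.items()}
    canonical = json.dumps(digests, sort_keys=True).encode()
    mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"files": digests, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes = MANIFEST_KEY) -> bool:
    """Recompute the MAC over the manifest's file list and compare in constant time."""
    canonical = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_copy(copy: dict[str, bytes], manifest: dict) -> list[str]:
    """Return the files that are missing, modified or unexpected in one provider's copy."""
    problems = []
    for name, expected in manifest["files"].items():
        if name not in copy:
            problems.append(f"missing: {name}")
        elif file_digest(copy[name]) != expected:
            problems.append(f"modified: {name}")
    for name in copy:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


def verify_all(copies: dict[str, dict[str, bytes]], manifest: dict,
               key: bytes = MANIFEST_KEY) -> dict[str, list[str]]:
    """Check every provider's copy against the manifest; refuse a manifest that does not verify."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC does not verify: manifest was altered or key is wrong")
    return {provider: verify_copy(copy, manifest) for provider, copy in copies.items()}


# Constructed sample backup and two provider copies; provider_b has one file altered.
ORIGINAL = {
    "invoices/2023-01.csv": b"id,amount\n1,100\n",
    "customers.json": b'{"acme": 1}',
}
MANIFEST = build_manifest(ORIGINAL)
COPIES = {
    "provider_a": dict(ORIGINAL),
    "provider_b": {**ORIGINAL, "invoices/2023-01.csv": b"id,amount\n1,1000\n"},
}


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed copies; provider_b's altered invoice is flagged."""
    return verify_all(COPIES, MANIFEST)


if __name__ == "__main__":
    for provider, problems in demo().items():
        print(provider, "OK" if not problems else problems)
```

The manifest is what turns "redundant copies" into an integrity control: without it, two copies that disagree only tell you that one of them is wrong, not which one. Store the manifest and its key separately from the providers that hold the backups.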
Unless you host everything yourself, availability is usually covered by contract. Services typically come with an SLA (Service Level Agreement) and a CSA (Cloud Services Agreement). The SLA commits the provider to an uptime target, for example 99.999% ("five nines"), which allows only about five minutes of downtime a year, and normally spells out the service credits you receive if the target is missed.
However, things do go wrong, and when the service is down the cost to you may far exceed what the SLA credits compensate. For such eventualities a multi-cloud setup is preferable. Keep in mind, though, that every additional provider holding a copy of your data is another place it can leak: what you gain in availability you pay for in confidentiality risk.
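To make the trade-off in the last two sentences precise (an added note, not part of the original article), assume providers fail and leak independently. A single provider at 99.999% availability allows

$$
(1 - 0.99999) \times 365.25 \times 24 \times 60 \approx 5.3 \ \text{minutes of downtime per year.}
$$

With two providers of availability $A_1$ and $A_2$, where the service works as long as either is up, the combined availability is

$$
A_{\text{multi}} = 1 - (1 - A_1)(1 - A_2),
$$

so two providers at 99.9% each give $1 - 10^{-3} \cdot 10^{-3} = 0.999999$. The same arithmetic works against you for confidentiality: if each provider has probability $p_i$ of exposing your data over the same period, the probability that at least one of them does is

$$
P_{\text{leak}} = 1 - (1 - p_1)(1 - p_2) \geq \max(p_1, p_2),
$$

which is never lower than the risk of the worst single provider. Adding providers shrinks downtime and grows exposure at the same time.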
Learn, assess, invest
In the end, it all boils down to reading all agreements carefully, assessing your risks accordingly, and investing in your services appropriately.
To help you make the best choices possible, here are three important questions you should ask while evaluating cloud services before making the final choice:
- What happens when your data becomes public?
- What happens when your data goes missing?
- What happens when the service is unavailable?
Regardless of whether you are looking at IaaS, PaaS, SaaS, or any other type of cloud service, you should always start by familiarising yourself with the agreements you have with your cloud service provider.
Another indication of a provider's maturity is how they have implemented user management: single sign-on through SAML or OIDC, automated provisioning and deprovisioning (for example via SCIM), enforced multi-factor authentication, role-based access, and audit logs of who did what. Make sure your own identity solution is supported, and you are well on your way to selecting the best provider for you.