In this post, we’re going to assume that you will be relying on public cloud infrastructure. There’s no reason to DIY (which can be costly, complex, and frustrating) when there are experts who can do it far better (no offense!). The shared responsibility model is such that you should be able to rely on cloud service providers to take care of the cloud itself while you focus on what’s in the cloud (your data and applications).
Evaluating A Cloud Security Solution
So, how do you choose a public cloud provider? First, it’s helpful to know who the major players are today.
The field has a lot of competitors in it, including the big three — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — as well as a host of smaller or niche players. And of course, AWS, GCP, and Azure dominate. (It’s tempting to speculate about the role that attrition and consolidation might have in this space over the next few years, but it’s also out of scope for our current discussion.)
AWS has been in the game the longest and has captured the largest market share, with 33% of the market running their apps on AWS. Microsoft has 13%, and Google has garnered 6% of market share, according to a Synergy Research report. Other providers you may want to consider include Rackspace and IBM Cloud. They are generally smaller and more specialized but may have services that suit your needs.
As the statistics above indicate, AWS has long ruled the cloud platform space. But today more and more companies are branching out and using additional providers as well. Often this isn’t a matter of replacing one with another, but of different business requirements (such as managing risk and costs) being suited to different cloud vendors.
Other reasons for using more than one provider could include the fact that vendors work to price their offerings competitively and continually add new features. Additionally, many organizations that run Windows are offered free Azure credits. It may make sense to take advantage of these sorts of promotions (although we advise that cost should not be your first or only priority). Below, we’ll cover some of the key criteria to evaluate when you are deciding which direction to move in.
Primary Evaluation Criteria
As you determine which cloud provider(s) you will use, you will want to evaluate the options that different providers offer and look at how they would support your unique business characteristics and objectives. The principal elements to consider for almost every company are as follows:
You want to understand precisely what your security goals are, the security measures that are offered by each provider, and the mechanisms they use to preserve your applications and data. In addition, make sure you completely understand the specific areas that each party is responsible for. (Look at AWS’s Shared Responsibility Model documentation as well as Azure’s and Google’s approach to security.)
In addition, consider what security features are offered free out-of-the-box for each vendor you’re evaluating, which additional paid services are available from the providers themselves, and where you may need to supplement with third-party partners’ technology. For example, both AWS and Google Cloud make that process relatively simple by listing their security features, paid products, and partner integrations on the security section of their respective websites.
Security is a top concern in the cloud (and everywhere else these days), so it’s critical to ask detailed and explicit questions that relate to your unique use cases, industry, regulatory requirements, and any other concerns you may have. Do not neglect to evaluate this essential feature of operating in the cloud.
Next, make sure you choose a cloud architecture platform that can help you meet the compliance standards that apply to your industry and organization. Whether you are beholden to GDPR, SOC 2, PCI DSS, HIPAA, or any other framework, make sure you understand what it will take to achieve compliance once your applications and data are living in a public cloud infrastructure. Be sure you understand where your responsibilities lie, and which aspects of compliance the provider will help you check off.
When choosing a cloud provider, think about how the architecture will be incorporated into your workflows now and in the future. For example, if your organization has already invested heavily in the Microsoft universe, it might make sense to proceed with Azure, since Microsoft gives its customers licenses (and often some free credits). If your organization relies more on Amazon or Google services, then it may be best to look to those vendors for ease of integration and consolidation.
Additionally, you may want to consider cloud storage architectures when making your decision. When it comes to storage, the three major vendors have similar architectures and offer multiple types of storage to fit different needs, but they all have different types of archival storage. If this is important to you, you will want to understand the nuanced differences between them. Each of the services offers options for storing and retrieving data frequently vs. infrequently (hot vs. cool storage). Typically, cool storage costs less but comes with various restrictions.
You will also want to spend some time determining how much management each cloud platform will demand of you. Each of the services supports different orchestration tools and integrates with various other services. If you have services that are particularly vital to your organization, make sure that the cloud provider you choose offers an easy way to integrate with them (or that your organization is comfortable porting over to a similar service that is supported). You’ll also want to determine how much time and effort it will take your team to manage various aspects of the cloud infrastructure before you make a final decision.
5. Service Levels
This consideration is essential when businesses have strict needs in terms of availability, response time, capacity, and support (which, let’s be honest, almost all do these days). Cloud Service Level Agreements (Cloud SLAs) are an important element to consider when choosing a provider. It’s vital to establish a clear contractual relationship (read: legally enforceable) between a cloud service customer and a cloud service provider. Particular attention should also be paid to legal requirements for the security of data hosted in the cloud service, especially in light of GDPR. You need to be able to trust your cloud provider to do the right thing, and you need a legal agreement that will back you up if something goes wrong.
Support is another parameter that requires careful consideration. If you need help, will you be able to get it quickly and simply? In some cases, the only support you will get is through a chat service or call center. This may or may not be acceptable to you. In other cases, you may have access to a dedicated resource, but there’s a good chance there will be constraints on time and access. Ask questions up front about what level and form of support you will have access to before you choose a cloud provider.
While it should never be the single or most important factor, there’s no denying that cost will play a big role in deciding which cloud service provider(s) you choose. It’s helpful to look at both sticker price and associated costs (including personnel you may need to hire to manage your instances). Here’s a look at the pricing structure of the three major players:
- AWS: Amazon determines price by rounding up the number of hours used. The minimum use is one hour. Instances can be purchased in one of three ways:
  - Pay-as-you-go: Pay for what you use, no upfront cost
  - Reserved: Reserve instances for one or three years, with an upfront cost based on utilization
  - Volume discounts: Acquire more services as the company grows, and receive volume discounts for specific services, such as S3
- Google Cloud Platform: GCP bills for instances per second used. Interestingly, Google also offers “sustained-use pricing” and “committed use discounts” for compute services that offer a simpler and more elastic model compared to AWS’s reserved instances.
- Azure: Azure bills customers on-demand by hour, gigabyte, or millions of executions, depending on the specific product. They also provide the option to reserve instances, like AWS.
As you can see, there is no simple apples-to-apples comparison to make when it comes to prices. It’s not like AWS costs $5 and GCP costs $10. Instead, you’ll need to look at your usage patterns (or predicted usage patterns) and determine which of the three best fits your business model, budget, timeline, and so on.
Bonus: Container Capabilities
If your organization is looking to transition its virtual server workloads to containers, container orchestration, managed containers, and/or serverless architecture, you should absolutely evaluate the container capabilities of each CSP. Each of the major providers offers support for container management, deployment, and operations, with competitive offerings:
While the seven criteria (plus one bonus) discussed above won’t give you all the information you need, they will help you build a solid analytical framework to use when you are determining which cloud service provider(s) you will trust with your data and applications. You can add granularity by doing a thorough analysis of your organization’s requirements to discover additional factors that will help you make an informed decision. This will be key to determining which provider will be the one that can deliver the features and resources that will best support your ongoing business, operational, security, and compliance goals.