Questions to Ask a Cloud Provider

Here's a detailed list of the questions to ask a potential hedge fund cloud provider.

Questions on the Service Provider’s Practices
 

  • Is the provider's cloud infrastructure built with an N+1 configuration to withstand equipment failure?
     
  • What are the cloud provider's backup and retention procedures? How long is data retained?
     
  • What is the provider's disaster recovery strategy, and how frequently is it tested?
     
  • What type of security and monitoring practices are in place at the data center?
     
  • Who can access the provider's data and at what level?
     
  • Can the provider share an audit trail which logs who has accessed what?
     
  • Is data encrypted at rest as well as in transit?
     
  • What Service Level Agreements (SLAs) are in place for the infrastructure and applications? What is the agreed-upon uptime?
     
  • How are support requests handled, and what is the expected response time?
     
  • Has the provider ever experienced a security breach? If so, how was it resolved, and what safeguards were implemented to prevent a repeat experience?
     
  • Is the data center SAS 70 Type II or SSAE 16 Type II (new standard 2012) certified?

Questions on Internal Practices
 

  • How financially stable is the cloud provider? Can they provide audited financials? Can they sustain business in the long run?
     
  • When an employee leaves, what is the process for blocking access to applications to prevent data downloads?
     
  • How do we prevent employees from sharing login credentials with unauthorized employees?
     
  • How do we define and enforce user roles to control access levels?
     
  • Who has the authority to add new users?
     
  • How often will employees be required to reset passwords? Are there requirements around complexity standards for passwords?

Questions on Application Hosting
 

  • Which application vendors have systems operating in the cloud?
     
  • Does the application vendor confirm their product works in a hosted environment?
     
  • Are there any issues associated with virtualizing the applications?
     
  • How is the application deployed? Does the software run natively over the Internet, or does it require a delivery mechanism such as Citrix?
     
  • Are there any limitations with this type of deployment? Are there certain pieces of functionality that will not work if remotely deployed? Are there display limitations?
     
  • How many clients for the specific application have a hosted implementation? 
     
  • What certification levels does the cloud provider have with these application vendors?
     
  • Will the application vendor help with a “proof of concept”?
     
  • Will there be any changes to the level of service if the application is deployed in a hosted environment?