Cloud computing has revolutionized how organizations work, offering an increased ability to process high volumes of data and scale applications without additional on-site hardware. The cloud market is rapidly expanding, and Gartner projects it will be a $678.8 billion industry by the end of 2024. When selecting a cloud provider, it is essential for organizations to consider alternatives and weigh factors such as availability, pricing models, and specific security and compliance needs.
Security in the cloud
The shift to the cloud brings an increase in cybersecurity risks and breaches. As such, it is vital for organizations to prioritize the security of their cloud-based applications. Cloud security operates under a shared responsibility model, a framework delineating which security tasks are the cloud service provider’s responsibility and which are the client’s duty. Common service models offered by cloud providers include:
- Infrastructure-as-a-Service (IaaS) model. The cloud provider assumes responsibility for securing the physical network, compute, and storage, including patching and configuration. The client is tasked with safeguarding its data, applications, virtual network controls, operating system, and user access.
- Platform-as-a-Service (PaaS). The provider secures compute, storage, physical and virtual networks, and the operating system, while the client is responsible for safeguarding data, user access, and applications.
- Software-as-a-Service (SaaS). The provider extends its security coverage to include compute, storage, networks, operating systems, applications, and middleware, leaving the client accountable for securing data and user access.
Prominent cloud service providers incorporate secure-by-design infrastructure and layered security directly into their platforms and services. This can include zero-trust network architecture, identity and access management, multi-factor authentication, encryption, and continuous logging and monitoring. Additional security features include data loss prevention (DLP) and advanced threat detection.
While the absolute prevention of attacks and vulnerabilities is unattainable in cloud security, a well-designed cloud security strategy can significantly contribute to reducing breaches, minimizing damage, enhancing regulatory compliance, and increasing customer trust.
Criteria to consider when choosing a cloud platform
The most critical considerations in determining the ideal cloud provider for an organization include:
- Organizational cloud strategy. Diverse organizations employ distinct cloud platform adoption strategies. While some opt for alignment with a singular cloud provider, others prefer a hybrid or multi-cloud solution to avoid vendor lock-in and capitalize on the optimal offerings provided by various cloud service providers. For example, the Center for Disease Control and Prevention (CDC) uses AWS and Azure and builds its tools to be cloud-agnostic. Additionally, some organizations might require niche services that all providers do not offer. For example, media companies prefer AWS because it offers the most tools for encoding, processing, storage, and distributing media content.
- Certifications and standards. Adopting recognized standards and quality frameworks is vital when choosing a cloud provider. Essential standards and certifications include guidelines and frameworks from the International Organization for Standardization (ISO), the Distributed Management Task Force (DMTF), the Office of the Comptroller of the Currency (OCC), the Storage Networking Industry Association (SNIA), and the Institute of Electrical and Electronics Engineers (IEEE). Additionally, companies should consider security standards, including the Payment Card Industry Data Security Standard (PCI DSS), Statement on Standards for Attestation Engagements no. 16 (SSAE 16), and those from the Cloud Security Alliance (CSA). It is also essential to follow IT standards and architectures, including those from the Information Technology Infrastructure Library (ITIL), the International Organization for Standardization (ISO), The Open Group Architecture Framework (TOGAF9), and the Common Industry Format (CIF) from the National Institute of Standards and Technology (NIST).
- Personal data security guidelines. These include the Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and the Rapid Modernization Plan (RAMP).
- Pricing. Every cloud service provider presents a distinctive array of services and pricing models, including pay-as-you-go, subscription-based, and spot pricing. It is important for each organization to compile a comprehensive list of services and offerings they intend to utilize and conduct a price estimation and comparison across different cloud platforms.
- Regional availability and data residency. Some cloud providers may be limited in their geographical availability. Additionally, some countries, including China, require user data to be stored in the country of origin.
- Reliability and performance. To assess the reliability of a service provider, organizations can compare the service provider’s performance to its service-level agreements (SLAs) over the preceding six to 12 months. Some providers may publish this information, while others will readily furnish it upon request. While providers cannot achieve zero downtime, observing how effectively the provider has managed prior instances of downtime is critical. Providers’ contingency plans should include communication protocols with customers that detail the timeframe, prioritization, and severity level of disruptions.
Cloud providers
Three major cloud platforms, each launched by a major tech company, dominate the market. They are:
- Amazon Web Services (AWS). AWS is the oldest and largest cloud provider, holding 33 percent of the market share. Its product offerings and third-party tool marketplace are the most robust. AWS creates isolated environments for each instance, which ensures enhanced security but can complicate management.
- Azure. Microsoft’s Azure is AWS’s largest competitor. Azure takes a centralized approach to identity access management (IAM), which is convenient but has some security trade-offs. Among the three major cloud providers, Azure has the most robust virtual private network (VPN) offerings.
- Google Cloud Platform. Google Cloud Platform is less established than some other services, and the market for its tools is not as robust. Its VPN offerings are more modest compared to Azure’s. On the other hand, the platform’s models and analytical tools have access to Google’s massive moat of data. Google Cloud Platforms takes a centralized approach to IAM, similar to Azure’s.
While these providers comprise 62 percent of the market, they are not the only options. Other cloud providers include:
- Alibaba Cloud. Focused on the Asia-Pacific region, Alibaba Cloud offers products comparable to the big three providers.
- IBM Cloud. IBM allows customers to use a public or private cloud, either stored in IBM’s data centers or on-premises. Additionally, IBM Cloud has several tools that integrate with IBM’s artificial intelligence tool, Watson.
- Salesforce. Salesforce’s cloud offerings focus on customer relations management (CRM).
What’s next for cloud computing?
The future of cloud computing will likely integrate artificial intelligence (AI) and machine learning (ML). “Smart platforms” could learn from user behavior and increase the fault tolerance of applications. As cloud computing becomes more ubiquitous and advancing technology lowers the entry barrier, more companies, including smaller regional companies, will move into the game. While regional companies may not be able to offer all the same products, they may appeal to smaller organizations by providing more attentive service that larger companies cannot offer. Understanding each provider’s advantages and disadvantages can help organizations make the choice that best suits their needs.
By Surya Kant Verma