Cloud Software Supplier Assessment: What to ask?

One of the main attractions of moving to the Cloud is the opportunity for an organisation to shift responsibility for security, maintenance and uptime to a third-party software provider. Whilst there are many benefits to businesses utilising third-party applications to power critical day-to-day operations, reliance on these services introduces new and significant risks.

With companies experiencing double the amount of IT-related incidents since the beginning of the pandemic, and in some verticals 11x the number of incidents1, businesses must ensure they are assessing and managing third-party risk effectively.

So what can businesses do to protect operations when selecting a third-party software provider to run business-critical applications in the cloud?

In addition to assessing the basics such as supplier competency and cost of service, we’ve created a handy checklist of questions you should be asking when selecting a new partner in the cloud:

Cloud Supplier Certifications and Standards

Here you are looking to gauge a supplier’s long term commitment and if they are following industry best practice when designing and developing their cloud application. Concerns over either could compromise your long-term access to the application.

• Do you have any certifications?
• Do formal coding, user interface and design documentation standards or guidelines exist?
• Are standards subject to change control?

Security in the Cloud

Here you are looking to get an idea of how well guarded your cloud environment and data will be. Poor security practices could leave your cloud environment vulnerable to cyber-attacks which will most likely cause significant financial and reputational damage to your organisation.

• Where are your data centres located and how are they secured?
• Are there controls to ensure that data can only be entered and changed by authorised personnel?
• Is privileged access restricted?
• Is the system secured by unique IDs and passwords?

Cloud Governance

Here you are looking to see if the supplier has sufficient processes in place to ensure you comply with regulation governing your use of third-party hosted software as well as assuring the resilience of the cloud application.

• Is there an audit trail for critical data and activities?
• Can the audit trail be reviewed for irregularities?
• Do you have procedures in place to ensure business continuity and disaster recovery? Have these procedures been tested?

Contractual Service Level Agreements (SLAs)

Here you can establish the minimum acceptable level of performance to ensure that in the event of supplier failure your organisation is protected. SLAs are a way to ensure that software suppliers are held accountable for meeting service objectives.

• What Service Level Agreements (SLA) do you offer?
• Are the SLAs in line with what we are trying to accomplish?
• Are these specific to cloud-hosted applications?
• If the SLAs are not met what compensation is available?

Cloud application Reliability and Performance

Here you can get a better idea of what the software supplier is doing to protect the cloud software application from downtime or failure and how they would support you if access to the service was compromised.

• Do you perform backups? How often?
• How often do service outages occur and how long do they last?
• Do you have a guaranteed uptime?
• How do you ensure the resilience of your application?

General Cloud Supplier Risk Assessment Questions

Here you are looking to find out more about the software supplier’s solution and to decide if you will be able to work with them.

• What industry is the solution designed for? How long has it been on the market?
• Do you have any examples of software customers successfully using the solution?
• How is your solution superior, both functionally and economically, to other available solutions?
• Am I able to effectively manage my operational, security, and compliance risks?

Outsourcing business-critical technology has its benefits, but at the same time can potentially put your organisations business continuity, regulatory compliance, brand reputation and financial status at risk.

Proactively taking action by asking these questions will allow you to build a better picture of the solution and service that a supplier is offering – and as a result, you’ll be more prepared and equipped to manage any potential risks of service disruption.