WEBVTT

00:00:01.040 --> 00:00:04.460
Selecting a cloud provider is an important and quite

00:00:04.460 --> 00:00:06.560
risky step for an organization.

00:00:07.040 --> 00:00:10.720
Therefore, it is often good to look at some of the ways to evaluate

00:00:10.720 --> 00:00:14.340
the different cloud providers so that hopefully we select the one

00:00:14.340 --> 00:00:17.360
that's the best fit for our organization.

00:00:18.740 --> 00:00:21.550
During this course, we've looked at three different areas,

00:00:21.560 --> 00:00:24.260
cloud computing concepts and architecture,

00:00:24.740 --> 00:00:28.330
security principles of cloud computing, and now we're going to

00:00:28.330 --> 00:00:32.150
look at the evaluation of those cloud providers.

00:00:33.140 --> 00:00:36.730
One of the most important things to remember from the perspective of the

00:00:36.730 --> 00:00:42.400
exam is that everything to do with this external relationship with a cloud

00:00:42.400 --> 00:00:45.730
provider should be protected through contracts,

00:00:45.740 --> 00:00:49.760
service agreements, and service level agreements.

00:00:50.140 --> 00:00:55.560
These allow us to have, formally, a recognition of what are the

00:00:55.560 --> 00:00:59.900
responsibilities of the two parties in the contract towards

00:00:59.900 --> 00:01:05.430
providing, paying for, and of course, supporting services. When

00:01:05.430 --> 00:01:07.490
we evaluate cloud providers,

00:01:07.500 --> 00:01:11.720
it's important that we look at it from the perspective of our business.

00:01:12.040 --> 00:01:14.160
Each business is a bit different.

00:01:14.540 --> 00:01:17.670
We have different security needs, different laws,

00:01:17.780 --> 00:01:22.300
different expectations, so the first thing is to look at which of

00:01:22.300 --> 00:01:26.940
the cloud providers will provide the services that we need in

00:01:26.940 --> 00:01:29.260
order to support business operations.

00:01:29.740 --> 00:01:34.500
We may even choose to go to a cloud where we're having a hybrid,

00:01:34.560 --> 00:01:38.110
that we have a combination of different cloud providers

00:01:38.110 --> 00:01:40.450
providing different services as well.

00:01:41.140 --> 00:01:45.800
We have to look at what are the choices available for us. Do we go with one

00:01:45.800 --> 00:01:50.270
of the big companies? Do we go with a smaller firm? And each of those has

00:01:50.270 --> 00:01:53.720
advantages and, of course, disadvantages as well.

00:01:54.340 --> 00:01:59.800
We need to ensure that we've gone through a good evaluation process, maybe

00:01:59.800 --> 00:02:05.370
a matrix that compares the different cloud providers so we can choose which

00:02:05.370 --> 00:02:09.449
is the one that has the services we require.

00:02:10.340 --> 00:02:14.140
These should be listed in the various requests for proposals

00:02:14.140 --> 00:02:19.470
that we actually prepare, and in that request for proposal we

00:02:19.470 --> 00:02:24.010
should always specify what are our requirements as far as

00:02:24.010 --> 00:02:30.560
security and as services provided, but certainly at what cost as well.

00:02:32.040 --> 00:02:33.310
When we go to the cloud,

00:02:33.310 --> 00:02:37.950
there are a number of new legal considerations that come in as well.

00:02:38.340 --> 00:02:40.170
We have concerns, for example,

00:02:40.170 --> 00:02:46.990
about things like jurisdiction, where is my data being kept, and ensuring

00:02:47.140 --> 00:02:52.480
that that cloud provider has the same attitude towards the protection of my

00:02:52.480 --> 00:02:57.740
data as I would require, and that of course is very often based on the

00:02:57.740 --> 00:03:01.050
sensitivity and criticality of that data.

00:03:01.740 --> 00:03:03.850
Many companies are restricted.

00:03:04.180 --> 00:03:08.620
They cannot enter into a relationship with a cloud provider that will

00:03:08.620 --> 00:03:13.050
store their data outside of their local region or country.

00:03:14.740 --> 00:03:19.280
One of the things we should always look at is the ability to audit

00:03:19.290 --> 00:03:24.140
and review to make sure that each party to the contract is living

00:03:24.140 --> 00:03:27.060
up to their terms and obligations.

00:03:27.440 --> 00:03:33.800
So, this could allow a cloud consumer the right to audit some

00:03:33.800 --> 00:03:37.270
type of, should we say, cloud relationship.

00:03:37.280 --> 00:03:40.980
They can review the contract to make sure that all the things

00:03:40.980 --> 00:03:45.290
in the contract are being done, and the right to audit can be

00:03:45.290 --> 00:03:47.960
built into that contract as well.

00:03:48.740 --> 00:03:56.660
The ability to review and audit may be done as a scheduled process, and could be

00:03:56.660 --> 00:04:00.420
done with external parties that have the skills necessary,

00:04:00.430 --> 00:04:04.160
for example, to do various types of penetration testing.

00:04:05.040 --> 00:04:08.350
One of the things with all of this is to make sure that we

00:04:08.350 --> 00:04:13.860
don't have unrealistic expectations and that everything is

00:04:13.860 --> 00:04:16.399
specified in the contract properly.

00:04:16.890 --> 00:04:23.280
That is why the contract also should always say where any dispute

00:04:23.280 --> 00:04:25.970
would be heard if there were to be a problem.

00:04:26.110 --> 00:04:31.740
We conduct an audit, we don't believe that the cloud provider is living up to

00:04:31.740 --> 00:04:37.400
the terms of the contract, where will that dispute then be resolved? In the

00:04:37.400 --> 00:04:44.390
courts of our local area or maybe even another country? This ability to evaluate

00:04:44.390 --> 00:04:48.640
cloud providers is important, and something we'll look at some of the ways to

00:04:48.640 --> 00:04:50.900
evaluate them in the next section.
