2. How transparent is the cloud service?
"There's a lot of mystery in clouds," according to Chris Wolf, analyst with the Burton Group. There's no need to understand the underlying infrastructure and the company's plans to upgrade or reinforce it if you're just using Google for Gmail. But any company hiring a provider for important business functions deserves to know what kind of technology -- and secondary or tertiary service providers -- actually makes up the cloud and how reliable it is.
3. How prepared is the cloud provider to answer due-diligence questions?
Some of the most critical questions are the most basic: what does the company do to ensure physical security; what servers and software does it run and what are its arrangements for disaster recovery; are its employees all well trained, background-checked, bonded and secured?
"All the basic stuff is pretty important, but you have to verify that," Wolf says. "You have to know they're relatively stable and reliable in hiring and you have to check on things like making sure they have redundant telecom arrangements and high availability/DR options so you don't go down for three days when they have a power outage."
4. How much access does the cloud provider offer?
"You should be able to go through your list of criteria with the vendor and get answers to your questions and have them revisit that periodically to demonstrate how they're living up to your expectations," Golden says. "If it's a big contract, you're going to want to do audits periodically to verify SLA and compliance and security issues."
5. How much access does the cloud provider deny?
On the other hand, Golden says, no service provider can afford to spend all its time answering questions from customers.
"Amazon is maybe a little too distant, but you don't want to have a provider verifying their physical security by letting you walk around the data center and look at it. Then you know some other customer is doing the same when you're not there, and you'd rather no one has physical access to your servers that doesn't work for that company," Golden says.