Powerful, useful technologies nearly always have a dark side. Airplanes have made the world a smaller place, especially for business, but every now and then they kill everyone on board. The Internet has been beneficial in countless ways, but it's also been a boon for spammers and pedophiles. As with the horrors of warfare, we accept a certain quantity of tragedies in exchange for a great enough ongoing utility, while trying to make airplanes and the Internet as safe as we can. But it often seems like the more valuable the technology, the more troublesome the side effects.

For better or worse, it is increasingly clear that the best of cloud-based IT services are very valuable indeed. Not only do they create bottom-line savings for their customers, but they also deliver better performance, security, and business intelligence. But all too predictably they also come with the potential for serious problems.

The worst-case scenarios for cloud-based services nearly all come down to the provider not doing a good job. A reputable cloud provider is likely to provide customers with better service than they could hope to provision in-house. But if quality slips, the customer can be completely poleaxed by a security or service failure.

This is a scary enough scenario that it has kept a few companies from taking advantage of the state of the art by moving to the cloud. But I think that's a false conservatism. Such reticence might make some sense for a company that had a world-class IT department, perhaps, although even that department would be roughly as vulnerable as a cloud provider. But in most companies whose business is anything other than IT, infrastructure is a disaster waiting to happen. When such companies adopt cloud services, they aren't jumping from dry land onto a rickety boat, they're jumping from a small iceberg onto an ocean liner. The small possibility of the ocean liner sinking doesn't stop them from jumping away from something that is certainly worse.

Still, even if you've accepted the desirability, or at least the necessity, of moving to the cloud, that doesn't help with the most critical first step -- choosing a cloud provider. Since the whole point is that cloud providers are likely to do a better job than you could in-house, you need to be sure you're not choosing an exceptionally bad one. You need a cloud provider that you can trust to be both ethical and competent, but you're not exactly an expert in evaluating cloud providers. What do you do?

Basically, you become an informed consumer. You look for comparisons of service providers by neutral third parties. You look for relevant certifications such as ISO 27001 for cloud security. And you make prospective cloud vendors answer some tough, intelligent questions.

At Mimecast, we've recently put together a list of questions that cloud vendors might not want to be asked. It's tough enough that you might not find any vendor with a perfect answer to every one of them -- including us. But you'll learn a great deal about a provider from how they try to answer questions such as these:

-- How do you manage your cryptographic keys?
-- How do you handle change control in your software?
-- How do you handle patches to your OS and other key software?
-- How do you encrypt all client data at rest? Do you guarantee its integrity? What is the customer's role in keeping it safe?
-- Are your development and operational platforms well separated?
-- What access do your administrators have to customer data?
-- What are your BCPs on matters like testing, documentation, etc.?
-- How redundant is your data and how do you prevent/recover from outages?
-- Do your employees have constrained, granular roles that are easily configured?
-- How do you manage security incidents? What is logged? How long is it retained?
-- Who are your third-party security auditors?
-- Do you do regular penetration testing and vulnerability scanning?
-- Are your platform and business ISO 27001 accredited? If not, why not?

Nothing can guarantee that you won't have a bad experience with a cloud provider, any more than an airline can guarantee that it won't kill you. But that doesn't mean you should start building your own plane, because the professionals will almost certainly do a better job. Similarly, bad cloud experiences should be vanishingly rare if we have informed, questioning customers, professional service providers, and neutral third-party auditors for compliance and security,