Cloud provider due diligence done right

The key questions and considerations for your organisation before it moves to public, private, or hybrid cloud.
Written by Tim Lohman, Contributor

Moving to the public cloud, or building your own private or private/public hybrid cloud? Success isn't guaranteed. But success is a lot more likely if you've done proper due diligence.

RealEstate.com.au's technology services manager Damian Fasciani explained how REA Group, the owner of RealEstate.com.au, approached its due diligence ahead of creating a 90 percent virtualised private cloud, and now a hybrid private/public cloud. This hybrid cloud will allow the company to host its RealEstate.com.au site in the Amazon Web Services (AWS) public cloud, as well as give IT and the business the tools they need to create daily improvements and upgrades to critical systems.

"When we started looking over due diligence a couple of years ago, one of the things I did was create a due diligence process internally with different categories on what you need to do when you want to migrate to cloud — how you can have a structured approach when talking with vendors," Fasciani said.

"I would advise that the due diligence process is essential in setting up success for an organisation. You do need to take your time, ask the right questions in order to get the right responses you need."

"Our due diligence model covers a few key areas, beginning with security," he explained. "That's everything to do with data integrity, security of our infrastructure, data encryption, where data is held, how backups are executed, and what third-party vendors a cloud vendor relies on to provide the services back to us."

"We also have areas which cover off underlying cloud infrastructure," Fasciani said. "That's everything from where their services sit, how they operate, disaster recovery, and vendor lock-in as well. That means having a level of terms which aren't negotiable.

"When we sign up with a cloud provider, we don't want to sign contracts which are longer than 12 months, because 12 months is a lifetime now in our industry, and anything can change."

"We also look at how we can export and manage our own data, getting access to code or customised code if we have gone down that path with the provider — having access to that," he said.

The vendor

"Our due diligence process also covers off how the cloud vendor is structured — who is in charge of what areas; what certifications they have around security, how they obtain those certifications, and how they keep up to industry standards around security as well as operational efficiencies around data centre practices," Fasciani said.

"We make it quite clear that we are willing to sign NDA [non-disclosure agreements] with vendors as well, so that we can get access to the information we need.

"Some vendors are easier to deal with than others. The due diligence process is a really good way of assessing the kinds of vendors you'll be dealing with. The quality of the responses you get back, the engagement you get over the due diligence process tends to tell you how that company operates."

ROI assessment/product brief

"Based on all the information we get back, I would always advise that the IT department needs to clearly articulate the return on investment and what the business impact will be when you incorporate cloud into your organisation," Fasciani said.

"We also write a product brief after we get our due diligence answers from vendors and that product brief articulates the business value, a business summary, and puts the product into key business terms for the areas of the business which will utilise the product.

"We give that product brief to our legal team, which goes over the terms and conditions of the service, and we bundle all that together. What that does is drives the terms of service of that product internally.

"My team then plays the role of advisor: 'You need to solve these business challenges, we're advising that we use this cloud technology, here's our product brief and due diligence process.'"

Industry bodies

"For companies which don't have the guidance on what to ask, my understanding is that the federal government is coming out with some standards around cloud governance and security and due diligence ... that will give businesses a good framework to follow," Fasciani said.

"The Cloud Security Alliance, a US organisation, is also starting to provide some good guidance on due diligence and cloud vendors. We have looked to them as well to tighten up our due diligence process.

"Getting information from different sources, pulling it all together, and making sense of what's right for your organisation and forming your own due diligence process is essential.

"I think the one gap in our industry right now is that there really isn't an independent body which doesn't have a vendor or a product in their back pocket which they are trying to sell, and who can give you a non-biased opinion on which cloud technologies to adopt, how to adopt them, how to turn them on, and how to maintain them.

"Normally, when you speak to vendors, there is always a product they are trying to sell, or they are speaking on behalf of another vendor. That is a gap we are currently experiencing now. Companies like REA, which are lucky enough to have technical knowledge internally and a wealth of experience, are OK. We evolve our own process. But for companies who don't have that, it can be a little bit more of a challenge."

Review your due diligence

"We review our due diligence process every three months. It has gone through nine iterations since 2011, and those iterations have covered off more questions — different questions around security, data encryption, and the business-related questions we ask," Fasciani advised.
