How to Evaluate Cloud Providers: Checklist Step 5

December 12, 2023 | 6 minute read

Using the checklist introduced for this case study about evaluating cloud services, 123 Bank Corp defined their security, privacy, and functional requirements. Stakeholders then identified and researched their top potential suppliers. This post focuses on step 5 of their checklist, in which 123 Bank Corp evaluated the specific cloud services.

 

Step 5: Evaluate Cloud Services Against Detailed Requirements  

Having completed its research on financials, contract terms and other supplier considerations, 123 Bank Corp performed a detailed review of the cloud services themselves. Specific cloud services were compared for how fully they satisfied these categories of requirements:

Based on input from business and technical teams, 123 Bank Corp evaluated the Oracle cloud services in the table below. The team compared notes and highlighted the Oracle information resources that were helpful for their research.

| Solution Needed | Oracle Cloud Services |
| --- | --- |
| Integrated Software as a Service (SaaS) applications for financials and personnel management | Cloud Applications: |
| IaaS Compute environments for hosting Java-based customer banking portal | Oracle Cloud Infrastructure (OCI) Compute options: |
| IaaS database services to support customer banking portal | Oracle Autonomous Database |
| IaaS integration services to connect cloud services to legacy on-premises systems and other applications | Oracle Integration |
| IaaS artificial intelligence (AI) and machine learning platform | OCI Digital Assistant |

 

Security and Compliance Resources

When the 123 Bank Corp project team researched companies in a previous step, they noted that the Oracle Trust Center included the Cloud Compliance dashboard. That site identifies product groups that hold attestations against various compliance frameworks for one or more cloud services. Some IT staff used their Oracle Cloud Infrastructure (OCI) account to download audit reports from the OCI Console. Other attestations were obtained from Sales. Compliance experts validated the time period and the scope of cloud services and data centers for all relevant attestations (cloud audit reports).

123 Bank Corp’s security experts discovered that Oracle publishes details about the security of Oracle cloud services in Consensus Assessment Initiative Questionnaires (CAIQs). CAIQs are industry-standard questionnaires from the Cloud Security Alliance (CSA). They downloaded CAIQs for OCI, Fusion ERP and Fusion HCM from the public page. In the CAIQs, they found answers to hundreds of essential questions encompassing control domains such as application security, change management, human resources, governance, access management, mobile devices, encryption, and many more.

Resilience and Business Continuity Resources 

123 Bank Corp’s risk management team supported the cloud service evaluation by analyzing information about Oracle’s Risk Management Resiliency Policy, which defines requirements for all Lines of Business (LOBs) to plan for and respond to potential business disruption events. 

IT staff responsible for deploying and managing IaaS services (compute, database, AI, etc.) for this initiative explored architectural strategies for designing resilience into an OCI tenancy by applying the recommendations for Regions, Availability Domains and Fault Domains.

Features and Functionality Resources

Hands-on learning opportunities such as free OCI trial tenancies and Always Free OCI services were particularly favored by the Development and IT teams. Several technical and business leaders got a great grounding in the products using Oracle University free learning paths for cloud applications and OCI. Oracle’s documentation about implementing, managing and using Oracle cloud services was considered as well.

To test out the OCI Digital Assistant for AI and machine learning, 123 Bank Corp completed this hands-on chatbot lab using OCI free tier services.

Cost Savings Resources

Finance and IT teams of 123 Bank Corp collaborated to estimate cost savings based on the types of cloud services and their planned workloads using the Oracle OCI Cost estimator and OCI Pricing.  

Deployment Resources

Given the tight schedule for this initiative, 123 Bank Corp considered Oracle’s Dedicated Region (Cloud at Customer) solution but decided to use existing Oracle cloud data centers instead. The Oracle cloud services they want are already available in their target locations, and independent third-party auditors have already validated the security and privacy controls. This fast on-ramp met their timeline.

 

Lessons Learned: 123 Bank Corp’s Procurement Journey

123 Bank Corp’s approach to cloud service evaluation helped them purchase the cloud services which best fit their requirements. Additionally, the formal process used to evaluate the vendors and the early identification of security and regulatory requirements allowed the bank to manage the selection process effectively while obtaining buy-in from the key stakeholders. Performing a comprehensive needs analysis in the first two steps of the checklist made supplier selection more effective, as they had defined clear criteria for success.

Your organization may find this checklist and supporting Oracle resources helpful for choosing cloud services which align to your requirements for security, privacy, compliance, resilience, features, and cost management:

  1. Identify security, privacy, and compliance requirements for these specific solutions
  2. Define features and functional requirements, including resilience
  3. Generate a “short list” of suppliers offering relevant cloud solutions
  4. Research “short list” of cloud provider companies: financials, global cloud data centers, support
  5. Evaluate cloud services against requirements for each solution

Get started today:

  1. View the case study video: How to Evaluate Cloud Providers
  2. Take a video tour of the Oracle Trust Center
  3. Explore the Oracle Trust Center:
      1. Corporate Security Practices: dive deep on policies and practices
      2. Cloud Security Practices: completed Consensus Assessment Initiative Questionnaires (CAIQs)
      3. Cloud Compliance: attestations
  4. Apply this checklist to your cloud service procurement process

This blog entry is part of a 4-blog series:

  1. How to Evaluate Cloud Providers: Checklist and Case Study
  2. How to Evaluate Cloud Providers: Checklist Steps 1 and 2
  3. How to Evaluate Cloud Providers: Checklist Steps 3 and 4
  4. How to Evaluate Cloud Providers: Checklist Step 5

Nancy Kramer

Nancy Kramer has over 20 years of experience managing risk, security, privacy, audit and compliance for complex business processes and computing environments. Nancy advises Legal and other teams making decisions about information security policy, customer commitments and obligation management. She also manages programs which seek to educate personnel and customers about Oracle's security and compliance posture in the Oracle Trust Center (oracle.com/trust). She offers actionable guidance to customers in blogs and webinars.
