Increasingly, small and medium-sized businesses (SMBs) are relying on cloud service providers (CSPs) to help accelerate their growth. A CSP provides smaller enterprises with greater business agility to respond to competitive pressures, to exploit advances in IT, and to enter new markets and grow their businesses.

This white paper lays out questions SMBs should ask prospective CSPs. It’s divided into seven critical areas involved in selecting a CSP:

  • Experience
  • Pricing
  • Security
  • Compliance
  • Service levels (uptime, availability, capacity)
  • Disaster recovery
  • Support


What Every SMB Should Ask a CSP

Cloud services are flourishing. According to Gartner, the worldwide public cloud services market is projected to total $246.8 billion in 2017, an 18 percent hike from $209.2 billion in 2016. Gartner predicts that through 2020, cloud adoption strategies will influence more than 50 percent of IT outsourcing deals.

A healthy percentage of the cloud adoption stems from SMBs, who are increasingly relying on CSPs to help accelerate their growth. Applications and services previously available only to large enterprises are now benefiting millions of smaller businesses thanks to the cloud.

As IT gets more complex and sophisticated, it gets more expensive for SMBs to keep pace. A CSP provides smaller enterprises with greater business agility to respond to competitive pressures, to exploit advances in IT, and to enter new markets and grow their businesses.

Turning over everyday and mission-critical business applications to a CSP is a big step. SMBs need a trusted partner. To choose from the many CSPs out there, an SMB needs to vet prospects with the right questions. And that’s the purpose of this white paper.

Following is a checklist of questions to ask prospective CSPs, divided into seven critical areas involved in the selection process:

  • Experience
  • Pricing
  • Security
  • Compliance
  • Service levels (uptime, availability, capacity)
  • Disaster recovery
  • Support


SMBs should look for a CSP that has success with businesses and technology similar to theirs. The CSP should have demonstrable experience moving applications to the cloud, and processes to help ensure a smooth migration.

  1. How long has the CSP been in business?

Years in business is only one measure of experience, and not necessarily the most important one. Ask about the CSP’s target clients and applications and services expertise. How many support engineers does the CSP have? Are they up on the latest technology? Has the provider ever suffered a security breach? If so, how was it remediated?

  1. How will the CSP relate to you on an ongoing basis?

Will there be one person assigned to you or different people for individual services? How will service-related matters be communicated? What is the contact information and hours of contact? Will service or integration status reports be provided regularly? Does the CSP have a self-service portal or web interface for communications?

  1. Can the CSP scale to meet your business needs?

As your business grows, you want to be assured the CSP has the staff, capacity, and other resources to scale with your business. Can you easily add additional users to your account? You want a CSP with the resources and flexibility to scale up when your business expands and scale down if your business contracts.

  1. For migration, what are the duties of the CSP? What are your duties?

Ask for documentation showing all the migration steps the CSP will handle and what you will be responsible for. You don’t want to discover gaps in the process during an actual migration. Can virtual machines be imported, or will you have to move data and applications to new machines? Does the CSP perform migrations regularly? What is the CSP’s record for minimizing downtime and maintaining data integrity?

  1. How can you get your data back, if needed?

If your service agreement with the CSP ends, you need to know the terms for retrieving your data. How much time do you have to get the data? How long does the CSP hold data before deleting it? Can you retrieve your data without assistance from the CSP? What format will the retrieved data be in?


Cost savings is one of the chief benefits of using a CSP, as is the advantage of having predictable recurring costs. Cloud computing is based on a usage model. Usage can fluctuate, however, and service-level agreements (SLAs) can also impact price. As with any outsourced service, it’s important to understand the CSP’s pricing structure and exactly what you’re paying for.

  1. For each service you want, what are you purchasing and what is the cost?

What is the CSP doing for the pay-as-you-go service? Is the cost based on data size, data usage, number of users, or another condition? If there are add-on services, what is the cost and process for adding them? Are fees charged hourly, monthly, semi-annually, or annually? Be skeptical of large upfront costs.

  1. If your service agreement with the CSP ends, when will billing cease?

Also, find out how termination is communicated. Email, phone, written letter?

Online Security


Security is a top concern when it comes to outsourcing any business application or service. Security measures should be in place not only for the CSP’s hardware and software, but also for the provider’s data centers and personnel. Additionally, the same provider may have different security standards for different services.

  1. Where are the CSP’s data centers located?

Inquire about the location of the data centers and servers where your company's information will be stored. If outside the U.S., do laws of another country affect use of the data? Can the CSP follow the privacy requirements of the locations your company does business in? Are data centers geographically dispersed to help ensure recovery from natural or other disasters?

  1. How are the data centers safeguarded physically?

Physical access to the provider’s data centers should be strictly controlled in multiple ways, for example, badge readers on external doors, biometric locking mechanisms throughout the facility, and keyed or combination locks on cabinets. What other measures are in place to prevent data and equipment theft? Are the loading docks secure?

  1. What security software and technology does the CSP use?

Ask about antivirus, anti-malware, firewall, data encryption, and other security protections. Does the CSP conduct background checks on its employees?

  1. How is your data protected in transit?

Ensure the provider can guarantee data segregation and protection for documents and data during transfer. Is SSL encryption used? Is SSL from a third-party Certificate Authority, or CA?

  1. What are the CSP’s authentication and access procedures?

The cloud provider should demonstrate adequate oversight and access controls. How is access authenticated? Is multifactor authentication used? How granular is the access, for instance, do you have the ability to access specific folders?

  1. Who has access to your data, both physically and virtually?

Are there locks, alarms, or other physical security safeguards to protect your data from unauthorized access. How is your data accessed virtually? Is it over a VPN? Is it encrypted?

  1. How is your data segregated from the data of other clients?

Ask the CSP to describe its multitenant architecture. If the CSP is sharing hardware resources among multiple clients, or tenants, what protections are in place to ensure your data remains isolated? If disks are reused, how well are they scrubbed before being allocated to another tenant?

  1. How long will the CSP store your data?

Find out when and how your data will be deleted to ensure it can’t be accessed later. Does the CSP provide all the data storage in-house, or is it outsourced to a third party?

  1. What monitoring and reporting controls are in place?

How is the provider’s network monitored? How does the CSP monitor its data centers and network? Are security personnel available 24/7? Can the CSP supply proof of monitoring and reporting controls, if investigated?

  1. If a breach occurs, how will you be notified?

The CSP should have documented procedures detailing the steps that will be taken to communicate the breach (initially and throughout the incident), mitigate risk, and successfully remediate the issue.


Any SMB that has government or industry compliance requirements must vet the CSP’s commitment to helping ensure those requirements are met consistently.

  1. What compliance standards does the CSP have expertise in?

Practices and procedures for compliance should be documented and up to date.

  1. What measures are in place to ensure that data will comply with regulatory audits?

The CSP’s platform should meet rigorous privacy and compliance standards. Are independent audits of the provider’s infrastructure, services, and operations conducted periodically? Does the provider undergo third-party audits or certifications?

Service Levels

When it comes to SLAs, there shouldn’t be any doubt over precisely what they do and do not cover.

Learn about each server's redundancy and ask for details and related costs about the restoration process.

  1. What uptime does the CSP commit to?

Some CSPs commit to 99.9 percent uptime and back it up with a financial guarantee if the uptime isn’t met. Ask about the provider’s uptime history.

  1. How does the CSP manage capacity?

What processes and systems are in place to anticipate and respond to impending needs and fluctuating workloads? Is capacity added when utilization reaches a specified percentage or other threshold?

  1. How many other clients and users will be sharing the same bandwidth with you?

What minimum upload and download speeds can you expect on a consistent basis? You want to ensure sufficient bandwidth for your applications to perform well.

  1. How is resource utilization monitored and reported?

How are alerts issued? Under what conditions? How thoroughly does the CSP monitor its environment? Are real-time monitoring tools used consistently?

  1. How does the CSP ensure performance and availability?

Are there any single points of failure in critical systems? If so, how are they handled? Will your application run on a single data center or geographically redundant systems? Is effective load balancing done to handle requests on multiple servers?

  1. What is the CSP’s average total downtime for the applications or services you’re using?

Ask for the average total downtime annually, over two years, three years, or another time period. Of course, you’re looking for a low percentage relative to the service provided.

Disaster Recovery

Outages are bound to happen. You need to know if you, the CSP, or both are responsible for recovery. All disaster recovery measures should put a priority on security and uptime.

  1. What is the CSP’s backup and recovery strategy?

The provider should have complete data restoration capability. How often are backups performed? Is backup conducted offsite? Is backup data encrypted? What data redundancies are in place to mitigate the risks of data loss? Is there a documented disaster recovery plan?

  1. Are there provisions in the SLAs that address data loss? Recovery SLAs for your applications?

Will the provider compensate you for losses? Does the CSP have insurance in the case of an outage or data loss? Has the CSP experienced any significant issues resulting from the loss of customer data? Ask the CSP about recovery point objectives (RPOs) and recovery time objectives (RTOs).


The level of support an SMB needs depends on the SMB’s internal IT expertise and the complexity of the applications or services. One SMB may never have to call on the CSP for support, while another SMB may depend heavily on the CSP for guidance and troubleshooting. Regardless of the level of support needed, a CSP should be backed by knowledgeable, reliable tech support.

  1. Is tech support offered around the clock?

It should be. You shouldn’t have to worry about being in a situation without available support. How many support engineers does the CSP employ? What’s the average response and resolution time, or mean time to respond and mean time to repair? Are self-service alternatives in place, with live representative backup?

  1. How does the CSP keep up with advances in technology?

What training does the support staff undergo? What industry and vendor certifications do they hold? Are the certifications up to date?


SMB adoption of cloud services will continue to rise. The business agility and competitive gains of using a CSP are too compelling for most SMBs to dismiss without consideration. Thorough vetting of prospective CSPs should allay any lingering reservations an SMB may have about cloud adoption. And help to lay the foundation for a lasting relationship with a trusted partner.

[Insert Insynq promo as a pullout in the margin or other white space on the page]

Insynq: The Gold Standard for Cloud Services

Insynq partners with some of the industry’s best—Intuit, Microsoft, Dell-EMC, and others— to provide SMBs with leading applications such as QuickBooks, Sage, Lacerte Tax, Drake Tax, SAP, Microsoft Office, and Microsoft Dynamics, Act!, and Goldmine CRM.

If you would like to find out more about Insynq’s proven expertise and excellence in cloud services, call the provider at 866-206-1781 or visit

[End Insynq pullout]

REFERENCES:, “Gartner Says Worldwide Public Cloud Services Market to Grow 18 Percent in 2017”

Business Wire, “Odin SMB Cloud Insights Report Forecasts 11.4 Percent Industry Growth over the Next Three Years in the United States,” May 12, 2015

CloudTech, “Three Major Cloud Trends for 2017: SMBs, Vendors, and Architecture,” January 26, 2017

Blog cloud computing cloud hosting cloud provider cloud service Cloud Solution Cloud Supports cloud technology Compliance CSP disaster recovery enterprises Experience Accounting in the Cloud IT outsourcingIT outsourcing large enterprises mission-critical business public cloud security SMB Support

Got a question? Ask us.