in depth...

A guide to selecting a Cloud Service Provider: best practice (part 3)

How to select a Cloud Service Provider

With data at the heart of egaming performance, the security risks attached are significant. While recent developments in European Data Protection and the MGA consultation document introduce regulatory and compliance concerns, selecting a cloud service provider just got more complex. In this article/series of articles, Scott Hanson lifts the lid on the best practice guidelines anyone using cloud services within egaming should adhere to.


In the third and final chapter to our Best Practice Guide: How to select a Cloud Service Provider, I will cover what I think are the add-on services which really make a difference to your business. Note that these are not requirements – yes, you can do without them – but just like that recyclable paper sleeve that accompanies your take-away coffee, they do make it a lot more comfortable to enjoy the service. Cloud services are not a commodity when enjoyed with the right supporting services.


Monitoring will support some of your regulatory requirements, and will also enable your business to take a proactive approach. Monitoring can happen purely at the platform level, or it can extend to the full managed service. With effective monitoring you have full visibility of performance, events, and can even pre-empt some incidents. With capacity reporting and trending reports, you’ll be able to adjust your provisioning, plan for future, better scope out new projects – in short you will be able to take a proactive approach. By being better able to plan work your IT team is yet again better able to use their time and resources. A key question to ask, whether monitoring is handled inhouse or is out-sourced is ‘who monitors the monitor?’

Risk Management

Audit trails of changes ensure full accountability and auditability in the event of an incident. Other factors within the discipline which contribute to minimised risk are system logs and security logs, as well as server change tracking. Look for cloud service providers which can provide the full catalogue of risk management practise, which always starts at a scope assessment, where key processes and dependencies are identified, and a risk register is maintained. With essential risk management processes in hand, compliance requirements become easier to handle, and operational routines absorb less IT resource. There are tangible business benefits in implementing change control measures, configuration management, and incident management. (could this paragraph be built out?)

The extras that make the difference

The cost of con-compliance with PCI DSS does not require a great deal of illustration. High profile breaches have in the past attracted a lot of media attention; in part playing on end-users fears surrounding the integrity of their data, in part citing exorbitant remedial fees, and also no doubt from a data forensics angle, when it is unearthed how the breach could take place. Anyone who has been involved in preparing for a PCI audit knows the rigorous processes to adhere to, and the extensive reports that are required. The audit may be onerous, and in the public cloud the fear of a breach is real. When applying these requirements to a private cloud, partnering with the right specialists is critical. An operator whose card processing facilities are removed in response to an occasion of non-conformance will also be subject to card scheme fines with no upper limit and forensic investigation costs. This along with reputational damage can damage a business beyond repair. It is important to understand how your CSP meets your compliance requirements, and ensure that they are able to maintain flexibility around these needs. A capable cloud service provider will offer managed services which are ISO certified, and have an understanding of PCI DSS requirements on your business, as well as an ability to work with you to establish which parts of the service are within scope our outside of it.

Here are the keys to managing risk:

  • Look for cloud service providers who are ISO-certified to be assured of their ability to provide resilient services in line with best practice security processes. This will greatly ease your regulatory and compliance requirements, as a large part of the objectives can be met by the service provider. Not only that, it will offer you peace of mind that the managed services you’re enjoying as a client are effective and securely delivered.
  • Explore what areas of compliance can be outsourced, now or in future. Simplify your reporting, leaving these to the provider where possible.
  • Consider whether the provider’s accreditations can help your business adopt more resilient processes. This way your business can benefit in many ways from their approach.
  • Discuss change control and incident management with your cloud service provider. This will help you set expectations and identify whether you have a direct contact available when you need them



Still think all these elements are nice-to-haves that are added onto a commodity service? The cost of not comparing service providers is that you may face

-being tied to long contracts

– failing to realise full benefits of service

– lack of control

– lack of auditability

– non-compliance


In summary, therefore, adopt the following principles to ensure that your deployment of cloud services meets with the following checkpoints:

1 Certification

2 Geographic location

3 Backup and Disaster recovery

4 Right to audit

5 Reports for PCI compliance

6 Encryption

7 SLAs


We frequently run POCs (proofs of concept) for our clients and would be delighted to talk to you about your next project, whether it is running an additional environment or the launch of your startup. If you would like some more information on recent launches and recent clients, please get in touch with us!



Some definitions:

  • CSP: cloud service provider
  • Operator: company providing gambling to end users
  • Public cloud: deployment of services in a shared hosting environment;
  • private cloud: either on-premise or off-premise hosting which is not shared
  • hybrid cloud: a deployment which combines public cloud and private cloud deployments on for example external-facing domains and databases;
  • IaaS: infrastructure as a service or the renting of infrastructure on a contract from a provider, PaaS: platform-as-a-service, renting of for example a gaming technology platform on a contract from an external provider;
  • SaaS: software-as-a-service or the usage of software from a provider in a cloud deployment as opposed to on-premise.



Topics covered in this part of the guide – watch this space for further articles on these!

  • Scope
  • Processes
  • Dependencies
  • Maintain a risk register
  • Monitoring
  • Tracking
  • Audit trail
  • System logs
  • Security logs
  • Server change tracking


  • Case Studies
  • Guides
  • White Papers

Ask a Question? Set up a Demo? Put us to the test?

Call 0207 685 8000 or

Ardenta triumphs at EGR B2B Awards 2017

The e-gaming industry’s most prestigious awards event recognises Ardenta as IT Supplier more

Webinar: Myth Busting: The truth about Amazon, Cloud and promoting agility

If you missed the webinar, get in touch for a white board session and insights into more

Equinix Collaborates with VMware to Bring Direct, Private Access to vCloud Air, Globally

Ardenta and its customers benefit from the low-latency connectivity to vCloud Air in more

Trusted by