Choosing a Cloud Service Provider in 2026
The 2026 cloud decision is rarely greenfield. It's a response to a bill, a renewal, or an MSP that stopped returning calls. Here's how to think about it honestly.
Nobody in 2026 wakes up wanting to shop for a cloud provider. The conversation starts when a VMware renewal comes back at three times last year’s quote, or a Microsoft licensing change blows up the budget, or an MSP that set this up years ago stops returning calls.
That’s a different conversation than “how do I choose a cloud provider.” Almost nobody is choosing from scratch. Most are reacting to a bill, a renewal, or a relationship that broke.
This post is for the owner or operations lead who just found themselves in one of those conversations. The questions that matter in 2026 are not the ones on any vendor’s landing page.
Your Productivity Suite Already Picked Your Cloud
The user-facing cloud decision got made upstream of the admin conversation. If you run Microsoft 365, your identity lives in Entra, your files in SharePoint and OneDrive, your collaboration in Teams, and your security center in Defender. That’s one ecosystem on Microsoft’s cloud. If you run Google Workspace, the same story plays out on GCP. The coupling that decides your migration cost is productivity, identity, and data gravity. It barely moved in 2026.
What did move is the AI layer underneath. Frontier labs are compute-constrained and buying wherever they can get it. Microsoft’s Copilot now calls Anthropic’s Claude alongside OpenAI’s models. OpenAI is sourcing capacity from Oracle and Google in addition to Azure. AWS, Azure, and Google Cloud are each selling compute to every major lab that will take their invoice.[1] The one-provider-per-AI-vendor story that held in 2023 is not how 2026 looks.
The practical takeaway for an SMB buyer: the model underneath matters less than the productivity suite on top. The model gets swapped in the background every few months. The identity, data, and collaboration surface does not. That is what pulls you into a cloud ecosystem and decides what your migration actually costs.
Among small and mid-sized businesses, AWS still leads in raw infrastructure usage at 53%.[2] That number hides what most Florida SMBs actually do: they run productivity on Microsoft 365 and pick infrastructure workloads later, if at all. The users and the data are already in one ecosystem. The infrastructure decision follows.
The real 2026 question is not “which of the three hyperscalers.” It is “what do I already run, what does my team already use, and what is the honest path from here to a working stack without burning six figures on migration theater.”
Why We Run One Stack for Every Managed Client
Every Florida business we manage runs on Microsoft 365 and Azure. Every one. That is a conviction, not an accident.
Pattern recognition compounds. When dozens of tenants hit the same misconfigurations in Conditional Access, the same gaps in legacy MFA, and the same cost surprises in Azure reserved capacity, we see it coming before it breaks. An MSP that runs five different clouds has five first-timer experiences every quarter.
The stance has a cost, and we will say it out loud. If your business runs on Linux-native infrastructure, builds custom AI models on raw GPUs, or lives in AWS GovCloud for federal reasons, we are not the right partner. Call a specialist. The answer to “which cloud” should never be “whichever one our MSP is comfortable with.”
For everyone else, which in Florida is most SMBs, Microsoft 365 plus Azure plus a partner who already knows the specific potholes is the stack that works.
Identity Is the Actual Security Question
The last time most business owners vetted a cloud provider, the questions were about where the data center sat and what physical security protected it. That conversation moved. Credentials are the perimeter now.
The Verizon 2025 Data Breach Investigations Report found stolen credentials in 88% of basic web-application attacks.[3] Mandiant’s 2026 M-Trends report measured the median time from initial compromise to handoff between threat groups at 22 seconds, down from more than eight hours in 2022.[4] By the time an endpoint alert fires, the next crew is already inside.
The attack pattern specific to Microsoft 365 shops is the one we see most. A phishing page in the middle captures the session token after the user completes their MFA prompt. The attacker replays the token, skips the login flow, creates inbox rules to hide security alerts, then pivots outward to the victim’s contact list before anyone notices. eSentire measured a 389% year-over-year surge in account compromise incidents in 2025. Half of those targeted Microsoft 365.[5] Our ransomware guide walks through the full attack chain.
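The sequence above (a session reused from a new origin after MFA, then an inbox rule that hides alerts) leaves a trail a defender can correlate across sign-in and mailbox audit data. The following is an added example, not part of the original article, run over constructed events; the field names are simplified assumptions, not the exact Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified assumptions for this
# example, not the exact Microsoft 365 sign-in or audit log schema.
EVENTS = [
    {"t": "2026-03-02T14:01:10", "user": "pat@example.com", "kind": "signin",
     "session": "s-100", "ip": "198.51.100.7", "mfa": True},
    {"t": "2026-03-02T14:03:42", "user": "pat@example.com", "kind": "signin",
     "session": "s-100", "ip": "203.0.113.50", "mfa": False},
    {"t": "2026-03-02T14:09:05", "user": "pat@example.com", "kind": "inbox_rule",
     "session": "s-100", "ip": "203.0.113.50",
     "rule": {"SubjectContainsWords": ["security alert", "suspicious"],
              "DeleteMessage": True}},
    {"t": "2026-03-02T15:00:00", "user": "lee@example.com", "kind": "inbox_rule",
     "session": "s-200", "ip": "198.51.100.9",
     "rule": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"}},
]

ALERT_WORDS = ("security", "alert", "suspicious", "password", "phish", "mfa")

def hides_alerts(rule):
    """True if the rule deletes or moves mail matching alert-like keywords."""
    hides = rule.get("DeleteMessage") or rule.get("MoveToFolder")
    words = " ".join(rule.get("SubjectContainsWords", [])).lower()
    return bool(hides) and any(w in words for w in ALERT_WORDS)

def find_replay_then_rule(events, window=timedelta(minutes=60)):
    """Flag sessions reused from a new IP without MFA, then used to hide alerts."""
    mfa_ips = {}      # (user, session) -> IPs where MFA was completed
    replayed = {}     # (user, session) -> time of first reuse from a new IP
    findings = []
    for e in sorted(events, key=lambda e: e["t"]):
        key, when = (e["user"], e["session"]), datetime.fromisoformat(e["t"])
        if e["kind"] == "signin" and e["mfa"]:
            mfa_ips.setdefault(key, set()).add(e["ip"])
        elif key in mfa_ips and e["ip"] not in mfa_ips[key]:
            replayed.setdefault(key, when)
        if (e["kind"] == "inbox_rule" and key in replayed
                and when - replayed[key] <= window and hides_alerts(e["rule"])):
            findings.append({"user": e["user"], "session": e["session"],
                             "replay_ip": e["ip"], "rule_time": e["t"]})
    return findings

if __name__ == "__main__":
    for f in find_replay_then_rule(EVENTS):
        print(f)
```

Neither signal is reliable alone: users change networks and create mail rules legitimately. The correlation of both on one session inside a short window is what makes the finding worth an analyst's time.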
The four 2026 questions to ask a cloud provider about security:
- Do you enforce phishing-resistant MFA, meaning hardware keys or passkeys, on administrative access?
- Do you support Continuous Access Evaluation, so a compromised session gets revoked in seconds instead of hours?
- Where do the backups live, and can a single domain-admin compromise reach them? The right answer is no.
- What happens to our session tokens the moment a risk signal fires?
A provider that answers those four with specifics is a different category of provider than one that sends a SOC 2 report and hopes you stop reading.
Where Cloud Bills Actually Come From in 2026
Cloud pricing has four surprises in it in 2026, and “hidden charges” is the least interesting of them.
Cloud spend waste runs around 28% across the industry.[2] A business on pay-as-you-go pricing for workloads that run every single month is paying a 30 to 40 percent surcharge for flexibility it is not using. Reserved Instances and Azure Savings Plans close that gap with a one-year commitment. Most SMBs never buy them.
Egress fees, the cost of moving your own data off your provider, were the classic cloud lock-in complaint. All three hyperscalers now waive egress for customers leaving the platform, but the waiver is not automatic. You have to request it, prove the migration, and work inside a credit window.[6] The daily data movement you do on purpose still costs what it always did.
The AI workload added a new category of bill shock. H100 GPU instances run $30 to $50 per hour at a hyperscaler.[7] A dev team spins up GPU-backed services for an AI pilot, the pilot drifts into production, nobody sets spending alerts, and a five-figure monthly invoice shows up before finance notices. For most SMBs the analog is less dramatic: AI API token overruns, Copilot license sprawl, the fifth Power BI workspace nobody opens. Same dynamic, smaller numbers.
The repatriation story made the rounds last year. 37signals finished deleting its AWS account in 2025 and projected more than $10 million in savings across the following five years.[8] The math held for 37signals: stable, predictable SaaS workloads, a dedicated ops team, and $2.2 million in hardware they bought and racked themselves. It does not translate to a fifty-person business without an infrastructure team. The narrower lesson stands: cloud economics favor variable workloads. Predictable, month-after-month workloads deserve a hard look at reserved pricing or, occasionally, at bringing the thing home.
The Real Questions to Ask
Four groups of questions separate a real cloud operator from a reseller. A good provider answers each of them in a sentence.
Identity and access. Do you require phishing-resistant MFA on admin accounts? Can you show me how Conditional Access is configured for my tenant today? How are service accounts and API keys inventoried, rotated, and retired?
Compliance and certifications. May I see your SOC 2 Type II report, not the marketing claim? Will you sign the agreement my industry actually requires, the HIPAA BAA for healthcare, the CJIS security addendum for law enforcement, the PCI DSS AOC for retail? Where is my data physically stored, and will you commit to it in the contract?
Data protection and recovery. Are your backups immutable, and do they live in a separate authentication domain from production? When did you last run a full restore test on an account my size, and what was the actual recovery time? What is the written procedure if your platform is the initial vector in an attack on my business?
Shared responsibility. Can I have a written matrix that names every control in our deployment as yours, mine, or shared? Snowflake’s customers learned in 2024 that “shared” without specifics means “yours when there is a bill and theirs when there is a lawsuit.”[9]
If the person across the table cannot answer those crisply, you are not speaking to the person who will be on the phone the night something goes wrong.
Red Flags in a Cloud Proposal
Four patterns that reliably mark a pitch you should walk away from.
“We partner with everyone.” Translation: we have committed to nothing. The MSP that sells AWS, Azure, GCP, and three private clouds is expert at none of them. Pick a partner whose hammer matches your nail.
All-you-can-eat pricing with no commitment detail. A flat monthly number that never explains what is included under which workload assumption will always reconcile in the provider’s favor. The pricing conversations that end well end with a per-user, per-tenant, per-workload breakdown you can model.
No identity story. If the deck is about uptime SLAs and data-center tours, you are being pitched a 2014 product. The 2026 pitch leads with how they secure administrative access, how they detect token theft, and how they revoke sessions.
No named backup product. “We take backups” is not a backup strategy. The answer you want names a specific vendor, a specific immutability posture, a specific retention window, and a specific date of the last successful restore test.
Where Think Fits
We have run Microsoft 365 and Azure for every Florida business we manage since 2011. Every managed client, no exceptions. Across those businesses, law firms and country clubs and healthcare practices and retailers and family offices, the three things we catch every month are identical: Conditional Access gaps that let token theft slip through, admin accounts on MFA that phishing kits now bypass in real time, and SharePoint sharing defaults that nobody has looked at since setup.
Here is what the work looks like once we are in. Our Microsoft 365 tenant configuration is scripted and pushed programmatically, same security baseline every time. Cybersecurity runs SaaS Alerts on the tenant and feeds the events to the Rocket Cyber SOC in Miami, where real people answer at 3 AM. Backup and disaster recovery protects email, OneDrive, SharePoint, and Teams through Datto every six hours. We are a Microsoft Solutions Partner, which means we skip tier-one support when a ticket needs to move.
We architect cloud stacks for a living. We just don’t do it on day one. The first ninety days of every managed engagement is for learning the environment, the business, and what is actually at stake. Recommendations come after that. Anyone pitching a cloud strategy on day one is guessing.
If you are done buying cloud advice from people who have not lived inside your business, start a conversation with us. Our ransomware guide covers the security side of the same threat model, and our business continuity guide covers the recovery side. If you are not ready for a managed relationship, the checklist above should still save you from a bad decision. That, by itself, is worth publishing the post.
Sources
1. AI Capex 2026: The $690B Infrastructure Sprint. Futurum Group, 2025. Combined 2026 hyperscaler AI infrastructure spend; approximately 75% of capex directed at AI. The scale of demand explains why frontier labs source compute across multiple providers rather than a single partner. futurumgroup.com
2. Flexera 2025 State of the Cloud Report. Flexera, March 2025. Survey of 759 cloud decision-makers. SMB AWS/Azure usage share, MSP adoption growing 12 points year over year, 28% cloud spend waste, FinOps maturity gaps. flexera.com
3. 2025 Data Breach Investigations Report. Verizon, April 2025. Stolen credentials in 88% of basic web application attacks; credential abuse as the leading initial access vector for the second consecutive year. verizon.com
4. M-Trends 2026. Mandiant / Google Cloud, March 2026. 500,000+ hours of incident response analyzed. Median time from compromise to threat-actor handoff: 22 seconds in 2025 vs. 8+ hours in 2022. cloud.google.com
5. Account Compromise Threats Surge 389% in 2025. eSentire, January 2026. Year-over-year surge in cloud identity compromise incidents; half targeted Microsoft 365. esentire.com
6. AWS Follows Google in Canceling Egress Fees. SiliconANGLE, March 2024. Documentation of the AWS, Azure, and Google Cloud policy changes that waive egress fees for customers leaving the platform, with the procedural caveats. siliconangle.com
7. GPU Price Report 2025. Cast AI, 2025. H100 hourly pricing across AWS, Azure, GCP, and specialty providers; CoreWeave contract structure shifts in late 2025. cast.ai
8. 37signals: Cloud Repatriation Saves $10M. The Register, May 2025. Final phase of 37signals’ multi-year AWS exit, storage moved off S3, five-year projected savings, and DHH’s own caveat about where the math does and does not translate. theregister.com
9. Unpacking the 2024 Snowflake Data Breach. Cloud Security Alliance, May 2025. 165+ organizations compromised through credential replay; the platform did not enforce MFA; how shared-responsibility confusion shaped the outcome. cloudsecurityalliance.org
Further Reading
- Cloud Controls Matrix v4. Cloud Security Alliance. The reference framework for cloud-specific security controls. The CSA STAR Level 2 attestation is an assessment against this matrix, with results published in a public registry. cloudsecurityalliance.org
- NIST Cybersecurity Framework 2.0. NIST, 2024. The updated framework expanded beyond critical infrastructure to all organizations. Useful vocabulary when mapping responsibilities across a cloud deployment. nist.gov