Cloud Infrastructure Assessment

Evaluating cloud architecture, costs, and operational maturity

Cloud infrastructure assessment evaluates how target companies leverage cloud services, their operational maturity, and cost efficiency. Cloud spend is often the second-largest technology cost after personnel—and frequently has 20-40% optimization potential that directly impacts EBITDA.

Why Cloud Assessment Matters in M&A

| Assessment Area | M&A Impact | Typical Finding |
| --- | --- | --- |
| Cloud Costs | Direct EBITDA impact | 20-40% optimization opportunity |
| Architecture Maturity | Scalability ceiling | Single-region = growth risk |
| Operational Maturity | Team efficiency, incident risk | Manual processes = higher OpEx |
| Vendor Lock-in | Migration costs, flexibility | Proprietary services = switching costs |
| Security Posture | Breach risk, compliance | Misconfiguration common |

Cloud Cost Analysis (FinOps)

Cost Breakdown Structure

Request the last 12 months of cloud bills and analyze:

| Category | Typical % | Optimization Potential |
| --- | --- | --- |
| Compute (EC2, VMs) | 40-60% | High - rightsizing, reserved instances |
| Storage (S3, EBS) | 10-20% | Medium - lifecycle policies, tiering |
| Database (RDS, managed DB) | 15-25% | Medium - rightsizing, reserved |
| Data Transfer | 5-15% | High - architecture optimization |
| Other Services | 10-20% | Variable |

Key Cost Metrics

  • Cost per Customer: Cloud spend / active customers (track trend)
  • Cost as % of Revenue: Healthy SaaS: 10-25% of revenue
  • Reserved Instance Coverage: Target: 60-80% of steady-state compute
  • Utilization Rates: Average CPU <20% indicates oversizing
  • Cost Growth vs Revenue Growth: Should scale sub-linearly
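
The metrics above applied to a 12-month bill, as an added example that is not part of the original page. The monthly figures, the `assess` function and its parameters (steady-state compute spend, reserved spend, average CPU) are constructed for illustration.

```python
# Constructed monthly figures in USD: (month, cloud_cost, revenue, active_customers).
BILLS = [
    ("2023-01", 80_000, 400_000, 200), ("2023-02", 84_000, 410_000, 205),
    ("2023-03", 88_000, 420_000, 210), ("2023-04", 92_000, 430_000, 215),
    ("2023-05", 96_000, 440_000, 220), ("2023-06", 100_000, 450_000, 225),
    ("2023-07", 104_000, 460_000, 230), ("2023-08", 108_000, 470_000, 235),
    ("2023-09", 112_000, 480_000, 240), ("2023-10", 116_000, 490_000, 245),
    ("2023-11", 120_000, 500_000, 250), ("2023-12", 124_000, 510_000, 255),
]

def growth_pct(first, last):
    """Percentage change from the first to the last month."""
    return round((last - first) / first * 100, 1)

def assess(bills, steady_compute, reserved_compute, avg_cpu_pct):
    """Return (metrics, flags) using the thresholds listed in the bullets above."""
    if len(bills) < 2 or any(min(b[1:]) <= 0 for b in bills) or steady_compute <= 0:
        raise ValueError("need two or more months of positive cost, revenue and customers")
    (_, c0, r0, n0), (_, c1, r1, n1) = bills[0], bills[-1]
    total_cost, total_rev = sum(b[1] for b in bills), sum(b[2] for b in bills)
    m = {
        "cost_pct_revenue": round(total_cost / total_rev * 100, 1),
        "cost_per_customer_first": round(c0 / n0, 2),
        "cost_per_customer_last": round(c1 / n1, 2),
        "cost_growth_pct": growth_pct(c0, c1),
        "revenue_growth_pct": growth_pct(r0, r1),
        "ri_coverage_pct": round(reserved_compute / steady_compute * 100, 1),
    }
    flags = []
    if m["cost_pct_revenue"] > 25:
        flags.append("cloud cost above 25% of revenue")
    if m["cost_per_customer_last"] > m["cost_per_customer_first"]:
        flags.append("cost per customer rising")
    if m["cost_growth_pct"] >= m["revenue_growth_pct"]:
        flags.append("cost not scaling sub-linearly with revenue")
    if m["ri_coverage_pct"] < 60:
        flags.append("reserved coverage below 60% of steady-state compute")
    if avg_cpu_pct < 20:
        flags.append("average CPU below 20%: likely oversized")
    return m, flags

if __name__ == "__main__":
    metrics, flags = assess(BILLS, steady_compute=60_000, reserved_compute=21_000, avg_cpu_pct=14)
    print(metrics, *flags, sep="\n")
```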

Common Cost Optimization Opportunities

| Opportunity | Typical Savings | Implementation Effort |
| --- | --- | --- |
| Reserved Instances / Savings Plans | 30-40% | Low - commitment decisions |
| Rightsizing Instances | 20-30% | Medium - analysis and changes |
| Spot Instances (where applicable) | 60-90% | Medium - architecture changes |
| Storage Tiering | 30-50% | Low - lifecycle policies |
| Idle Resource Cleanup | 5-15% | Low - identification and cleanup |
| Data Transfer Optimization | 10-30% | High - architecture changes |

Cloud Architecture Assessment

Architecture Maturity Levels

| Level | Characteristics | M&A Implication |
| --- | --- | --- |
| Level 1: Lift & Shift | VMs in cloud, on-prem patterns | Limited cloud benefits, migration opportunity |
| Level 2: Cloud Optimized | Managed services, auto-scaling | Good foundation, some optimization needed |
| Level 3: Cloud Native | Containers, serverless, event-driven | High operational efficiency |
| Level 4: Platform | Internal platform, self-service | Scale-ready, high team efficiency |

Resilience and Availability

  • Multi-AZ Deployment: Are databases and compute spread across availability zones?
  • Multi-Region Capability: Is there disaster recovery in a separate region?
  • Auto-Scaling: Can the system handle traffic spikes automatically?
  • Load Balancing: Proper health checks and failover?
  • Backup Strategy: Automated backups with tested restoration?

Vendor Lock-in Assessment

| Service Type | Lock-in Risk | Examples |
| --- | --- | --- |
| Compute (VMs) | Low | EC2, Azure VMs, GCE |
| Containers (Kubernetes) | Low-Medium | EKS, AKS, GKE |
| Managed Databases | Medium | RDS, Cloud SQL, Azure SQL |
| Serverless | High | Lambda, Azure Functions |
| Proprietary Services | Very High | DynamoDB, Cosmos DB, Spanner |
| AI/ML Platforms | Very High | SageMaker, Vertex AI |

Operational Maturity Assessment

Infrastructure as Code (IaC)

| Maturity | Characteristics | Risk Level |
| --- | --- | --- |
| None | All manual provisioning | High - no repeatability, drift |
| Partial | Some Terraform/CloudFormation | Medium - inconsistent |
| Comprehensive | All infrastructure in code, versioned | Low - auditable, repeatable |
| GitOps | Git as source of truth, auto-reconciliation | Very Low - self-healing |

CI/CD Pipeline Maturity

  • Deployment Frequency: Daily is good, weekly is okay, monthly is concerning
  • Lead Time: Code commit to production—hours is good, days is okay, weeks is bad
  • Change Failure Rate: <15% is good, >25% needs improvement
  • Mean Time to Recovery: <1 hour is good, >4 hours is concerning

Monitoring and Observability

The "Three Pillars" to assess:

  • Metrics: Are key business and technical metrics tracked? (Datadog, CloudWatch, Prometheus)
  • Logs: Centralized logging with search capability? (ELK, Splunk, CloudWatch Logs)
  • Traces: Distributed tracing for request flows? (Jaeger, X-Ray, Datadog APM)

Cloud Security Configuration

Common Misconfigurations

| Issue | Risk | Prevalence |
| --- | --- | --- |
| Public S3 buckets / storage | Data exposure | Very common |
| Overly permissive IAM | Lateral movement | Very common |
| Unencrypted data at rest | Compliance, breach impact | Common |
| Missing VPC flow logs | Forensics gap | Common |
| No MFA on root/admin | Account compromise | Moderate |
| Default security groups | Excessive access | Very common |
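
One way to screen a target's configuration export for the six issues in the table, as an added example that is not part of the original page. The snapshot's top-level field names are a hypothetical export schema and its contents are constructed; only the embedded policy documents follow real IAM policy JSON syntax.

```python
import json

# Constructed snapshot. Top-level field names are a hypothetical export schema;
# only the embedded policy documents use real IAM policy JSON syntax.
SNAPSHOT = json.loads("""
{"buckets": [
  {"name": "app-assets", "encrypted": true, "policy": {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-assets/*"}]}},
  {"name": "backups", "encrypted": false, "policy": {"Statement": []}}],
 "iam_policies": [{"name": "ci-deploy", "document": {"Statement":
    {"Effect": "Allow", "Action": "*", "Resource": "*"}}}],
 "users": [{"name": "root", "admin": true, "mfa": false},
           {"name": "alice", "admin": true, "mfa": true}],
 "vpcs": [{"id": "vpc-example1", "flow_logs": false}],
 "security_groups": [{"name": "default", "ingress": [{"cidr": "0.0.0.0/0"}]}]}
""")

def as_list(value):  # IAM JSON allows a single item where a list is expected
    return value if isinstance(value, list) else [value]

def wildcard(stmt, key):
    """True when an Allow statement sets `key` (Action/Resource) to a bare '*'."""
    return stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get(key, []))

def is_public(stmt):
    """Allow to any principal with no Condition narrowing it."""
    p = stmt.get("Principal")
    anyone = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS", [])))
    return stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition")

def audit(snap):
    """Return (issue, resource) pairs for the six misconfigurations in the table."""
    out = []
    for b in snap.get("buckets", []):
        if any(is_public(s) for s in as_list(b["policy"].get("Statement", []))):
            out.append(("public-storage", b["name"]))
        if not b.get("encrypted"):
            out.append(("unencrypted-at-rest", b["name"]))
    for pol in snap.get("iam_policies", []):
        stmts = as_list(pol["document"].get("Statement", []))
        if any(wildcard(s, "Action") and wildcard(s, "Resource") for s in stmts):
            out.append(("iam-wildcard", pol["name"]))
    out += [("admin-without-mfa", u["name"]) for u in snap.get("users", [])
            if u.get("admin") and not u.get("mfa")]
    out += [("no-flow-logs", v["id"]) for v in snap.get("vpcs", []) if not v.get("flow_logs")]
    out += [("default-sg-open", g["name"]) for g in snap.get("security_groups", [])
            if g["name"] == "default" and any(r["cidr"] == "0.0.0.0/0" for r in g["ingress"])]
    return out
```

Public statements that carry a `Condition` are not flagged automatically and still need manual review.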

Cloud Red Flags and Costs

| Red Flag | Risk | Remediation Cost |
| --- | --- | --- |
| No Infrastructure as Code | Deployment risk, no auditability | $75K - $200K |
| Manual deployments | Human error, slow releases | $50K - $150K |
| Single region, no DR | Business continuity | $100K - $500K |
| Shared root credentials | Security, accountability | $25K - $50K |
| No cost monitoring | Budget overruns | $10K - $25K |
| No auto-scaling | Outages during peaks | $50K - $150K |
| Lift-and-shift only | Inefficient, high costs | $200K - $2M (modernization) |

Cloud Migration Assessment

If post-acquisition cloud migration or consolidation is planned:

| Migration Type | Complexity | Typical Duration | Cost Range |
| --- | --- | --- | --- |
| Re-host (lift & shift) | Low | 3-6 months | $100K - $500K |
| Re-platform | Medium | 6-12 months | $300K - $1M |
| Re-architect | High | 12-24 months | $500K - $5M |
| Cloud-to-cloud | High | 12-18 months | $500K - $3M |

Key Takeaway: Cloud costs often have 20-40% optimization potential that flows directly to EBITDA. Beyond cost, assess operational maturity carefully—immature cloud operations create ongoing risk and efficiency drags. Request 12 months of cloud bills and architecture documentation as standard TDD data room items.