How to Evaluate Cloud Service Provider Security (Checklist)


Public cloud adoption is rising among companies across all industries. In a recent survey, over half of the companies indicated they’re now running at least 41% of their workloads in the public cloud — a trend that’s bound to accelerate in 2022.

As companies increase their public cloud usage, new security challenges are emerging. For example, that same study shows that cloud issues and misconfigurations are the leading causes of breaches and outages. In light of this, companies need to understand what to look for when vetting cloud service providers. Read on for an overview of the cloud market and key security considerations to keep in mind when searching for a cloud service. 

The Big Three Public Cloud Service Providers 

The top three cloud providers in 2022 are: 

  • Amazon Web Services (AWS), with 62% of the market, 
  • Microsoft Azure, with 20%, and 
  • Google Cloud Platform (GCP), with 12%. 

Other popular options include Oracle Cloud, Alibaba Cloud, and IBM Cloud, among others. Several new niche providers are also entering the space and providing competitive services. 

Oftentimes, businesses assume that security is a non-issue when working with big-name brands like AWS, GCP, and Azure. But cloud security controls and policies vary between providers, so it’s important to do your due diligence before making a selection to make sure the provider aligns with your exact needs. A strong word of caution: just because you’re in the cloud does not mean your cloud is secure. The Shared Responsibility Model outlines where the customer is accountable for securing their cloud.

How to Evaluate Cloud Service Provider Security: 16 Criteria

Now that you have a better idea of some of the top players in the cloud services space, let’s turn our attention to what to consider when choosing a cloud provider.

1. Check adherence to standards and frameworks

Some common standards to look for include ISO-27001, ISO-27002, and ISO-27017 which indicate the provider follows security best practices and actively strives to reduce risks. Another important standard is ISO-27018, which indicates the provider sufficiently protects personally identifiable information.

There are also government and regulatory protocols to consider, including the EU’s General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), among others.

2. Audit operational and business processes

Most cloud providers offer documentation that outlines their compliance with corporate, government, and industry guidelines and regulations. This is a start, but it’s important to go a step beyond and request additional information.

As a rule of thumb, consider looking for third-party security reports from independent auditors and agencies. In addition, the cloud provider should offer prompt access to security events and log data as part of their service-level agreement (SLA). 

Cloud providers should be willing to work with you to provide security insights and accommodate data and event requests. If a provider pushes back or can’t promptly provide information, it could be a red flag that they are failing to operate with your best interests in mind.

3. Check authentication and identity controls 

Storing data and applications in the cloud introduces new access risks. Instead of accessing data and applications on-site, workers can use them from just about any global location. This increases the likelihood of theft and misuse.

For this reason, it’s critical to partner with cloud providers that offer strong authentication and identity controls. For example, the provider should offer multi-factor authentication (MFA) for logins. Additionally, real-time identity monitoring and Cloud Infrastructure Entitlement Management (CIEM) tools keep a close watch on all the identities (person and non-person) in your environment.

4. Understand vendor governance and access policies 

Migrating to the cloud and using third-party infrastructure requires a great deal of trust between the organization and the cloud provider. After all, a significant portion of your workloads will flow through a third party’s infrastructure when you’re using the cloud. 

To protect your business, it’s necessary to outline vendor governance and access policies. In doing so, you’ll have a clear understanding of what the cloud provider controls — and what they have the ability to do with your data. Without a robust vendor governance and access policy in place, your business is exposed to security incidents and privacy violations.

5. Ensure access to corporate audit trails

An audit trail is a record that outlines the date and time of specific cloud transactions. In other words, it shows who takes specific actions and when they perform them.

The cloud provider should provide direct access to corporate audit trail data, for complete visibility and transparency. Without this type of information, it can be difficult or even impossible to pull records and string together audit trails.

6. Understand the internal management resources

Migrating to the public cloud isn’t something that you set and forget. You need to have a thorough understanding of the available resources that you’re using. At the same time, you also need to know what you need to do to protect your cloud environment. 

Keep in mind that cloud providers often have shared responsibility models, with specific frameworks for securing and monitoring workloads. Cloud security frameworks may include governance controls, compliance reporting, and misconfiguration and identity management protocols.

7. Scour cloud SLAs

The cloud SLA is the official agreement between the organization and the cloud service provider. At a high level, the SLA is responsible for outlining the level of service that the customer receives. It also defines security considerations — including shared responsibilities, reliability, maintenance and support, governance, and auditing data.

Since your SLA essentially governs the relationship with your cloud provider, it’s necessary to scour the document and have a complete understanding of what it entails. It’s also a good idea to include security leaders, legal teams, and other decision-makers in the process to avoid leaving anything to chance.

Failure to scan an SLA for security purposes could result in miscommunications that carry significant consequences like privacy violations, high costs, and data breaches. This could also lead to disputes that damage relations with the cloud provider.

8. Understand security service pricing

Many leading cloud providers offer advanced security services for an additional charge. For example, AWS has the AWS Security Hub and GCP has the Security Command Center. These types of services provide centralized visibility and control, misconfiguration reports, threat intelligence, and more.

Talk with your security advisors and determine whether you need to pay for this type of service or whether you’re better off using standard tools. You may be able to avoid paying hefty subscription fees and bring down the total project cost.

9. Look into data storage location(s)

Before you migrate to the cloud, determine the level of security and confidentiality that your data needs; in other words, classify your data. This will help you analyze the cloud provider’s storage environment and determine whether it matches your specific needs.

You’ll also want to look into where the provider is actually storing your data. Providers will often store and process data in countries with minimal security standards. This could potentially threaten your personal data in the cloud and expose you to privacy violations. 

10. Assess third-party integration capabilities

It’s necessary to check whether the platform supports third-party security integrations to determine the level of control and customization you’ll have. 

Companies often piece together custom cloud security models using various third-party protections and monitoring services. A cloud provider should never limit you to their preferred services. Flexibility and integrations are key to success in the cloud.

11. Evaluate uptime and performance

Cloud providers may suffer from outages and downtime just like any other business. When this happens, customers are directly impacted. In one recent example, Apple had a massive service outage that impacted numerous applications.

As a best practice, look deep into uptime and performance metrics and analyze data to determine how often the cloud provider experiences outages and the average resolution time.

12. Check for history of data breach or loss

Another way to vet a cloud provider for security is to investigate its history of data loss and breaches.

When looking into this type of information, you first need to consider the context. You’ll also want to examine the size and scope of the provider and the level of shared responsibility that they offer. Try and get a sense as to why a provider may have a high number of incidents and whether the blame typically falls on the provider or its customers. 

13. Analyze backup and disaster recovery processes

Outages and disasters can happen at any time. It’s vital to have a strong backup and recovery process in place to protect your assets in the cloud. 

When selecting a cloud provider, look into their disaster recovery provisions and processes. Make sure they have the ability to seamlessly preserve and restore data. 

It’s also worth investigating roles and responsibilities to determine whose job it is to manage backup and recovery. In some cases, the cloud provider may expect your company to handle the bulk of the work.

Whatever the case may be, all backup and disaster recovery details should go into an SLA so everything’s clear from the outset.

14. Look for migration services and support

Migrating workloads from on-prem environments to the cloud can be a big undertaking. Businesses that attempt to do this using in-house resources often struggle and run into performance issues, migration challenges, and security blunders. 

To avoid complications, you’ll want to check and see whether the cloud provider offers migration services. For example, Azure and AWS both make it easy to transfer workloads safely and efficiently.

15. Review exit planning and avoid lock-in

As the saying goes, know where the exits are. You may start working with a cloud provider and need to jump ship due to security, costs, performance, or a change of strategy. 

Cloud vendor lock-in occurs when a cloud provider makes it difficult or even impossible to sever ties with them. This typically happens when the cost of leaving the provider is so exorbitant that the business has to keep working with the vendor. 

De-risk your public cloud with Sonrai Dig

As you can see, migrating to the cloud isn’t a walk in the park. Instead, it’s a complicated process with a lot to consider — especially when it comes to security. 

Getting a hold on cloud security can be very complex whether you’re managing one or more cloud platforms. To make the process easier and advance your level of security, it helps to leverage a cloud security platform that delivers visibility across providers. 

Sonrai Dig is a leading cloud security platform that runs on a sophisticated graph that continuously monitors data and identity relationships across GCP, AWS, and Azure environments. Dig eliminates identity risks by revealing a granular view of all your identities’ effective permissions, so you can get to least privilege security and stay there. The platform also discovers, classifies, locks down, and monitors “crown-jewel” data, ensures your cloud is secure at its foundation with intelligent CSPM, and offers critical context for your workload vulnerabilities.

Ready to see what Sonrai Dig is all about? Request a free demo today.