## Industry Standards & Certifications
When choosing a cloud provider it is critical to assess their compliance with industry standards and certifications. Standards such as ISO/IEC 27017 provide cloud-specific security controls designed to secure cloud services, and they serve as a baseline against which a provider's security practices can be evaluated. A certificate attests only to the scope that was assessed, so always check which services, regions, and controls the certification actually covers.
##### ISO/IEC 27017
Extends the ISO/IEC 27002 code of practice with additional controls and implementation guidance specific to cloud services, covering both the cloud service provider and the cloud service customer. These controls offer guidance on implementing robust security in the cloud, including which responsibilities sit with each party.
## Industry Regulations
For cloud services handling sensitive data, compliance with regulations such as PCI DSS (the Payment Card Industry Data Security Standard, which addresses payment card data security) is mandatory. Such regulations set forth stringent requirements for protecting customer data, and a provider's compliance does not transfer to you automatically: the customer's own configuration and workloads remain in scope.
## Product Certifications
Product certifications verify that specific security functions of a product have been independently evaluated and validated. Notable examples include Common Criteria (CC) and FIPS 140-2.
##### Common Criteria (CC)
Evaluates the security functionality of a product against a defined security target, ensuring that it meets the required security standards. It is widely recognized and used for assessing product security; when reviewing a CC certificate, check the evaluated configuration and assurance level, since claims apply only to that configuration.
##### FIPS 140-2
This certification is essential for cryptographic modules. It validates that a cryptographic module meets stringent design and implementation requirements for protecting data confidentiality and integrity. FIPS 140-3 has since succeeded FIPS 140-2 for new validations, and a validated module provides assurance only when it is operated in its approved (FIPS) mode.
## Audits & Reports
Reviewing a provider's audit reports is critical for the evaluation process. These reports typically include ==SOC 2 Type II==, which assesses a provider's information systems against the trust services criteria relevant to security, availability, and confidentiality over a defined period (unlike a Type I report, which covers a single point in time). Read the scope, the audit period, and any noted exceptions rather than relying on the existence of the report alone.
## Service Level Agreements (SLAs)
Outline the expected performance standards between a provider and a client. They typically cover availability, response times, and security responsibilities, and define the remedies (usually service credits) if the provider falls short. An SLA limits the provider's liability; it does not by itself guarantee that security controls are effective.
## Security Whitepapers
Offer an in-depth look into the security measures and architectures a provider implements. Evaluating these documents helps to assess the robustness of a provider's security strategies, but they are provider-authored and should be cross-checked against independent audit reports.
## Additional Considerations
- Data Location:
  - The location of data centers can affect compliance due to varying international laws and regulations. Ensure that data residency complies with jurisdictional requirements, including where backups and replicas are stored.
- Incident History:
  - A provider's incident history can indicate how well they manage breaches and vulnerabilities. Evaluating past security incidents, and how transparently they were disclosed, can aid in understanding their risk management capabilities.
- Contractual Rights to Audit:
  - Contractual agreements should allow for client audits of a provider's security measures. Having the right to audit ensures transparency and accountability in securing data.

NOTE: Without a contractual right to audit, you must rely on the provider's self-reported and third-party assessments, which may leave risks to your data unverified.