How to Evaluate Cloud Service Provider Security: A Comprehensive Guide

The cloud service market reached over $550 billion in 2021, and it's expected to top $2.5 trillion by 2031. The relatively hands-off approach is easier, faster, and generally cheaper. Even better, it frees up a lot of on-premise floor space and talent for your company. But there is a downside to working in a cloud environment since the curated services take security practices out of your hands.

I define cloud platform providers as any entity that provides on-demand computer and data migration services without you having to do anything about it. If you’re looking for a cloud service provider, let’s go over some common security risks, along with the metrics you should use to evaluate your providers' performance.

Common Security Challenges in Cloud Services

Before you can know how well your vendor is protecting you, you have to know what it's protecting you from. Unlike typical glitches, security breaches have talented people working on the other end to make them as bad as possible. Over the years, hackers have devised clever ways to exploit security flaws. Here are some of the most typical ways your cloud security can go sideways:

• Data Breaches: The direct route is the most popular (and potentially damaging) kind of security fault. Data breaches happen a lot on cloud services. They can happen over seemingly nothing, and when they happen, they can be devastating. Capital One is an excellent example of this. In 2019, a simple weakness in its Amazon Web Services (AWS) firewall led to the release of 100 million customers' data. It was bad enough that it now has a permanent link on its homepage to keep people updated on the class action lawsuit.
• Poor Identity and Access Management (IAM): About 67% of the world's cloud services are provided by just four companies, with AWS alone covering half of that. With so many customers, things will inevitably get complicated, and the all-important IAM security policies can easily slip, causing disaster. Big vendors are better about this than they used to be. However, they still have to work to maintain solid multifactor authentication and the principle of least privilege, which are pretty popular backdoors to massive data leaks.
• Insecure Interfaces and APIs: Sloppy interface design can have the general public logging into your accounts receivable department or the sales team accessing private HR data. You'll only be safe from this if you have decent testing done by a third party who gets a nice bonus for breaking your API.
• Poor Visibility and Loose Controls: Back in 2020, some clever hackers used a supply chain attack to insert malicious code into a government contractor known as SolarWinds. The contaminated software, Orion, spread laterally across multiple customers and introduced backdoors to their systems. Nobody knew what was going on for about nine months since there was pretty poor visibility and not much in the way of security validation. 
• Shared Security Model Issues: Shared security has more to do with lawyers than engineers. A typical cloud service vendor will take responsibility for the cloud infrastructure and other bits it controls, but you're on your own for the security of your data and whatever encryption you're investing in.
• Compliance and Regulatory Issues: If your enterprise handles anything health-related in the United States, you know about HIPAA. If you operate in the EU, you're familiar with GDPR. And in California, you have the CCPA. If your provider isn't properly certified in consumer data privacy standards, there's a real chance some of the fines will land on you, such as the €1.2 billion fine the Irish government slapped on Meta in May 2023 for breaching privacy rights. 
• Advanced Persistent Threats (APTs) and Ransomware: In May 2021, a ransomware attack on the Colonial Pipeline fuel distribution network essentially stopped gasoline deliveries on the East Coast. Aside from the enduring images of people trying to fill plastic shopping bags with gasoline, this event sent a chill up the government's spine. A single, sophisticated hack allowed malicious parties to encrypt crucial infrastructure control pathways and terrorize people in a dozen states.

Key Criteria for Evaluating Cloud Service Provider Security

Verifying Compliance and Legal Standards

• Industry-Specific Certificates: Your industry probably has standards specific to itself. Depending on how sensitive your work is, this could be heavy-duty audits and disclosure rules or a brief once-over to make sure you're not smuggling uranium. Either way, your cloud service provider should have whatever certificates your industry calls for. In health industries, this is HITRUST, credit card lenders have the Payment Card Industry Data Security Standard (PCI DSS), and so on. Big providers typically have several of these, such as AWS, which boasts 50 or so certificates.
• Regular Compliance Audits: Things move fast in cloud services, and compliance has to be ongoing. Ensure your provider gets regular compliance audits, particularly for SSAE 16 and other security-focused examinations.

• Adaptation to Evolving Laws: As technology changes, the law moves with it on a slight delay. Find out how your CSP adapts to changes in law. Does it offer guidance to clients when there's a significant change somewhere? Do you need it to? Finding out early can save you a lot of trouble later on.
• Special Circumstances: Many cloud contracts are off-the-shelf, especially for small and medium-sized enterprises. If you're a big player with unique needs, you might need a specially negotiated contract or at least some addenda.

Join our Newsletter

Discover how to deliver better software and systems in rapidly scaling environments.

• Your email*
• By submitting this form you agree to receive our newsletter and occasional emails related to the CTO. You can unsubscribe at anytime. For more details, review our Privacy Policy. We're protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
• Email
  This field is for validation purposes and should be left unchanged.

Δ

Ensuring Robust Data Protection

• Encryption: Encryption is not negotiable. Find the best in the business and go with them (to the exclusion of other factors). The industry standard is currently AES-256, and big vendors like AWS give you a choice between managing the keys yourself or doing it for you. 
• Backup and Disaster Recovery: Solid disaster recovery is likewise nonnegotiable. Hackers aren't the only way to lose data since a poorly designed system is vulnerable to server loss, fire, or asteroid impact. One of the biggest selling points of cloud services is the ability to recover lost data in a hurry. Your CSP has to have a good plan for this and a proven record of good data protection.
• End-to-End Data Lifecycle Management: Data lifecycle management is a suite of tools that covers classification, storage, archiving, and proper disposal of data. To be truly secure, your CSP should have procedures in place for all of these stages – like a medical office that shreds old records instead of just dropping them in a trash can out back.

Strengthening Identity and Access Management

• Comprehensive User Authentication: None of a CSP's security measures are really working if anybody can log in with your password. Does your prospective CSP use multifactor authentication? Biometric controls? Trick questions about where you went to high school? It's inconvenient, but the more of this you have available, the better and safer your access points are.
• Access Controls: People should only have the access they need to complete their jobs. In the spy game, this is called need-to-know. In tech, it's the principle of least privilege. Check whether users are restricted to the bare minimum of access they need or if a provider lets them wander around your confidential databases with unauthorized access.
• Audit Trails and IAM Reporting: Your CSP needs to have a transparent and comprehensive audit trail and lots of detailed reporting for all user actions in every environment. Don't go with a provider who likes to keep secrets or leaves little shadows in the reporting landscape where security threats can hide. 

Network and Infrastructure Security

• Modern Firewall Protection: The firewall protection you're getting should go well beyond the regular packet filtering you could do for yourself. Look for a CSP that offers next-generation firewall (NGFW) protection. This can detect and block more sophisticated attempts on your network than the industry-standard options.
• Intrusion Detection and Prevention Systems (IDPS): Remember that SolarWinds Orion hack I mentioned earlier? That disaster ran from probing attacks in late 2019 to the final fix that went out in November 2020. Your CSP needs to spot malware when it appears and get a fix implemented ASAP.
• Secure APIs: The interface is a weak point in any system. Ensure you have a secure API that uses something strong like QAuth or Google Cloud Endpoints with the proper validation to keep your vulnerable interface strong.
• DDoS Precautions: Distributed denial of service (DDoS) cyber threats are as old as the Morris Worm. It's trivially easy for a malicious party to choke your network with endless calls that use up all your bandwidth. Cloudflare is the industry leader for this, with a solid track record of handling some of the biggest DDoS attacks ever registered, up to millions of requests per second.
• Updates and Patches: Does your CSP actively manage your information security ecosystem with regular patches and updates that counter the newest threats? New vulnerabilities turn up all the time, and any cloud service should be ready to deal with them as they're uncovered.
• Proper Segmentation: Just like ocean liners have compartments below decks in case they hit an iceberg, sensitive data requires segmentation and their own security suites. You can even go deeper than this with micro-segmentation, which applies unique security protocols to individual pathways within processes.

Managing Vendor and Third-Party Risks

• Vendor Security for Third Parties: Most use third parties for some applications and data storage, and they all need to be solid. Make sure your CSP checks security certificates for all of its contractors, performs regular security audits, and at least considers their incident response histories. Also, consider the vendor’s approach to encryption, data access, and notification of breaches.
• Supply Chain Security: Every application and network is a chain of products and services, and a vulnerability anywhere in that chain is a risk to the end user, which is you. Your CSP needs to verify the entire chain and validate security certificates up and down the line.
• Incident Planning and Response: Bad things happen to good networks, so your provider should have a well-defined incident response plan to cope with emergent problems quickly. That can be a hack, a DDoS attack, malware detection, or anything else.

Physical and Environmental Security

• Physical Access Controls: We think about data security as encryption and access protocols, but the data center is also a physical location that needs locks and security guards. CTOs should tour CSP data centers to make sure they have the appropriate level of physical security.

• Environmental Controls: Data centers can also be compromised by fire and flood. Ensure the center has an adequate halon fire suppression system and reliable temperature and humidity systems. 
• Redundancy and Backups: No matter how well-designed a data center is, bad things do happen. Your CSP needs multiple redundant systems and a backup plan to restore damaged servers and lost data. Universal power supply (UPS) systems are standard, and some level of customizable RAID protection is ideal.
• Response and Recovery Times: Vendors will usually tell you about their incident response plans and their schedule for updating and testing them. Make sure they have a recovery plan in place that can be activated on short notice. Look at the provider's historic performance, including outage and downtime figures.

Customer Support and Legal Considerations

• Customer Support: Check to see what kind of customer support your CSP offers. Way too many providers have slow or nonexistent response times. Make sure yours has multiple communication pathways, such as phone, chat, email, and even text.
• Comprehensive Documentation: The services you're paying for are complex, and clear documentation is critical to understanding what you're signing up for. Read through the provider's user guides, manuals, and published protocols.
• Data Ownership and Portability: Data is an asset. Before you sign the contract, make sure you know who owns the data being hosted and how portable it is. Otherwise, you might wind up with what you think of as your own data trapped on remote servers and unable to move.

• Transparency in Data Handling and Security Measures: You need to have a window on how your data is being handled, and your provider should put transparency near the front of the priority list. Try to establish upfront how data is stored and moved, what kind of security is in place, and how these systems are maintained.
• Legal Support After the Fact: If your data does get breached, there could be legal trouble. How much support can you count on from your CSP? Will they pretend they never heard of you, or will you have access to their legal team? Will they assume shared responsibility, or are you on your own? Find out and plan accordingly.

Best Practices in Cloud Security Assessment

Conducting Thorough Risk Assessments

• Identify and Classify Assets: Know what you're migrating to the cloud, name it all, and classify it according to importance. That gives you a priority list of what needs the best security.
• Assess Vulnerabilities and Threats: No security suite is foolproof, and guarding against one threat makes you vulnerable to another. Know your exposed flanks better than hackers do, and keep an eye out for the specific threats active at any given time.
• Gauge Impact Versus Likelihood: Minor issues are common, major threats are rare. On the other hand, a minor gaffe is probably no big deal, while a major breach could shut you down. Weigh the likelihood of a threat against its seriousness and plan accordingly.
• Decide on Controls: Choose your security suite to fit your threat assessment. You're likely to wind up with a healthy mix of access controls, monitoring tools, and encryption on the cloud and on your own end.
• Keep a Rolling Risk Assessment: Threat environments change, sometimes daily, and you have to keep up. Maintain a continuously updated picture of what you're guarding against and always be ready to make changes.

Reviewing Service Level Agreements

• Know Your CSP's Obligations: The vendor is agreeing to provide you with a service, and it behooves you to know everything that entails. Establish from the start what it's willing to commit to for uptime, performance, and answering support tickets.
• Know the Available Remedies and Penalties: Suppose the CSP falls short somehow, and you have to seek relief for its performance gap. Do you have a clear set of remedies spelled out in advance? This would usually be cash penalties or discounts on future services.
• Establish Scalability and Flexibility: You're bound to grow after the move, so make sure your new cloud computing environment has room for you. Can the service rapidly scale up and down? What happens when you grow very rapidly? Do you have the option to seamlessly upgrade your service, or are you stuck in one contract?
• Plan Multiple Exit Strategies: Know going in how to get out. If you ever have to break off the relationship, make sure you have a data migration plan off of your provider's servers and into someplace safe, even if it's just a different SaaS vendor. 

Use the Tools You Have for Evaluating Cloud Security

• Industry Frameworks: There are already some industry-wide tools for evaluating security issues at a CSP, such as CSA’s Cloud Controls Matrix (CCM) and NIST’s Cybersecurity Framework. Use these as part of your premigration checklist.
• Automated Tools: There are also some advanced tools you can try that automate the process of scanning for vulnerabilities and regulatory compliance requirements. Don't be afraid to use these since they're usually worth the price.
• Cloud Security Posture Management (CSPM): CSPM can scan for risks you haven't found yet and take active steps to protect you before they arrive at your servers' doors. Include this in your general threat posture.

Safety First for CTOs

As you can see, a lot goes into a safe cloud migration. Many of the bigger providers, notably Microsoft Azure, will handle some of these issues for you, but it's up to you to verify that all the ducks are in a row.

I've shared my best practices for evaluating cloud service provider security, but there are more cloud security resources available. And you can subscribe to our newsletter for the latest insights from CTOs.