5 Criteria to Evaluate the Security of a Cloud Provider

How to evaluate security of a CSP cloud service provider

Over the past years, many businesses have moved or engaged with the cloud by using a Cloud Service Provider (CSP). A Cloud Service Provider is a company that offers some component of cloud computing in the form of infrastructure as a service, software as a service, or platform as a service. The Cloud Security Alliance takes it one step further: “A Cloud Service is any system that provides on-demand availability of computer system resources, e.g; data storage and computing power, without direct active management by the user.”

For many new businesses and start-ups the approach has been to adopt a cloud-first approach and use cloud service providers for the majority of their systems. This approach simplified their adoption of IT.

The rush to migrate to the cloud

But since the beginning of 2020, many organizations rushed to deploy remote and hybrid work environments. They accelerated their migration to the cloud as they scrambled to ensure their businesses could operate while supporting staff to work remotely. Many businesses rapidly migrated from on-premise solutions to cloud service providers. Their goal was to quickly provide cloud service based applications to their staff and customers. While this rush to the cloud might have addressed immediate business needs, it may not have included the appropriate steps to evaluate any security risks or regulatory impacts on the business.

Prior to 2020, the approach by businesses was to migrate systems to the cloud in a controlled manner. Examples include moving email from on-premise to a cloud based solution, or the Customer Relationship Management (CRM) system from their own internal systems to the cloud.

It’s important to evaluate the security of your cloud service provider, whether you rushed into migrating to the cloud or not. Using the cloud is trusting your business to an external third party. So the question you need to consider is this: How can I ensure that a third party is protecting my data, my systems, and ultimately, my business and reputation in the most appropriate way? In other words, how much can I trust my cloud service provider?

What is a Cloud Service Provider and why are they important?

According to the European Union Agency for Cybersecurity (ENISA) the cloud is defined as “an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have:

  • highly abstracted resources
  • near instant scalability and flexibility
  • near instantaneous provisioning
  • shared resources (hardware, database, memory, etc)
  • ‘service on demand’, usually with a ‘pay as you go’ billing system
  • programmatic management”

In effect, the cloud provides companies with the ability to migrate all or part of their IT functions to an external third party firm specialized in that area. These third parties are better known as cloud service providers. Examples of Cloud Security Providers are Microsoft Azure, Amazon Web Services (AWS), and Google Cloud platform. Cloud service providers can invest time, money, and personnel to ensure the appropriate security controls are in place. This of course helps to protect customer data against cyber threats and cyber risks.

Advantages of using a Cloud Service Provider

The cloud provides many advantages, such as ease and speed of adoption, access from anywhere with reliable internet connectivity, and up-to-date software and services. From a security perspective the cloud makes good business sense, too. Many cloud service providers have large teams looking after the security of their environments; they often have much larger security budgets than their customers.

Assessing the security of a Cloud Service Provider

These steps help ensure the security of the data stored and processed in the cloud. They can be taken whether you’ve already moved to the cloud or are currently considering migrating.

Identify the data migrating to the cloud

To help achieve this you need to first identify exactly what data you will migrate to the cloud. The type of data you migrate can vary. Ultimately, they will be determined by the type of system, application, or service you engage with.

Here are a few examples of data that could be migrated to the cloud:

  • Customer data from your on-premise Customer Relationship Management system
  • Staff details when migrating to an HR cloud platform
  • Email data as you engage with an email cloud service provider
  • Intellectual Property, such as source code data

Conduct a risk assessment

Once you have identified the data, you then need to conduct a thorough risk assessment. This helps to identify the various security risks that could be posed to the data. This risk assessment should include security risks associated with the data no longer under your direct control. In other words, it should take into consideration the data being stored and processed by the cloud service provider. The risk assessment should take into account the various risks that are unique to the cloud. That includes the risks posed by any other organizations that cloud service providers may engage with to provide its services, such as hardware support personnel, helpdesk staff, or software developers. The European Union Agency for Cybersecurity (ENISA) provides an excellent guide on how to conduct a “Cloud Computing Risk Assessment.”

Consider a penetration test

A traditional way for you to assess the security of your on-premise applications would be to conduct a penetration test. A penetration test is where cybersecurity professionals run a series of security tests that emulate how an attacker would break into those target systems. The results of these tests can identify key security weaknesses that you can then address.

When you move to the cloud you may no longer have the ability to run your own penetration test. Your cloud service provider may not want you and multiple customers running penetration tests at the same time. So you might need to coordinate with your cloud service provider to find a date and time to run your penetration test. If that’s not possible, you may need to rely on your cloud service provider to engage an independent third-party firm that specializes in penetration tests. For obvious security reasons the cloud service provider may not provide you with a detailed report of the results. However they may provide you with a summary overview highlighting the findings.

Run a security assessment

You may also consider a security assessment of the technical controls employed by the cloud service provider to be conducted. This security assessment can be carried out by cybersecurity professionals. This ensures that the service you are using has been configured and adapted to suit your own particular security and compliance needs, such as the European Union General Data Protection Regulation or the Payment Card Industry Data Security Standard (PCI-DSS). It can also ensure that you are operating within that cloud service provider in line with industry-recognized good security practices.

Ensure compliance

Many businesses are bound either by laws, regulations, or customer contracts to ensure the data they manage on behalf of their clients is stored and managed under certain conditions. Depending on your industry, you need to ensure your cloud service provider is compliant with the applicable laws and regulations. While you can outsource applications and tasks to a cloud service provider, you can’t outsource your responsibility for them.

This is particularly the case for regulations such as the European Union’s General Data Protection Regulation (GDPR). Under the GDPR, your organization is legally accountable for ensuring the personal data entrusted to you by your customers. In turn, you entrust this information to cloud service providers, and it’s stored and processed in accordance with the GDPR. A key principle under the GDPR is that personal data belonging to EU residents can’t be exported to countries outside the EU and the European Economic Area. If the cloud service provider you use is located in a country that doesn’t meet those requirements, you must contractually oblige that cloud service provider to deliver levels of security in line with the GDPR requirements.

Specific criteria to evaluate the security of a Cloud Service Provider

Penetration tests and security assessments may provide you with details regarding the efficiency of the technical security controls employed by your cloud service provider, but you’ll need to go one step further. You need to seek assurances from the cloud service providers you use. You want to ensure that they have appropriate security governance in place. Here are some of the criteria to inquire about:

  1. Review their security policy, which should be available on their website.
  2. Examine their privacy policy, and in particular any references to the location of the cloud service provider’s data centers.
  3. Read third party reviews about the cloud service provider’s security, such as industry analysts’ reports or industry magazine reports.
  4. Inspect the cloud service provider’s Service Level Agreement (SLA) and focus on the areas in the SLA that discuss security responsibilities and how the cloud service provider will manage security.
  5. Seek evidence from your cloud service provider that they are adhering to recognized industry good practices and security standards, such as
    • the ISO 27001:2013 Information Security Standard, or
    • the Payments Card Industry Data Security Standard for credit card data (PCI DSS).
    • For more specific cloud security and governance controls you can check if your cloud service provider is part of the Cloud Security Alliance’s (CSA) Security, Trust, Assurance, and Risk (STAR) program. This is a security governance model specific to cloud service providers and can be used by cloud service providers to demonstrate the maturity of their security and governance programs.

A final word on Cloud Service Providers

Migrating to the cloud provides many advantages for organizations. Careful consideration of security and governance issues relating to cloud service providers will enable those advantages to be gained. While businesses can outsource the processing of their data, they need to remember that they can’t outsource the responsibility for any compliance requirements for said data.

Photo by Adi Goldstein on Unsplash

Brian Honan is CEO of BH Consulting, an independent cybersecurity and data protection consulting firm based in Dublin, Ireland. Brian is recognized internationally as an expert on cybersecurity. He is an expert advisor to the European Union Agency for Cybersecurity (ENISA) and has acted as a Special Advisor to Europol's Cybercrime Centre (EC3), founder of Ireland's first CERT, and sits on the advisory board for several innovative security companies. Brian is the author of several books and regularly contributes to various publications. For his contribution to the cybersecurity industry, Brian has been awarded the "SC Magazine Information Security Person of the Year" and was also inducted into the Infosecurity Hall of Fame.


Related posts

How to Promote Workplace Ethics in your Business

Published: 2022/11/30 | Carlos Quintana

Concerned about workplace ethics? You should be. As it turns out, simply hiring good people and hoping they’ll make the ...

Read more

“The most important thing a CFO can do is to win the confidence of your peers” – The CFO Journal with Giulia George of Local Measure

Published: 2019/3/7 | Helen Poliquin

In The CFO Journal we talk to Chief Financial Officers from diverse sectors and backgrounds about their insights, experience, and ...

Read more

Fostering Occupational Health and Safety [with Insights from 3 Experts]

Published: 2020/10/28 | Helen Poliquin

Occupational health and safety (OHS) is multidisciplinary, encompassing a range of issues related to health, safety, and welfare at the ...

Read more