Cloud Security

How to assess the security of a cloud service provider

Ways to assess the security of a cloud service provider.

Assessing cloud security

There are a number of ways to assess a cloud service provider's security, from inspecting their premises to asking whether the provider has third-party validation or accreditation to back up the service contract. Here are a few items that are important to do:

  • Identify what type of cloud-based services you want
    Really nail down your personal or company needs. You don't want to end up with the wrong service or paying for features you don't need.
  • Identify who your data controller is
    Organizations or businesses processing personal data must identify who the controller of their data is. Like it or not, this is the person who will be held legally accountable for the results, even if the data is in the cloud. Yes, a shared problem is still your problem!
  • Decide what level of information assurance your data requires
    You need to determine the effect that the loss of that data would have on your business or on individuals. This will decide the level of service needed in terms of confidentiality (how much protection does the data need in transit and in storage; for example, will it be encrypted at all times?), integrity (the more integrity a cloud service has, the more sure you can be that data won't be interfered with), and availability (how available do you want your data to be, e.g. instant access at all times?). These requirements should all be stipulated very clearly in a written contract or a service level agreement.
  • Check where your data is being stored
    The Data Protection Act 1998 lists trusted areas as the European Economic Area (EEA), US companies party to the Safe Harbor agreement, and countries of "Adequacy". With some of the larger cloud service suppliers that run 24/7 "follow-the-sun" operations, this may very well mean that the data is supported and processed from countries that do not fall within the three trust categories described above, potentially placing your personal data at risk.