
What cloud security controls are best for due diligence?

With increasing use of the cloud sending more enterprise data outside of the organization's control, due diligence is crucial. Expert Dan Sullivan offers advice on how to get it right.

My organization is increasing cloud use and was told that extensive due diligence was critical. What are some of the cloud security controls that should be considered for both internal and cloud provider due diligence?

Due diligence is the process of evaluating cloud vendors, and in some cases internal procedures and resources, to ensure business objectives are met and the company's interests are protected. In the case of selecting a cloud computing provider, due diligence entails investigating the potential cloud providers to understand how they implement best practices, protect their customers' assets and meet the scope of your requirements.

Due diligence should include verifying that the cloud provider can offer the cloud security controls and meet the scope of services expected by the enterprise. A request for proposal (RFP) can be used to define what is expected, and cloud providers can then use the RFP to formulate their responses. The RFP should specify what is required in terms of service-level agreements, cloud security controls, compliance requirements, data and systems integration needs, service management, access to cloud provider audit reports and, in some cases, on-site reviews.

Customers should review the certifications obtained by cloud providers. Amazon Web Services (AWS), for example, publishes a risk and compliance whitepaper that describes its risk management practices and cloud security controls. It also lists its certifications with respect to ISO 9001, HIPAA, PCI DSS and others.

When reviewing certifications, consider which services the compliance applies to. For example, AWS EC2, S3 and Redshift are all certified for use with data subject to HIPAA regulation, but others, such as Simple Queue Service and the Container Service, are not. In some cases, such as Elastic MapReduce, particular configurations are required to comply with HIPAA requirements.

When conducting due diligence, use multiple techniques, including document review, proofs of concept and trial evaluation periods, to collect as much information as possible and so mitigate risk to your organization.

This was last published in March 2016
