How to evaluate, choose and work securely with cloud service providers

Last updated: August 2014

Editor's note

In nature, clouds come in a variety of sizes and shapes, and the same is true in IT. Cloud service providers (CSPs) deliver a variety of cloud computing services, like infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS). The security risks inherent in using a CSP are varied, too. There's the threat of corporate espionage and data theft, but also of information contamination.

Yet the move to the cloud is increasingly inevitable. The way forward, then, is to prepare and choose one’s cloud service provider wisely. Take a proactive approach -- learn about the security risks and how best to minimize them -- before proceeding.

This guide focuses on how to work securely with cloud service providers. It considers the risks, reviews ways to evaluate and choose a CSP, and offers a thorough overview of the assistance available from the Cloud Security Alliance. Reading this guide is a vital first step in moving any company information or services to the cloud.

1. How to evaluate cloud providers

It's imperative that infosec pros consider the security angle of every step to the cloud -- from identifying potential CSPs, to evaluating the contenders, to signing a contract and managing the relationship.

Know upfront how the CSPs you're considering guarantee the safety of company information; never forget that CSPs don't typically keep security at top of mind, which makes it essential that you do. Are CSP guarantees sufficient as presented or must they be adjusted? How will you ensure promised measures are actually implemented?

2. The realities of working with a cloud provider

Identifying viable CSPs and selecting the best one for your company is tough, but even after the contract ink is dry there are issues to deal with and hurdles to surmount.

Many CSPs fail to clearly explain how they'll get your confidential company info up on their cloud and keep it there safe and secure. Enter a CSP relationship with eyes open and toolkit packed. There are some ways to determine how secure a cloud service really is, and this segment of our guide explains them.

3. Cloud provider metrics and controls

Figuring out which CSP is best for your company is difficult, but you're not alone: The nonprofit Cloud Security Alliance (CSA) promotes best practices for cloud computing, with a focus on security. It has an education program and also disseminates guidelines to aid both cloud vendors and companies moving to the cloud.

CSA programs like the Cloud Controls Matrix and Cloud Trust Protocol give potential cloud customers parameters by which to judge and compare cloud offerings. Read on to learn how CSA programs can make the tough chore of choosing a CSP a bit easier.

4. Expert advice for potential CSP customers

There's nothing like the voice of experience. Here are two videos featuring senior executives with a wide range of advice about working with cloud service providers. They cover everything from how to assess the security controls a CSP offers to what cloud standards are emerging in the industry.