This guidance is here to help you determine how confident you can be that a cloud service is secure enough to handle your data. It will help you evaluate the security of any cloud service and is built around 8 Security Principles.
Fair warning, the extent of your security responsibilities as a buyer of the service will vary significantly depending on the type of service involved.
1 Know your business requirements
Understand your intended use of the cloud service. Consider issues such as availability and connectivity. Identify those risks which would be unacceptable to your organisation should they be realised, and those that would not.
2 Understand your information
Identify the information that will be processed, stored or transported by the cloud service. Understand the legal and regulatory implications. For example, if personal data is to be stored or processed, then the General Data Protection Regulation should be considered.
3 Determine relevant security principles
You now know your business requirements, you have identified the risks you are and aren't willing to take, and you have a clear picture of the information which will be exposed to the service.
With this information you should be able to determine which of the Cloud Security Principles are most relevant to your planned use of the service.
4 Understand how the principles are implemented
Find out how the cloud service claims to implement the security principles you’ve identified as relevant. Different approaches will result in different risks for you to consider. Our detailed guide to implementing the cloud security principles will help you with this.
5 Understand the level of assurance offered
Can the service provider demonstrate that the principles you identified in step 3 have been implemented correctly?
Some suppliers offer little more than promises, others provide contracts, and some engage certified, independent assessors to validate their claims. The relative merits of these levels of assurance are explored in detail here.
6 Identify additional mitigations you can apply
Consider any additional measures your organisation (as a consumer of the cloud service) can apply to help reduce risk to your applications and information.
7 Consider residual risks
Having worked through the above steps, decide whether any remaining risks are acceptable.
8 Continue to monitor and manage the risks
Once in use, periodically review whether the service still meets your business and security needs.