How to evaluate a Cloud Service Provider: creating a compliance checklist for security & resilience

Businesses across sectors, from banks and hospitals to logistics providers and e-commerce platforms, run on cloud infrastructure. Selecting the right Cloud Service Provider (CSP) is now much more than evaluating cost or features. It is about assessing the CSP's ability to ensure resilience, security and sustained operation during unexpected disruptions, without compromising data or uptime.

The Infocomm Media Development Authority (IMDA) of Singapore issued the Advisory Guidelines for Resilience and Security of Cloud Services. Though voluntary, these guidelines provide a robust framework for CSPs. Businesses can rely on the critical areas mentioned in the IMDA guidelines to evaluate CSPs and develop internal compliance processes before selection. In this post, we highlight a selection of checklist questions drawn from the comprehensive IMDA framework.

1. Robust Cloud Governance

Effective cloud governance goes beyond IT. It is a company-wide commitment to data security and risk management. Businesses should prioritise CSPs that demonstrate the following:

  • An Information Security Management System (ISMS) with clearly defined roles.
  • A risk register and quarterly risk assessments including cloud-specific risks.
  • A due diligence process to fully understand the risks before sub-contracting services to third-party service provider(s).
  • Annual security training and checks for staff and third-party contractors.
  • Background checks prior to hiring employees.
  • An up-to-date, regularly tested incident response plan.
  • Processes governing data access and handling with proper classification, encryption and retention policies.

While selecting a cloud service provider, a business should look for a mature governance framework with board-level accountability and regular audits. It should also look for supply-chain transparency vis-à-vis the CSP's sub-contractors.

2. Secure and Resilient Cloud Infrastructure

Infrastructure is the bedrock of cloud services. Any misconfiguration can lead to catastrophic failures. Your CSP should:

  • Maintain audit logs and monitor all activities across systems and networks.
  • Enforce secure configurations and conduct periodic compliance checks.
  • Conduct vulnerability assessments and penetration tests at regular intervals and after significant infrastructure changes such as major upgrades or new deployments.
  • Encrypt sensitive data and manage cryptographic keys securely. This is to prevent unauthorised use or disclosure of sensitive information.
  • Apply security throughout their system acquisition and development cycles.

Businesses should look for a secure design architecture and rigorous operational hygiene.

3. Strong Cloud Operations Management

Smooth day-to-day operations are essential for service continuity. Ensure your CSP:

  • Maintains detailed documentation for system operations.
  • Keeps development, test and production environments separate, with strict change controls.
  • Clearly defines the service expectations and documents any changes in the contractual agreements with clients.
  • Allows ethical hackers to report flaws responsibly.
  • Has a back-up process to recover systems supporting critical information.

Since operations management is the base of cloud services, businesses should primarily ensure that CSPs have documented operations, change control and recovery processes.

4. Rigorous Cloud Administration

Privileged accounts used for managing cloud services and their supporting networks pose a high risk and require rigorous administration. Businesses can check that their CSPs do the following:

  • Use role-based access controls for administrative users.
  • Set up multi-level approvals for significant configuration changes.
  • Regularly review who has elevated rights and remove access swiftly if needed.
  • Encrypt all credentials transmitted for non-console administrative access.
  • Maintain detailed logs of all administrative actions.

While choosing a CSP, businesses should always look for least privilege models and access protocols.

For example, some CSPs control access and permissions separately for each service and for human users, which isolates the services from one another.
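As an added example (not code from the original post or from the IMDA guidelines), the following Python script shows how a subscriber could check a CSP's privileged-activity audit export against three of the items above: multi-level approval of role grants, periodic review of elevated rights, and administrative actions taken outside role-based access. The event format, field names and sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of privileged-activity audit events in a hypothetical export
# format; the field names are assumptions, not any CSP's real log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "actor": "alice", "action": "role.grant",
     "target": "bob", "role": "admin", "approvers": ["carol", "frank"]},
    {"ts": "2024-01-11T10:00:00", "actor": "dave", "action": "role.grant",
     "target": "erin", "role": "admin", "approvers": ["dave"]},
    {"ts": "2024-05-03T11:00:00", "actor": "bob", "action": "config.change", "target": "edge-firewall"},
    {"ts": "2024-01-20T11:30:00", "actor": "erin", "action": "config.change", "target": "edge-firewall"},
    {"ts": "2024-05-04T12:00:00", "actor": "gina", "action": "config.change", "target": "edge-firewall"},
]

def grants_lacking_dual_approval(events, min_approvers=2):
    """Elevated-role grants approved by fewer than min_approvers people other than the requester."""
    findings = []
    for e in events:
        if e["action"] == "role.grant":
            # Self-approval does not count; multi-level approval needs independent reviewers.
            independent = {a for a in e.get("approvers", []) if a != e["actor"]}
            if len(independent) < min_approvers:
                findings.append((e["target"], e["role"]))
    return findings

def stale_admins(events, now_iso, max_idle_days=90):
    """Role holders with no recorded privileged action inside the review window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    holders = {e["target"] for e in events if e["action"] == "role.grant"}
    last_seen = {}
    for e in events:
        if e["action"] != "role.grant":
            seen = datetime.fromisoformat(e["ts"])
            last_seen[e["actor"]] = max(last_seen.get(e["actor"], seen), seen)
    return sorted(u for u in holders if last_seen.get(u, datetime.min) < cutoff)

def actions_by_unregistered_admins(events):
    """Privileged actions by actors with no recorded role grant: access outside RBAC."""
    holders = {e["target"] for e in events if e["action"] == "role.grant"}
    return [(e["actor"], e["action"], e["target"]) for e in events
            if e["action"] != "role.grant" and e["actor"] not in holders]

def access_review(events, now_iso):
    """One report a reviewer can attach as evidence against the checklist items above."""
    return {"grants_lacking_dual_approval": grants_lacking_dual_approval(events),
            "stale_admins": stale_admins(events, now_iso),
            "actions_by_unregistered_admins": actions_by_unregistered_admins(events)}

if __name__ == "__main__":
    print(access_review(SAMPLE_EVENTS, "2024-06-01T00:00:00"))
```

Each non-empty list in the report is a question to put to the provider, since a clean export from a well-run CSP should produce none.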

5. Secure Customer Access Management

Client access must be tightly regulated to prevent data leakage. CSPs should:

  • Implement formal user registration and password policies.
  • Enforce inactivity session timeouts and password reset processes.
  • Ensure secure self-service portals for account management.
  • Use strong encryption for authentication tokens while granting access to users.
  • Implement procedures to detect and terminate unauthorised access promptly.

Businesses subscribing to cloud services should evaluate providers on whether they adhere to these requirements to prevent data leakage.

6. Safeguards for Tenancy and Customer Isolation

As data privacy is a serious concern, customers must be strictly isolated from one another. Check if the CSP:

  • Segregates virtual machines and data between customers at the network and application levels.
  • Uses a secure network architecture that isolates the CSP's internal services from customer-facing infrastructure (e.g. separate virtual networks, appropriate access controls between network domains, and blocking of unauthorised traffic).
  • Limits sharing of physical and virtual infrastructure components.
  • Prevents data co-mingling by segregating customer access.

Businesses subscribing to a cloud service should always look for an infrastructure that keeps each customer’s data and traffic completely separate.

7. Resilience and Continuity

Maintaining continuous service availability is critical to business operations. Resilience must be designed from day one. A good CSP will have:

  • Asset tracking processes, including safeguards for moving equipment offsite.
  • Secure data processing centres with surveillance systems and security personnel.
  • Established procedures (including training) for staff response to power disruptions or environmental hazards.
  • Developed, implemented and tested business continuity and disaster recovery plans.
  • Failover tests conducted across all Availability Zones (AZs) and global services.

Businesses should inquire about a CSP's strategies for handling power failures, network outages and disasters. A reliable CSP should have a robust backup plan, disaster recovery drills and data centre protections in place.

Currently, some CSPs have a model which outlines the division of security responsibilities between the CSP and the customer. The CSP manages the security of the cloud (infrastructure, hardware, and software), while customers are responsible for security in the cloud (data, applications, and access controls). This model ensures clarity and accountability in cloud security.

8. Accountable Security Leadership

Enhancing the resilience and security of digital infrastructure is not an easy task. It requires collective effort under the leadership of senior management. A provider serious about resilience appoints a designated security officer to lead and coordinate all initiatives. Ensure that a CSP you appoint has a senior representative driving the cloud security and resilience agenda.

Conclusion

Cloud service disruptions can be caused by a range of factors, including data upgrades, power surges, network failures, or cooling system malfunctions. Such incidents can lead to widespread outages affecting multiple organizations across the world, particularly when fault isolation mechanisms and automated failover processes are insufficient. For example, past incidents in major cloud platforms have shown how a localised hardware or power issue can cascade across regions, disrupting critical public and private services. This underscores a crucial truth: resilience is not theoretical but operational.

Cloud services are not just a product but the backbone of most businesses in today's world. Businesses should not settle for a provider that merely hosts services. They should opt for one that prioritizes resilience and security, as the wrong choice can expose a business to data loss, compliance failures and reputational harm. Having a compliance checklist when choosing a CSP can help with governance, business continuity and consumer trust. While this post outlines a selection of key questions, the insights derived from the IMDA guidelines may be leveraged to formulate comprehensive internal compliance checklists, ensuring thorough due diligence in the assessment and selection of CSPs.

Komrisk, our compliance management solution, not only assists organizations in adhering to mandatory regulations but also offers the flexibility to upload their internal compliance checklists onto Komrisk. This addition ensures a unified approach to compliance, allowing businesses to monitor and manage both external obligations and internal standards seamlessly.

By leveraging Komrisk, organizations can proactively identify potential vulnerabilities, streamline compliance processes, and foster a culture of continuous improvement. Incorporating tools like Komrisk into your compliance strategy is not just about meeting regulatory requirements, it’s about building a resilient, secure, and trustworthy digital ecosystem for your business.

Get in touch with us for a demo.

Authored by: Debashis Banerjee

Co-Authored by: Swapna Umakanth

Disclaimer

The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.
