How to Choose a Cloud Provider

This is the final part of the cloud security series, my idea with this article “how to choose a cloud provider” is to offer everyone some useful advice to help pick the right cloud provider for your business.

Cloud assurance framework

Let’s start with the cloud’s assurance framework from which the questions in this article are derived. It’s self explanatory so I’ll say no more.

Cloud Assurance Framework


The three main principles of information security is easy to remember because of the well-known acronym CIA.

In the world of information security, CIA means:

Confidentiality – hiding information from those not authorised to see it.

Integrity – the ability to ensure the information is accurate and unchanged from the most recently published version.

Availability – ensuring the information is available for those authorised to view it.

I believe CIA is even more important when using the cloud, simply because you have lost control of your information. Reassurance is needed from the cloud provider that the risks associated with the CIA of your data are applied to the relevant security controls and the risks are mitigated to an acceptable level for your business.

Ask Questions

A questionnaire is a great way of assessing whether a cloud provider is right for your business, the questions which follow are only a sample but should help smaller companies to make a calculated decision. If your data is hyper sensitive or if you are part of a larger organisation and need support please contact me to find out more.

If you are a cloud provider it will be well worth investing in Cyber Essentials Plus to reassure your customers that some important security controls have been certified, contact me and I can arrange to get your infrastructure Cyber Essentials hardened and certified.

Legal and Regulatory

These key questions are also useful for individuals or very small companies wishing to use cloud services.

  • In which country is the cloud provider’s registered office?
  • In which countries is the cloud provider’s infrastructure physically located?
  • Are any of the cloud provider’s services subcontracted or outsourced?
  • In which countries is the cloud provider’s subcontractors’ and outsourcers’ infrastructure located?
  • Where will our data be physically located?
  • Which country or countries will the contractual jurisdiction lie?
  • How is our data and our customers’ data collected, processed and transferred?
  • How is our data managed when the contract terminates?

It is also an important consideration that data exported to countries outside the EU could fall under export regulations.

Data and service portability. Customer lock-in

These are also key questions for companies of all sizes, it is important to get this right from the start to ensure you have control of your data and you are able to change provider at any time within the terms of your contract.

  • Does the cloud provider have documented procedures and database structures or APIs to be able to export data from the cloud?
  • Does the cloud provider have documented procedures and database structures or APIs to be able to import data to the cloud?
  • Do these procedures allow for the data export to be transferred in encrypted form and then deleted from the cloud provider’s infrastructure?
  • Is the exported data in a relational format where it can be migrated to another cloud provider?
  • Can the client perform their own import and export of the data?
  • Can user created applications be exported in a ready to deploy format?

Personnel security

  • What pre-employment policies and procedures do you have in place?
  • What recruitment policies and procedures do you have in place?
  • What leaving policies and procedures do you have in place?
  • Are there different policies in place for staff who manage sensitive and confidential data?
  • Is there a security awareness training programme in place for all staff?

Operational security

  • What is your remote access policy?
  • What controls do you have in place do prevent malicious code?
  • What are your data backup and recovery procedures?
  • What audit logs are available to be used in the event of a security incident?
  • Do you carry out penetration tests pending a new release of your software?

Identity and access management

For this article there are too many questions which need to be asked, it is better to contact me for further advice on how to manage identity and access management.

The questions are related to account authorisation, account de-provisioning, checking the identity of accounts at registration, protecting the user account directories, key management, encryption, authentication and security monitoring.

Cloud Provider supply-chain assurance

  • What services are outsourced or subcontracted that are key to the security of your operations?
  • What are your procedures for your third party suppliers to access your infrastructure?
  • Do you perform supplier audits?
  • Are there any SLAs in place with your providers which offer less then you offer your customers?
  • Does your security policy apply to third party providers?

Lots more questions!

There are many questions to be asked in these areas of the framework, for small companies I recommend you ask one question:

  • Are you ISO27001 certified? If yes, please send me a copy of your certificate.

You need to ask for the certificate because the certificate includes the scope of the certification and the cloud provider may have limited scope which is not applicable to the service they provide to you.

ISO27001 control references for these parts of the framework.

  • Physical and environmental security – ISO27001 A.11
  • Asset management – ISO27001 A.8
  • Business Continuity Management – ISO27001 A.17

If you are a cloud provider of any size without ISO27001 certification please contact me to arrange an appointment to discuss the scope of the project and how our ISO team can help.