Trust

Using a cloud technology implies a level of trust in its provider and the abilities of the provider. But, as Ronald Reagan once put it:

Trust, but verify

Verification of trust of a cloud provider is not an easy task. Trust comes with experience, but how to gain trust before you have experience? In that case you can rely on a statement of a reliable party that has either measured or expience the trustworthyness of a party. This is called assurance.

Resources

Frameworks/standards

The following list is a list of globally recognized frameworks/standards/reports that can help you in obtaining assurance on a cloud provider.

• Cloud Security Alliance - CSA Security, Trust & Assurance Registry (START)
• ISO9001 - Global Quality Standard
• ISO22301 - Business Continuity Management
• ISO27001 - Security Management Controls
• ISO27017 - Cloud Specific Controls
• ISO27018 - Personal Data Protection
• PCI DSS - Payment Card Data Security Standards
• AICPA System and Organsation Controls
  • SOC 1 - Audit Controls
  • SOC 2 - Security, Availability and Confidentiality
  • SOC 3 - General Controls

There are many more local, regional and industry frameworks, standards, reports, laws and regulations. Listing them all would go way beyond the scope of this article.

Provider reports

Many cloud providers have created dedicated websites that will list the various standards etc they comply with. Below is a (non exclusive/incomplete) list:

• Amazon AWS
  • https://aws.amazon.com/compliance/
  • https://aws.amazon.com/security/
• Microsoft Azure
  • https://www.microsoft.com/en-us/trustcenter/compliance/default.aspx
  • https://azure.microsoft.com/en-us/services/security-center/
• Google
  • https://cloud.google.com/security/
• Akamai
  • https://www.akamai.com/uk/en/about/compliance/

---

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

---