Trust
Using a cloud technology implies a level of trust in its provider and in that provider's abilities. But, as Ronald Reagan once put it:
Trust, but verify
Verifying the trust you place in a cloud provider is not an easy task. Trust comes with experience, but how do you gain trust before you have experience? In that case you can rely on a statement from a reliable party that has either measured or experienced the trustworthiness of the provider. This is called assurance.
Resources
Frameworks/standards
The following globally recognized frameworks, standards and reports can help you obtain assurance about a cloud provider.
- Cloud Security Alliance - CSA Security, Trust & Assurance Registry (STAR)
- ISO9001 - Global Quality Standard
- ISO22301 - Business Continuity Management
- ISO27001 - Security Management Controls
- ISO27017 - Cloud Specific Controls
- ISO27018 - Personal Data Protection
- PCI DSS - Payment Card Data Security Standards
- AICPA System and Organization Controls
There are many more local, regional and industry frameworks, standards, reports, laws and regulations. Listing them all would go way beyond the scope of this article.
Provider reports
Many cloud providers have created dedicated websites that list the various standards, etc. they comply with. Below is a (non-exhaustive) list:
- Amazon AWS
- Microsoft Azure
- Akamai