Cloud Provider Compliance Programs

As companies adopt the cloud in its various forms (SaaS, PaaS, and IaaS), your company needs assurance that the cloud provider has strong security for its offering. Cloud provider compliance programs are your company's first step in evaluating the maturity of the cloud provider's security. Security standards can be international, industry-specific, subject-specific, or country-specific. Take a moment to consider the various security standards, as each standard has different objectives.


Your company shares security responsibility with the cloud provider. The cloud provider ensures the security of their offering, while your company must ensure security inside the cloud provider offering. Each company should look at the three broad objectives of Enterprise I.T. Security:

  • Confidentiality
  • Integrity
  • Availability

First, a company should define its desired and required risk profile for each objective. The type of data to be stored and processed in the cloud-based applications is relevant, as is the type of systems the company will be using (and their criticality to the business). Second, a company will classify the data and applications that may be moved to the cloud and assign the applicable desired/required risk profile. This will designate the applications and data that are more 'cloud ready' and, conversely, identify the applications and data that the company is concerned about moving, or unwilling to move, to cloud providers based on their risk profile.

Once a company has outlined its desired/required risk profile and appropriately classified its data and applications, it is in a position to evaluate cloud providers for the target data and applications that may move to the cloud. Here are four questions to evaluate the cloud provider's security compliance program:

  • Which compliance certification has the cloud provider achieved?
  • Which compliance certification certificates can be provided for evaluation?
  • Which security controls are in-scope for the cloud provider’s compliance program?
  • Which security controls are the responsibility of the customer, versus the provider?

Some examples of cloud provider compliance programs are as follows:

Moving securely to the cloud can be daunting without a disciplined approach. We have outlined a pragmatic and successful process that helps to assure an orderly transition:

  • Define your risk profile
  • Evaluate your applications and data for suitability for cloud
  • Select the cloud provider appropriate to your risk profile requirements

Sounds simple on paper and works well when done properly. CMI will work with you through each step to help assure you achieve the business outcomes desired from the perspectives of cost-to-serve, agility, and security. You can be living the dream.

Michael Giraldo is a Security Architect at CMI.  You can follow him on Twitter @michaelgiraldo.