Making Cloud SLAs readily usable in the EU private sector

Cloud Service: 17 criteria to evaluate security

Cloud computing is fast becoming a business imperative, but it is also a challenging move for many businesses, irrespective of their size, because it requires them to rethink processes and define strategies for growth and for staying competitive in the marketplace.

Special attention should also be paid to security to ensure business assets are not put at risk, bearing in mind the different levels of control and security that cloud service models offer (such as infrastructure as a service and software as a service) and the related service level agreements (Cloud SLAs).

One of our partners, the Cloud Security Alliance (CSA), has conducted an extensive survey to identify the most important factors that businesses consider when assessing a cloud service provider (CSP), including the existence of internal processes. The survey of IT professionals revealed that 71.2% of companies have a formal process for employees to request new cloud services, but only 65.5% of those companies actually follow it.

To help companies evaluate cloud service attributes, Skyhigh Networks has compiled a list of 17 evaluation criteria that companies with a formal process use as part of their assessment.


Authentication and Identity

  1. Multi-Factor Authentication: Does the cloud service support authentication factors in addition to passwords, such as an SMS code or a phone token?

  2. Anonymous Use: Does the cloud service provider allow for anonymous access to the service? 

  3. Identity Federation Method: What single sign-on methods does the cloud service provider support? 

  4. Enterprise Identity: Does the cloud service provider support integration with enterprise directories or authentication providers?


Protection for Customer Data

  1. Encryption of Data at Rest: Does the service encrypt data at rest in its databases, file systems or at the virtual machine layer?

  2. Encryption of Data in Transit: What mode of SSL or TLS does the vendor support for protecting data in motion? 

  3. Data Multi-tenancy: Does the cloud service provider support a multi-tenant offering?


Internal Controls

  1. Certifications: Which compliance certifications does the cloud service provider have (e.g. SSAE16, ISO 27001, SOC2, PCI, HIPAA, etc.)? 

  2. Data Centre Protections: What protections does the cloud service provider have in place for its data centres?

  3. User Activity Logging: Does the cloud service provider log end-user activities?


Legal Terms

  1. IP Ownership: What are the specified definitions of intellectual property ownership in the terms of use for the cloud service provider? 

  2. Account Termination: What are the grounds for account termination with the cloud service provider?

  3. Data Retention: How long does the service store customer data after account termination?

  4. Data Sharing Policy: Does the service reserve the right to share customer data with third parties, and if so under what circumstances? 


Past Performance

  1. Known Breaches: Has the cloud service provider had a (publicly disclosed) breach in its service? 

  2. Known Malicious Use: Is the cloud service provider known to have (publicly disclosed) malware hosted on its site or known to be a drop zone for malicious code? 

  3. Penetration Testing: Does the vendor perform penetration testing on a regular basis?

Source: 17 Security Criteria to Look at When Evaluating a Cloud Service, Suhaas Kodagali