Module 3: Cloud Service Customer Controls

Cloud Service Selection

Overview

Selecting the right cloud service and provider is critical for security, compliance, and business success.

Learning Objectives

  • Evaluate cloud service providers
  • Assess security capabilities
  • Understand compliance requirements
  • Negotiate appropriate contracts
  • Apply ISO 27017 selection criteria

ISO 27017 Guidance

A.15.1.1 - Information Security Policy for Supplier Relationships

CSC Due Diligence Requirements:

  • Security capability assessment
  • Compliance verification
  • Financial stability review
  • References and reputation
  • Service maturity evaluation

Provider Evaluation Framework

Phase 1: Initial Screening

Criteria       | Evaluation                     | Evidence
Certifications | ISO 27001, SOC 2 Type II       | Certificates, reports
Compliance     | Industry-specific (HIPAA, PCI) | Attestations
Financial      | Business viability             | Annual reports
Reputation     | Market position                | References, reviews
Geography      | Data center locations          | Documentation

Phase 2: Detailed Assessment

Security Questionnaire (50+ questions):

1. Access Control (10 questions)
   - How is authentication implemented?
   - Is MFA supported/required?
   - How are privileged accounts managed?
   - What access review process exists?

2. Data Protection (10 questions)
   - What encryption is used at rest?
   - What encryption is used in transit?
   - Can customers manage encryption keys?
   - How is data segregated?

3. Incident Management (8 questions)
   - What is the incident response process?
   - What are notification timelines?
   - How are customers involved?
   - What post-incident reporting occurs?

4. Compliance (8 questions)
   - What certifications are maintained?
   - How often are audits conducted?
   - Are audit reports available?
   - What compliance support is provided?

5. Business Continuity (8 questions)
   - What is the availability SLA?
   - What redundancy exists?
   - What is the disaster recovery plan?
   - How often is BC/DR tested?

6. Monitoring and Logging (6 questions)
   - What logs are available to customers?
   - What is the log retention period?
   - Are SIEM integrations supported?
   - What monitoring tools are provided?

Service Model Selection

Decision Matrix

Factor              | IaaS              | PaaS          | SaaS
Control Needed      | High              | Medium        | Low
Customization       | Maximum           | Moderate      | Limited
Management Overhead | High              | Medium        | Low
Time to Deploy      | Weeks             | Days          | Hours
IT Skills Required  | High              | Medium        | Low
Cost                | Pay for resources | Pay for usage | Pay per user

Selection Decision Tree

Need standard business application?
├─ YES → Consider SaaS
│         ├─ Evaluate: Salesforce, Microsoft 365, Workday
│         └─ Focus: Data governance, access control
│
└─ NO → Need development platform?
          ├─ YES → Consider PaaS
          │         ├─ Evaluate: AWS Elastic Beanstalk, Azure App Service
          │         └─ Focus: Application security, API security
          │
          └─ NO → Need infrastructure control?
                    └─ YES → Consider IaaS
                              ├─ Evaluate: AWS EC2, Azure VMs, GCP Compute
                              └─ Focus: OS security, network config

Contract Negotiation

Critical Contract Clauses

1. Service Level Agreement (SLA)

Availability: 99.95% monthly uptime
Measurement: Based on provider monitoring
Exclusions: Scheduled maintenance, customer-caused issues
Remedies: 10% credit for < 99.95%, 25% for < 99.9%
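As an added example (not part of the lesson or of any provider's SLA tooling), the following script turns the sample SLA clause above into a calculation: it clips outage records to the month, drops the excluded causes (scheduled maintenance, customer-caused issues), merges overlapping provider incidents so no minute is counted twice, and maps the resulting monthly availability onto the 10% / 25% credit tiers. The outage records and the cause labels are constructed for illustration.

```python
"""Added example: monthly availability and service credits under the sample SLA.

Assumes the clause on this page: 99.95% monthly target, 10% credit below
99.95%, 25% credit below 99.9%, scheduled maintenance and customer-caused
issues excluded. Outage records below are constructed, not real incidents.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    cause: str  # "provider", "scheduled_maintenance" or "customer" (labels assumed)


EXCLUDED_CAUSES = {"scheduled_maintenance", "customer"}
# (availability threshold, credit %); worst tier first so the first match wins
CREDIT_TIERS = [(99.9, 25), (99.95, 10)]


def month_bounds(year: int, month: int) -> Tuple[datetime, datetime]:
    """Return [first instant of the month, first instant of the next month)."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def counted_downtime_minutes(outages: Iterable[Outage], year: int, month: int) -> float:
    """Provider-attributable downtime inside the month, with overlaps merged."""
    m_start, m_end = month_bounds(year, month)
    intervals: List[Tuple[datetime, datetime]] = []
    for o in outages:
        if o.cause in EXCLUDED_CAUSES:
            continue  # SLA exclusion: does not count against availability
        start, end = max(o.start, m_start), min(o.end, m_end)  # clip to the month
        if end > start:
            intervals.append((start, end))
    intervals.sort()
    merged: List[Tuple[datetime, datetime]] = []
    for start, end in intervals:
        if merged and start <= merged[-1][1]:  # overlaps or touches the previous one
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum((end - start).total_seconds() / 60 for start, end in merged)


def monthly_availability(outages: Iterable[Outage], year: int, month: int) -> float:
    """Monthly uptime percentage after exclusions."""
    m_start, m_end = month_bounds(year, month)
    total = (m_end - m_start).total_seconds() / 60
    return 100.0 * (total - counted_downtime_minutes(outages, year, month)) / total


def credit_percent(availability: float) -> int:
    """Service credit owed for a measured availability, per the tiers above."""
    for threshold, credit in CREDIT_TIERS:
        if availability < threshold:
            return credit
    return 0


def sla_report(outages: Iterable[Outage], year: int, month: int) -> Dict[str, float]:
    outages = list(outages)
    avail = monthly_availability(outages, year, month)
    return {
        "downtime_minutes": counted_downtime_minutes(outages, year, month),
        "availability_percent": round(avail, 3),
        "credit_percent": credit_percent(avail),
    }


# Constructed sample for March 2025 (31 days = 44,640 minutes)
SAMPLE_OUTAGES = [
    Outage(datetime(2025, 3, 10, 2, 0), datetime(2025, 3, 10, 2, 20), "provider"),
    Outage(datetime(2025, 3, 10, 2, 10), datetime(2025, 3, 10, 2, 40), "provider"),  # overlaps the one above
    Outage(datetime(2025, 3, 15, 1, 0), datetime(2025, 3, 15, 3, 0), "scheduled_maintenance"),
    Outage(datetime(2025, 3, 20, 10, 0), datetime(2025, 3, 20, 11, 0), "customer"),
    Outage(datetime(2025, 3, 31, 23, 50), datetime(2025, 4, 1, 0, 10), "provider"),  # crosses month end
]

if __name__ == "__main__":
    # 50 counted minutes -> 99.888% -> below 99.9%, so the 25% tier applies
    print(sla_report(SAMPLE_OUTAGES, 2025, 3))
```

Because the clause measures availability "based on provider monitoring", running the same calculation over the customer's own incident records is the practical way to check the provider's monthly figure and to dispute credits when the two disagree.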

2. Data Processing Agreement (DPA)

  • Data controller/processor roles
  • Processing purposes
  • Subprocessor disclosure
  • Data location specification
  • Security measures
  • Data subject rights support

3. Security and Compliance

  • Required certifications
  • Audit rights (notice period, frequency)
  • Incident notification timeline
  • Vulnerability disclosure
  • Penetration testing rights
  • Compliance reporting

4. Data Protection and Privacy

  • Data encryption requirements
  • Data residency commitments
  • Data retention and deletion
  • Data portability provisions
  • Backup and recovery SLAs

5. Exit Strategy

  • Termination notice period (60-90 days)
  • Data export format and process
  • Transition assistance
  • Data deletion verification
  • Cost of exit

Compliance Alignment

Mapping Requirements

Regulation → CSP Capability → Contract Clause

GDPR
├─ Data location (EU/EEA) → Check data centers → Specify in DPA
├─ Data processing agreement → Template available → Customize and sign
├─ Data subject rights → Export/delete tools → Include in contract
└─ Breach notification (72h) → Incident process → SLA for notification

HIPAA
├─ Business Associate Agreement → Template provided → Execute BAA
├─ Encryption → AES-256 available → Enable and verify
├─ Access controls → RBAC, MFA → Configure appropriately
└─ Audit logs → Available, retention → Enable, specify retention

PCI DSS
├─ Network segmentation → VPC capabilities → Implement isolation
├─ Encryption in transit → TLS 1.2+ → Enforce HTTPS
├─ Logging and monitoring → CloudWatch, etc. → Configure alerts
└─ Quarterly scans → Scanning allowed → Schedule and conduct

Reference Checks

Questions for References

  1. How long have you used the service?
  2. Have you experienced security incidents?
  3. How was incident response handled?
  4. What challenges have you faced?
  5. How is support responsiveness?
  6. Would you recommend this provider?
  7. What compliance requirements do you have?
  8. How does the provider handle audits?

Proof of Concept

POC Evaluation Criteria

Security Testing:

  • Encryption verification
  • Access control testing
  • Logging validation
  • Backup/restore testing
  • Integration testing
  • Performance under load

Operational Testing:

  • Deployment processes
  • Monitoring capabilities
  • Change management
  • Support responsiveness
  • Documentation quality

Key Takeaways

  1. Thorough evaluation prevents future issues
  2. Certifications provide baseline assurance
  3. Contracts must address security requirements
  4. Compliance alignment is critical
  5. Reference checks validate claims
  6. POC tests validate capabilities

Self-Assessment

  1. What certifications should CSPs have?
  2. What should be included in an SLA?
  3. What is a Data Processing Agreement?
  4. How should service models be selected?
  5. Why are reference checks important?