Engaging with Cloud Providers
In previous chapters, we covered cloud infrastructure fundamentals and common threats in cloud environments. This chapter covers the fundamental steps to take before working with cloud services, such as engaging with cloud providers.
In the traditional data center, we used to control everything, from physical to logical security controls. With cloud service providers (CSPs), we no longer have that direct control, so we need other ways to get assurance. There are several options, such as the following:
- Conduct a risk assessment before engaging with a cloud provider. One good option is to review System and Organization Controls (SOC) 2 Type 2 reports, which describe what controls the cloud provider has set and how effective they are. SOC reports will be reviewed later in this chapter.
- Have a good contract that sets the obligations of the cloud provider (such as a service-level agreement (SLA) for handling security incidents and an SLA to notify us as customers).
- Conduct an audit on the CSP...