Cloud Computing: Risk & Assurance Model and CSP Selection

icebergOne of the things that I constantly get asked about is security of Cloud. Never more so than at the moment with the global surveillance scandal still bringing new revelations each day.

I’m in the middle of writing a practical guide on how you can move services to Cloud and one of the most important aspects of that is managing your risk (and so security). This is an excerpt from that guide.

What I’ve provided here is a list of the type of questions and information you can use to select your Cloud providers. It is provided at a summary level only as each situation demands a different set of sub-questions and headings. It is aimed at the larger company, but can be used by the SMB.

A risk and assurance model is an excellent tool by which all potential Cloud service providers (CSP) can be measured. It is recommended each section be given a weighting. The sample is ordered by weight with the top components being the most important through to the latter sections being less so.

The Risk and Assurance model is not about ruling CSP’s either in, or out. The model is about understanding the risk of the CSP and its service so that the enterprise can make an informed decision about whether to take up its offerings, or not.

It is also worth looking at the Cloud Code developed by the Institute of IT Professionals.


  • Ensure the CSP complies with all relevant local law.
  • In particular, ensure compliance with tax and privacy legislation.
  • Where, physically, and within what legal jurisdiction, will the data be stored?


  • Ensure that you take all necessary steps to investigate the viability of the CSP.
  • Which legal jurisdiction is the CSP incorporated?


  • What industry standards does the CSP adhere too?
  • Consider using the Cloud Code of Conduct developed by the New Zealand Institute of IT Professionals as a de-facto standard.
  • If you happen to be in Austrasia, ask if the CSP is a signatory to the Cloud Code of Conduct.
  • Does the CSP adhere to CoBIT and ISO270001?


  • How can the enterprise extract the data from the CSP should it want too?
  • This is particularly critical with a SaaS service.
  • How is data secured within storage systems?
  • Is data within PaaS and SaaS multi-tenanted services segregated?

Workload Portability

  • Is it possible to move your virtualised workloads in and out of the CSP at will?

Virtual Machine Security

  • How is security managed in a multi-tenanted environment?
  • How are VM’s kept separate?
  • To what level are VM’s hardened at their creation?
  • How is patch management completed on the VM’s?

Connective Security

  • Is penetration testing routinely deployed against the CSP and are the result of that made transparent to customers?
  • How are vulnerabilities managed, tracked, and secured?
  • How is network security managed?
  • How are DDoS attacks managed?
  • Does the CSP use intrusion detection or similar?
  • How does this operate?

Business Resilience

  • Does the CSP have a formal business continuity plan and process?
  • How regularly is that plan exercised?
  • Following a disaster, how long would be it before your services are restored?


  • Does the CSP outsource or other sub-contract services to other providers?
  • If so, what and how?
  • Are the sub-contractors held to the same standards as the CSP and are they audited?
  • Are the sub-contractors in the same legal jurisdiction as the CSP?

Software Management

  • What standards, guidelines, or best practice are used to manage software?
  • Software includes; firmware, applications, middle-ware, databases, operating systems, and other like services.
  • How are identified vulnerabilities managed?

Identity Management

  • How is administrative access to the Cloud service managed by the CSP?
  • How will the enterprise’s users connect and authenticate with the CSP?
  • How many levels of authentication are available to the enterprise? I.e. Single, two-factor, or complex authentication.

Resource Management

  • How are resources managed to insure against exhaustion, over subscription, congestion, or other issues that cause performance issues or outages?

Incident Management

  • Can the CSP demonstrate they have a standard incident management process?
  • Does the CSP utilise the data generated by incident management for problem management and continuous service improvement?
  • If so, how?

Operations Management

  • How does the CSP manage disaster recovery?
  • Are environments separated (SaaS) into standardised areas such as staging, production, testing, sandboxes, development, and UAT?
  • Is there a formalised operations process including manual?

Data Centre Management

  • What is the process for allowing physical access to data centres?
  • Do the data centres include redundant power and telecommunications?
  • Do the data centres include backup power?
  • Are all environmental system implemented to industry standards, tested, and regularly maintained?
  • Does the CSP utilise an asset management and or configuration management database for all items inside the data centre including physical and logical?
  • How are staff security vetted for any role that supports and manages the CSP?
  • How many staff carry security clearances and to what level?


  • Does the CSP keep a copy of the enterprise’s encryption keys?
  • If yes, how are these protected?
  • Does the CSP allow for processing of tokenized data (SaaS) via crypto engines on the enterprise side?


  • How does the CSP manage breaches of security?
  • How does the CSP manage breaches of privacy?
  • How does the CSP work with law enforcement in its legal jurisdiction in the case of warrants or requests for access to data being made?
  • Does the CSP publish outage information publicly?

Service Retention

  • What guarantees can the CSP give that their services will be retained and improved over time?


  1. Nicely written and comprehensive.

    I don’t suppose you’ve got model answers – as well as answers that should serve as warning shots?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: