Cloud Service Security Checklist



As more and more organisations migrate their services, infrastructure and platforms to a Cloud environment, security is an ever increasing consideration that needs to be made. This article looks at the security of Cloud services and presents a Cloud service security checklist that can be used as a starting point for organisations to consider risks of a service. What are the security risks of cloud services? What security considerations need to be made when procuring a cloud service? How can I measure cloud service security controls and how do I know if this falls within my risk appetite? We aim to answer all these questions and more in this article.

Organisations initially need to understand and define their security posture and risk appetite. In basic terms, what data will be put in to the cloud? Does this need high levels of protection? What would happen if this data or the service was compromised? Is there a need to maintain uptime? All these questions and more will differ dependent on what is put into the cloud environment – for example, if organisations wish to utilise a cloud service to process their publicly accessible data then there will be less of a need to request strict security controls to that of a payroll processing system hosted in the cloud. While this may seem obvious, it is important for organisations to ensure that they consider this before anything else – proportionate controls need to be applied according to the environment.

Security controls can be applied equally to Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings. Organisations procuring cloud services need to gain assurance from consumers that appropriate security controls have been implemented before deciding to utilise the service. It is imperative that organisations perform due diligence when purchasing a cloud service, failure to do so may result in a loss of data, loss of uptime and therefore loss of business. So, what controls should you consider and gain assurance from when consider a cloud service? We look at the best Cloud service security controls below.

Cloud Service Security Checklist – Control #1: Protection for Data in Transit and at rest

The first control that is pretty self explanatory is protection for your data both in transit and at rest within the service. This is particularly important in protecting your data from snooping inside and outside the service. As cloud services operate in a multi-tenancy environment, multiple consumer data will exist in a virtualised environment. It is imperative that your data is secured from these other consumers, both inside the service (for example, between data centres) and from your own site through to the service.

It is highly recommended that strong encryption algorithms are implemented by the consumer to ensure customer data is adequately protected. As a consumer of the cloud service, you should seek assurance from the cloud service provider that encryption is implemented by default for the service. For example, you may wish to check that your data is encrypted by default both between your end point and the service as well as within the service itself. You could request from the consumer that they provide sufficient evidence to prove that your data is adequately protected – this could be in the form of security testing or audits.

Cloud Service Security Checklist – Control #2: Physical security controls

Secondly, you may wish to consider the physical security of the assets that process and store your data. This includes identifying the location of these assets and the physical security controls that protect these. Although you may feel that this is not your concern and you are not entitled to request this, you are more than entitled to request evidence from the supplier that the assets and infrastructure that store and process your data are adequately protected. Many cloud suppliers will consider this by default and go through multiple audits to ensure that their data centres are secured.

Assurance for this control can be achieved in a number of ways, you may request that the supplier obtains external physical security auditing to check access controls and locations. You may also wish to request that cloud service providers undertake certification, such as ISO27001, that checks and confirms the presence of physical security controls. Either way, it is imperative that the assets used to process and store your data are secured from unauthorised physical access.

data centre security

Consumers should gain assurance from suppliers that physical security controls are in place, especially at the data centre where assets reside.

Cloud Service Security Checklist – Control #3: Separation between customers

As previously stated, cloud service providers often virtualise their assets to allow multiple customers to exist within the same physical infrastructure. While this provides cost reductions and environmental advantages, this adds to security concerns from the customer perspective. For example, attackers may wish to purchase a service located within the same physical box as other customers. They may then wish to break out of the service they have purchased to access all other data contained within the virtualised environment. With this in mind, it is imperative that appropriate separation controls have been implemented by the cloud service provider.

Separation can be achieved via a number of different means. In the ideal scenario, consumers will be presented with their own physical box, however, this is only possible in a private cloud environment. More often than not, cloud providers will separate consumers through strongly configured VPN’s. It is worth requesting evidence from the provider that the cloud service is segregated appropriately and that this has been thoroughly tested from a security perspective, especially if you have sensitive data residing in the cloud environment.

Cloud Service Security Checklist – Control #4: Personnel Security

As well as technical controls, when purchasing a cloud service you may need to understand the non-technical controls in place to prevent attacks from the insiders. Personnel that are in charge of monitoring, maintaining and securing the cloud service represent a significant security vulnerability if they are rogue. For example, if staff members at the cloud service provider are in charge of configuring and maintaining the cloud service and infrastructure, they may be able to compromise the service and the data residing on that service.

Personnel security checks should be carried out by the service provider and as a customer you should request evidence that this has been carried out. Any member of staff with access to the service is a potential attacker and therefore, the provider and you should have confidence that this individual is not going to tamper with the service or compromise data.

Cloud Service Security Checklist – Control #5: Operational Security

Evidence should be sought that the day to day running of the service is adequately protected. For example, the cloud service provider should be monitoring the service for indications of misuse and they should be able to notify you as a customer that the service, and potentially your data, is at risk. This is particularly important in managing your assets appropriately. Additionally, other controls such as regular testing, auditing and compliance with relevant standards should be achieved by the provider.

Evidence can be sought from the supplier that appropriate controls are in place. This could be achieved via external auditing or compliance with relevant control frameworks. You should consider gaining assurance in these areas to make sure that your data is relevantly protected while sitting in the cloud service.


Cloud service security is a complicated process and there are a multitude of considerations that need to be made before purchasing a cloud service. You will need to consider both technical and non-technical controls to ensure that your data is processed and handled appropriately, in accordance with your risk appetite. You should look at your data, understand the impact that losing this data would have on your organisation and decide what security controls matter to you and your business. It is then worth considering these security controls as well as the many other controls that are available.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *