Data is under constant threat every day of being stolen and corrupted by hackers intent on penetrating end users’ computer systems. This has prompted the shift to cloud computing for many organisations. Knowing how to evaluate cloud service provider security before choosing one is the practical way forward.

With many vital processes shifting online, more and more companies are adopting a multi-cloud strategy for good reasons, including cost savings and data sharing capabilities. However, cloud security has also become a major concern as the number of data breaches increases around the world. Companies must take a proactive approach in understanding cloud security risks and how best to minimise them.

This guide prepares companies on what to ask before signing an agreement to work with cloud service providers. It addresses the risks and recommends ways to ensure data security when moving sensitive information to the cloud.

6 Evaluation Criteria for Cloud Service Provider Security


1. Security Measures

First and foremost, the cloud service provider’s data and system security policies must align with your company’s policies. To properly assess the security measures offered by the provider and the mechanisms they use to protect your applications and company data, you must be very clear about your security goals from the start.

Check with the cloud provider that they have all the required security certifications and that they can provide detailed incident reports and security audit reports upon request. Your preferred cloud provider should offer the kind of flexibility you need to support your security practices and your commitments to your clients.

For protection, data encryption is your strongest line of defence. When comparing the services that cloud providers offer, you should assess the different modes of encryption available for both data transit and data storage. Harmless data such as inventory information and daily logs can use cheaper storage, but for highly sensitive data, these must be stored using secure and encrypted data storage solutions.

In some cases, companies may want to look for a cloud provider that hosts private clouds. A private cloud offers all the same benefits as a public cloud, except that the resources (ex. servers, firewalls, etc.) are dedicated to a single customer. For companies that do not want to share their data center resources with other companies with poor security practices, private clouds should be considered for added security.

2. Compliance

Storing data in servers across different countries can be complicated because of the imbalance in data laws around the world. Every organization needs to be aware of the local data regulations and prevailing privacy laws.

When choosing a cloud provider, find out where their data center location is and verify its legitimacy. If there are no compliance issues, then go for the provider that offers the best server locations that fit your business needs.

3. Technology Stack

To get an edge over competitors, more companies are relying on new technology to close the gap. One of the toughest challenges is usually figuring out how smoothly new technology can be incorporated into the company’s workflows now and for the long term.

For the cloud, some vendors offer Platform-as-a-Service (PaaS) providers based on a specific technology stack. Before signing up with a cloud platform, make sure that it aligns with your application’s technology stack so that the infrastructure setup, configuration, and maintenance can be easily taken care of.

Be aware that your developers will be relying heavily on the technology offered by the cloud vendor to build and innovate, so think carefully when evaluating the provider’s suitability. For example, if you have services that are particularly vital to your organisation, you should find out whether the cloud supports third-party integrations and customisations.

4. Consistency and Reliability

High availability and reliability of the cloud are essential for both the clients and the cloud provider in preventing revenue losses during downtime. It’s best to ensure that cloud monitoring and reporting tools are on offer and can be neatly integrated into your company’s management and reporting systems.

To check for any inconsistencies, measure all past downtime occurrences for the last 6-12 months. Request to view this data from the cloud service provider if it’s not available online. Check how these occurrences have been dealt with and how long recovery times are allowed for as stated in the service level agreements (SLAs).

These are some of the key events to take note of:

  • Recorded Data Breaches: During its service lifetime, has the cloud service provider had a (publicly disclosed) data breach?
  • Recorded Malicious Use: Has the cloud service provider ever had (publicly disclosed) malware hosted on its site?
  • Penetration Testing: Is penetration testing performed on a regular basis?

5. Back-Up & Support

This criterion is very important: ensure that the cloud service provider has data backup provisions and disaster recovery processes in place. Do not overestimate the limits of your providers’ ability to support your data preservation expectations if the cloud experiences a catastrophic cyberattack.

Check your provider’s terms and conditions to see if the costs associated with disaster recovery are covered. If not, it would be wise to consider purchasing additional risk insurance.

6. Exit Strategy

Exiting the contract with a cloud service provider can be tricky because this scenario is often the least prepared for. Most organizations don’t include a detailed exit strategy in their cloud adoption roadmap.

From the beginning, it should be made very clear what the exit provisions provided by the cloud provider are and the services levels agreed upon by both parties. Stay alert for any updates which could drastically change the working model policies and technologies of the cloud product you’re using.

If not planned well, a long-drawn or hasty exit could lead to wasted effort, disrupted processes, and/or penalties incurred due to exceeding the exit duration.


Before signing up with any cloud platform, it’s critical for you to know how to evaluate cloud service provider security. This will help you create a solid analytical framework to use when determining which cloud service provider(s) you can trust with your data and applications. Knowing the 6 criteria discussed above, you will find out whether the provider can deliver the features and resources that will best support and secure your ongoing business and operational goals.

Primary Guard is a partner of Amazon Webs Services (AWS). We offer a wide range of support services to help our client with every step of cloud migration. We also provide Managed Services to make the management of your cloud much smoother. Contact us today.