Cloud Security - Security Issues in Cloud Computing - Cloud Security Checklist

Despite the numerous benefits of cloud computing, only 33% of companies have a “full steam ahead” attitude toward adopting the cloud. That’s according to a survey of over 200 IT and IT security leaders, which identified 6 issues holding back cloud projects. Chief among them, companies are worried about how secure their data is once it leaves the company’s firewall. These days, there are news headlines about data breaches and software vulnerabilities every day. These regular headlines, especially mega breaches like those at Target and Sony that led to executives at both companies resigning, have made the security of data in the cloud an executive-level and board-level concern at 61% of companies. Against a backdrop of increasingly sophisticated attacks aimed at stealing corporate data, many IT leaders feel uncomfortable with a perceived loss of control over corporate data.

Organizations need to cut their own cards, i.e. achieve a high level of information security assurance through a comprehensive cloud security checklist which, as a minimum, must address the following security issues in cloud computing:

Security Team

  • Is the security team ready for the Cloud?

  • Is the security team aware of and knowledgeable about the cloud?

  • Does the team’s structure enable cloud security?

  • Does the organization have a cloud security strategy with which its auditors would be happy?

  • Has the security team updated all security policies and procedures to incorporate cloud?

  • Has security governance been adapted to include cloud?


  • Is everyone aware of his or her cloud security responsibilities?

  • Is there a mechanism for managing cloud-related risks?

  • Does the compliance function understand the specific regulatory issues pertaining to the organization’s adoption of cloud services?

  • Is there a mechanism for assessing the security of a cloud service?

  • Does the business governance mitigate the security risks that can result from cloud-based “shadow IT”?

  • Does the organization know within which jurisdictions its data can reside?

  • Does the organization understand the data architecture needed to operate with appropriate security at all levels?

  • Can the organization be confident of end-to-end service continuity across several cloud service providers?

  • Can the provider comply with all relevant industry standards (e.g. the UK’s Data Protection Act)?


  • Are regulatory compliance reports, audit reports and reporting information available from the provider?

  • Is the cloud-based application maintained and disaster tolerant (i.e. would it recover from an internally or externally caused disaster)?

  • Do you know the location from which the provider will deliver support and management services?

  • Do the procurement processes contain cloud security requirements?

  • Does the provider have the right attitude to incident resolution and configuration management, even when services involve multiple providers?

  • Does using a cloud provider give the organization an environmental advantage?

  • Does the organization know in which application or database each data entity is stored or mastered?

  • Are all personnel appropriately vetted, monitored and supervised?

  • Is the provider able to deliver a service within the required performance parameters?

  • Is it easy to securely integrate the cloud-based applications at runtime and at contract termination?


  • Are there appropriate access controls (e.g. federated single sign-on) that give users controlled access to cloud applications?

  • Are mechanisms in place for identification, authorization and key management in a cloud environment?

  • Is data separation maintained between the organization’s information and that of other customers of the provider, at runtime and during backup (including data disposal)?

  • Has the organization considered and addressed backup, recovery, archiving and decommissioning of data stored in a cloud environment?

  • Are all cloud-based systems, infrastructure and physical locations suitably protected?

  • Are the network designs suitably secure for the organization’s cloud adoption strategy?

Selecting a Cloud Service Provider

  • Terms of Service and Security & Privacy Policy - read the Terms of Service and the Security & Privacy Policy to understand:

      · how your company can use the cloud service (i.e. acceptable usage policies, licensing rights or usage restrictions);

      · how your data is stored and protected;

      · whether the service provider has access to your data, and if so, how that access is restricted;

      · how to report an incident;

      · how to terminate the service and whether data is retained after service termination;

      · whether the service provider will give advance notice of any change of terms;

      · whether the Privacy Policy follows the data protection principles of the Personal Data (Privacy) Ordinance[1]; and

      · the jurisdiction (Hong Kong SAR or other locations) to which the Terms would apply.

  • Negotiate the Terms of Service with the service provider if not all the terms are acceptable.

  • If you cannot find a service provider meeting your requirements, you should reconsider the use of cloud services.

  • Understand whether there are “secondary uses” of your account information without your knowledge or consent. For example, information stored in the cloud may be used to tailor advertisements.

Data ownership is another concern to be looked at in the cloud security checklist:

  • Check whether the service provider reserves rights to use, disclose, or make public your information. Check whether the intellectual property rights of data you own remain intact.

  • Check whether the service provider retains rights to your information even if you remove your data from the cloud.

  • Understand whether you can move or transfer your data and the service to another provider when you want to, and whether export utilities are available and are easy to use.

  • Check whether data can be permanently erased from the cloud, including any backup storage, when you delete this data or when you end the service.

Additional Selection Considerations

  • Understand the acceptable range of risks associated with the use of cloud services.

  • Select a service provider with a service level agreement commensurate with the importance of your business function.

  • Select a service provider that can explain clearly what security features are available, preferably supported by an independent information security management certification (e.g. ISO/IEC 27001).

  • Select a service provider with no major security incident reported, or one that can provide transparency to previous security incidents with cause and remediation explained.

  • Select a service provider that ensures data confidentiality by:

      · using encryption (e.g. Secure Sockets Layer (SSL)) to transmit data; and

      · using encryption to protect stored static data. (If not, you have to apply your own encryption before storing data in the cloud. In that case, remember to keep your encryption key safe.)

  • Select a service provider that provides a simple and clear reporting mechanism for service problems, security and privacy incidents.

  • Select a service provider that provides regular service management reports and incident problem reports.
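The confidentiality point above (encrypt stored data yourself when the provider does not, and keep the key safe) is the one item in this checklist that turns directly into code. The Go program below is an added example, not part of the original page and not any provider's SDK: it encrypts an object client-side with AES-256-GCM before the object is handed to a cloud store, using a fresh random nonce per object and binding the object name as associated data, so the provider only ever holds ciphertext and the key stays with the organization. The key source (a local random key standing in for an on-premises KMS or HSM), the object name and the sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: the ciphertext and
// the per-object nonce. The key itself never leaves the organization.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh random 256-bit AES key. In a real deployment the key
// would be generated and held in an on-premises KMS or HSM (assumption; the
// checklist only says to keep the key safe).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM before upload. objectName is bound
// as associated data, so a ciphertext copied onto a different object path by
// anyone with access to the storage fails to open.
func Seal(key, plaintext []byte, objectName string) (*Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object; GCM must never reuse one under a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return &Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope fetched back from the provider. A wrong key, a
// tampered ciphertext or a mismatched object name all fail the GCM tag check.
func Open(key []byte, env *Envelope, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has a malformed nonce")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("envelope failed authentication: wrong key, wrong object name or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; any bytes the organization wants to store.
	record := []byte("customer-id=42;email=alice@example.invalid")
	name := "backups/customers.csv"

	env, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded to provider: nonce=%x ciphertext=%x\n", env.Nonce, env.Ciphertext)

	pt, err := Open(key, env, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with our key: %s\n", pt)

	// Someone holding the stored object but not the key gets nothing back.
	otherKey, _ := NewKey()
	if _, err := Open(otherKey, env, name); err != nil {
		fmt.Println("decrypt with a different key:", err)
	}
}
```

Two design observations follow from keeping the key on the organization's side. First, this protects data at rest at the provider only; the transport still needs the encrypted channel the previous sub-point asks for. Second, it gives a practical answer to the data-ownership question about permanent erasure including backups: once the organization destroys the key, every copy of the envelope the provider still holds, in live storage or in a backup, is unreadable.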


Please note that physical and environmental security (Admin), human resource security and IT security are not part of the cloud security audit, since these dedicated departments have a large set of controls of their own to address.

A well-matured and fully evolved cloud security audit checklist must follow an RBT (risk-based thinking) process approach to cloud management and cover the elements of PDCA (plan, do, check and act) during the audit. The cloud security checklist also covers the application security audit checklist.