ARTICLE
29 May 2025

How To Evaluate A Cloud Service Provider: Creating A Compliance Checklist For Security & Resilience

Lexplosion Solutions Private Limited

Contributor

Headquartered in Kolkata, Lexplosion was founded by a team of four ex-GE lawyers with a view to help the corporate legal & compliance fraternity reduce their effort and cost overhead. From its inception in December 2007, Lexplosion has focused on creating new markets by identifying the needs of corporate counsels and compliance officers and re-defining solutions. We have helped a number of Indian organizations lower the total cost of legal and compliance operations by making their processes more efficient and benchmarking them to global best practices. A number of our pioneering initiatives have been borne out of our endeavor to bridge the gap between the long term needs of the customer and the existing solutions in the market.

Businesses across sectors, from banks and hospitals to logistics providers and e-commerce platforms, run on cloud infrastructure. Selecting the right Cloud Service Provider (CSP) is now much more than evaluating cost or features. It is about assessing the CSP's ability to keep services secure, resilient and running through unexpected disruptions without compromising data or uptime.

The Infocomm Media Development Authority (IMDA) of Singapore has issued the Advisory Guidelines for Resilience and Security of Cloud Services. Though voluntary, the guidelines provide a robust framework for CSPs, and businesses can use the critical areas they cover to evaluate CSPs and to build internal compliance processes before selection. In this post, we highlight a selection of checklist questions drawn from the IMDA framework.

1. Robust Cloud Governance

Effective cloud governance goes beyond IT. It is a company-wide commitment to data security and risk management. Businesses should prioritise CSPs that demonstrate the following:

  • An Information Security Management System (ISMS) with clearly defined roles.
  • A risk register and quarterly risk assessments including cloud-specific risks.
  • A due diligence process to fully understand the risks before sub-contracting services to third-party service providers.
  • Annual security training and checks for staff and third-party contractors.
  • Background checks prior to hiring employees.
  • An up-to-date, regularly tested incident response plan.
  • Processes governing data access and handling with proper classification, encryption and retention policies.

While selecting a cloud service provider, a business should look for a mature governance framework with board-level accountability and regular audits. It should also look for supply-chain transparency vis-à-vis the CSP's sub-contractors.

2. Secure and Resilient Cloud Infrastructure

Infrastructure is the bedrock of cloud services, and a single misconfiguration can lead to catastrophic failure. Your CSP should:

  • Maintain audit logs and monitor all activities across systems and networks.
  • Enforce secure configurations and conduct periodic compliance checks.
  • Conduct vulnerability assessments and penetration tests at regular intervals and after significant infrastructure changes such as major upgrades or new deployments.
  • Encrypt sensitive data and manage cryptographic keys securely, to prevent unauthorised use or disclosure of sensitive information.
  • Apply security throughout their system acquisition and development cycles.

Businesses should look for a secure design architecture and rigorous operational hygiene.

3. Strong Cloud Operations Management

Smooth day-to-day operations are essential for service continuity. Ensure your CSP:

  • Maintains detailed documentation for system operations.
  • Keeps development, test and production environments separate, with strict change controls.
  • Clearly defines service expectations and documents any changes in the contractual agreements with clients.
  • Operates a responsible disclosure process so that security researchers can report flaws.
  • Has a backup process to recover the systems that support critical information.

Since operations management underpins the service, businesses should first confirm that the CSP has documented operations, change control and recovery processes.

4. Rigorous Cloud Administration

Privileged accounts used for managing cloud services and the supporting networks pose a high risk and require tight administration. Businesses can check that their CSP does the following:

  • Use role-based access controls for administrative users.
  • Set up multi-level approvals for significant configuration changes.
  • Regularly review who has elevated rights and remove access swiftly if needed.
  • Encrypts credentials in transit for all non-console administrative access.
  • Maintain detailed logs of all administrative actions.

While choosing a CSP, businesses should always look for a least-privilege access model and documented procedures for granting, reviewing and revoking access.

For example, major CSPs offer identity and access management services that scope the permissions of both human users and service identities, so that each service can reach only the resources it needs and a compromise of one identity does not automatically expose the others.
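What the access-review items above look like in practice, as an added example that is not part of the original article or of the IMDA guidelines: the script below reads an export of privileged role assignments and flags direct (non-role) grants, privileged principals without MFA, expired grants that are still active, and elevated rights unused for more than 90 days, producing the list of principals whose access should be revoked. The export format, the field names, the set of privileged roles and the 90-day threshold are all assumptions for this example; the sample records are constructed. Under the shared-responsibility model discussed later in this post, a customer would run the same kind of review over its own tenant, and could ask the CSP to demonstrate an equivalent review of its internal administrators.

```python
"""Privileged-access review over a constructed export of role assignments.

Checks: grants flow through roles/groups rather than direct assignment, MFA is
set on privileged principals, expired grants are not still active, and elevated
rights unused beyond a threshold are removed. The input format is an assumption
made for this example, not a real provider's export schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data for illustration only (not real accounts).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Owner", "granted_via": "group:cloud-admins",
     "last_used": "2025-05-20T09:12:00Z", "mfa": True, "expires": None},
    {"principal": "bob@example.com", "role": "Owner", "granted_via": "direct",
     "last_used": "2025-01-03T17:40:00Z", "mfa": True, "expires": None},
    {"principal": "svc-deploy", "role": "Contributor", "granted_via": "direct",
     "last_used": "2025-05-28T02:00:00Z", "mfa": False, "expires": "2025-04-30T00:00:00Z"},
    {"principal": "carol@example.com", "role": "Reader", "granted_via": "group:auditors",
     "last_used": None, "mfa": False, "expires": None},
    {"principal": "dave@example.com", "role": "Security Admin", "granted_via": "group:secops",
     "last_used": None, "mfa": True, "expires": None},
]

# Assumed set of roles that count as "elevated" for this review.
PRIVILEGED_ROLES = {"Owner", "Contributor", "Security Admin", "User Access Administrator"}
STALE_AFTER = timedelta(days=90)
# Fixed review date so the example is reproducible offline.
REVIEW_DATE = datetime(2025, 5, 29, tzinfo=timezone.utc)


def _parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def review_privileged_access(assignments, now, stale_after=STALE_AFTER,
                             privileged_roles=PRIVILEGED_ROLES):
    """Return (findings, revoke).

    findings: list of (principal, role, issue) tuples for every control failure.
    revoke:   sorted list of principals whose elevated grant should be removed now
              (expired or stale); direct grants and missing MFA are reported but
              left for remediation rather than immediate revocation.
    """
    findings, revoke = [], set()
    for a in assignments:
        if a["role"] not in privileged_roles:
            continue  # least-privilege review only concerns elevated rights
        p, r = a["principal"], a["role"]
        last_used, expires = _parse_ts(a["last_used"]), _parse_ts(a["expires"])

        if a["granted_via"] == "direct":
            findings.append((p, r, "direct grant; elevated rights should flow through a role or group"))
        if not a["mfa"]:
            findings.append((p, r, "no MFA on privileged principal"))
        if expires is not None and expires <= now:
            findings.append((p, r, "grant expired but still active"))
            revoke.add(p)
        if last_used is None or now - last_used > stale_after:
            findings.append((p, r, f"elevated rights unused for more than {stale_after.days} days"))
            revoke.add(p)
    return findings, sorted(revoke)


def run_sample():
    """Run the review over the constructed sample at the fixed review date."""
    return review_privileged_access(SAMPLE_ASSIGNMENTS, REVIEW_DATE)


if __name__ == "__main__":
    findings, revoke = run_sample()
    for principal, role, issue in findings:
        print(f"[FINDING] {principal} ({role}): {issue}")
    print("Revoke now:", ", ".join(revoke) or "nothing")
```

The review deliberately treats "never used" the same as "stale": a standing privileged grant that has never been exercised is exactly the kind of access that least privilege says should not exist, and it is the one most often missed by reviews that only look at recent activity.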

5. Secure Customer Access Management

Client access must be tightly regulated to prevent data leakage. CSPs should:

  • Implement formal user registration and password policies.
  • Enforce inactivity session timeouts and password reset processes.
  • Ensure secure self-service portals for account management.
  • Use strong encryption to protect the authentication tokens issued to users.
  • Implement procedures to detect and terminate unauthorised access promptly.

Businesses subscribing to cloud services should evaluate whether the provider meets these requirements, since weak customer access controls are a direct path to data leakage.

6. Safeguards for Tenancy and Customer Isolation

As data privacy is a serious concern, strict isolation between tenants is essential. Check whether the CSP:

  • Segregates virtual machines and data between customers at the network and application levels.
  • Uses secure network architecture that isolates CSP's internal services from customer-facing infrastructure (e.g. separate virtual networks, appropriate access controls between network domains, blocking unauthorised traffic.)
  • Limits sharing of physical and virtual infrastructure components.
  • Prevents data co-mingling by segregating customer access.

Businesses subscribing to a cloud service should always look for an infrastructure that keeps each customer's data and traffic completely separate.

7. Resilience and Continuity

Maintaining continuous service availability is critical to business operations. Resilience must be designed from day one. A good CSP will have:

  • Asset tracking processes, including safeguards for moving equipment off-site.
  • Secure data centres with surveillance systems and security personnel.
  • Procedures (including training) for staff response to power disruptions or environmental hazards.
  • Business continuity and disaster recovery plans that are developed, implemented and tested.
  • Failover tests across all Availability Zones (AZs) and global services.

Businesses should inquire about the CSP's strategies for handling power failures, network outages and disasters. A reliable CSP should have a robust backup plan, disaster recovery drills and data centre protections in place.

Most major CSPs also publish a shared responsibility model that divides security duties between the CSP and the customer. The CSP is responsible for security of the cloud (infrastructure, hardware and the software that runs the platform), while the customer is responsible for security in the cloud (data, applications, configuration and access controls). Reading this model carefully tells a business exactly which of the checks above it must perform itself rather than delegate.

8. Accountable Security Leadership

Enhancing the resilience and security of digital infrastructure is not an easy task. It requires collective effort under the leadership of senior management. A provider serious about resilience appoints a designated security officer to lead and coordinate all initiatives. Ensure that the CSP you appoint has a senior representative driving its cloud security and resilience agenda.

Conclusion

Cloud service disruptions can be caused by a range of factors, including upgrades, power surges, network failures and cooling system malfunctions. Such incidents can lead to widespread outages affecting multiple organizations across the world, particularly when fault isolation mechanisms and automated failover processes are insufficient. Past incidents in major cloud platforms have shown how a localised hardware or power issue can cascade across regions, disrupting critical public and private services. This underscores a crucial truth: resilience is not theoretical but operational.

Cloud services are not just a product but the backbone of most businesses today. Businesses should not settle for a provider that merely hosts services. They should opt for one that prioritises resilience and security, as the wrong choice can expose a business to data loss, compliance failures and reputational harm. A compliance checklist for choosing a CSP supports governance, business continuity and consumer trust. While this post outlines a selection of key questions, the IMDA guidelines can be used to formulate a comprehensive internal compliance checklist, ensuring thorough due diligence in the assessment and selection of CSPs.

Komrisk, our compliance management solution, not only assists organizations in adhering to mandatory regulations but also offers the flexibility to upload their internal compliance checklists on to Komrisk. This addition ensures a unified approach to compliance, allowing businesses to monitor and manage both external obligations and internal standards seamlessly.

By leveraging Komrisk, organizations can proactively identify potential vulnerabilities, streamline compliance processes, and foster a culture of continuous improvement. Incorporating tools like Komrisk into your compliance strategy is not just about meeting regulatory requirements, it's about building a resilient, secure, and trustworthy digital ecosystem for your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
