The “Big 3” cloud providers—AWS, Azure, and GCP—set the standard for cloud security. If you choose one of these cloud computing leaders for your cloud environment (and understand their specific shared responsibility models), you can be sure you’re getting the best security available on the market. Does that mean they’re always perfect? No. But between them, they spend billions of dollars every year proactively securing their cloud platforms.
Leaders have often questioned whether the cloud is secure. They’re asking the wrong question. They should be asking, “Are we using the cloud securely?” The biggest risk in your cloud environments isn’t whether the providers are doing their job; it’s misconfiguration of your solutions inside the cloud platforms. That said, you should still continuously vet cloud providers to ensure your needs are being met.
Review their security and privacy policies, which should both be available through their website. Do your own due diligence and find third-party reviews from industry analysts, reports, and publications. Go through the provider’s Service-Level Agreement (SLA) with a fine-tooth comb for specifics on which security responsibilities are yours and which are theirs.
Then ask for proof that they’re adhering to common standards like ISO-27001, ISO-27002, ISO-27017, and ISO-27018 to ensure they follow security best practices, actively strive to reduce risk, and protect personally identifiable information. If you’re in a regulated industry, ask for evidence that they meet all government and regulatory protocols like GDPR, CCPA, HIPAA, and PCI DSS.
Cloud security is a combined effort between you and whatever cloud providers you engage with. It’s not wholly their responsibility, and it’s not wholly yours. Like every other business partnership, make sure you know what you’re getting into before you sign on the dotted line. And then hold up your end of the bargain.