This is a loaded question.
I am answering the question from the evaluation of the physical security of the data center and/or cloud. Both are pretty much the same: the data center you can look at as "Private Cloud" and the other as "Public Cloud".
Before one looks at the security controls, you must first calculate your risk and the required level of defense. Therefore the primary security concern will be based directly on the type of business you run and its level of visibility or market prominence. Those are some of the factors that draw the attention of malicious external forces, which in turn will drive your security requirements or level.
For “Public Cloud” getting a physical security audit done might be problematic given the location of the data center or data centers and in some cases, they just don’t allow you to access / audit the site. Here you must place reliance on the contract and their honesty.
For "Private Cloud" they would mostly allow you to verify their security because you are either placing your tin in their site or renting their tin (not multi-tenant). You will also require access to manage your tin, well, contract dependent. Also, again from my experience, the center managers LOVE to show clients what their center looks like and the benefits of utilizing their center; they also benefit from every audit, as they can use that for new prospective clients.
Having said all the previous, for me the contracting is the most important aspect to consider. Very few IT people actually read or understand those contracts and (generalizing) very few lawyers understand the IT aspects / risks. You must ensure that your concerns are covered in the contract and that you and your legal counsel agree on the wording and the implied meaning of the relevant clauses. One section I found that gets brushed over or not looked at is that you are covered for breach, loss of data etc. and that the limitations on liability will cover your potential quantifiable loss. Also the requirements for notification of breach: it would be embarrassing if they notify the regulator and media before you get to notify your clients of the issue and the actions you are taking.
There are several aspects that need to be considered.
1. Compliance level check
a. The solution should be able to identify the compliance level of each workload against various regulations, e.g. HIPAA.
2. Automatic remediation
a. Upon finding security gaps, the solution should be able to close most of the gaps automatically without impacting production.
3. Support for serverless
a. The solution must support security for Lambda, Kubernetes and containers.
4. CVE-ID based security with threat score
5. Integration with AWS/Azure Inspector
Among the various security measures that are important when placing an enterprise workload in the cloud, I choose to point out the measure which will be your last barrier between a data breach and an information leak, and the assurance that no matter what happens your organization's data is safe. I mean data encryption, and the most important part is the keys used to encrypt the data. As long as you keep the encryption keys under IT control and in your trusted digital vault outside the cloud, your security strategy is aligned.
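The key-custody model the answer above describes is usually implemented as envelope encryption: each object in the cloud is encrypted with its own data key, and that data key is wrapped by a key-encryption key (KEK) that never leaves the on-premises vault. The following is an added example, not code from the original thread or from any vendor's product. It simulates the two sides in one process (the `OnPremVault` and `CloudStore` classes are assumptions of this example); to stay standard-library only, the symmetric primitive is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which stands in for the AES-GCM you would use in production. The point it shows that the prose does not: the cloud side holds everything needed to serve the data yet cannot read it, and disabling the key at the vault makes the stored copies unrecoverable.

```python
"""Envelope encryption with the KEK held outside the cloud (added example).

OnPremVault: holds the KEK, never releases it, only wraps/unwraps data keys.
CloudStore:  sees only ciphertext and wrapped data keys.
The stream cipher below is an HMAC-SHA256 counter-mode stand-in for AES-GCM
(an assumption of this example, chosen so it runs with the standard library).
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC(key, nonce || counter) blocks concatenated until `length` bytes.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hashlib.sha256(label + key).digest()


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant-time) before decrypting; raise on mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class OnPremVault:
    """The trusted vault. Only wrap/unwrap cross its boundary; the KEK never does."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._disabled: set[str] = set()
        self.audit: list[tuple[str, str]] = []  # every key use is logged here

    def wrap(self, dek: bytes, key_id: str) -> bytes:
        self.audit.append(("wrap", key_id))
        # key_id is bound as AAD so a wrapped DEK cannot be replayed for another object.
        return seal(self._kek, dek, aad=key_id.encode())

    def unwrap(self, wrapped: bytes, key_id: str) -> bytes:
        self.audit.append(("unwrap", key_id))
        if key_id in self._disabled:
            raise PermissionError(f"key {key_id!r} is disabled at the vault")
        return unseal(self._kek, wrapped, aad=key_id.encode())

    def disable(self, key_id: str) -> None:
        """Crypto-shredding: the cloud copies stay, but nothing can unwrap them."""
        self._disabled.add(key_id)


class CloudStore:
    """What the provider (or an attacker with provider access) actually holds."""

    def __init__(self) -> None:
        self.objects: dict[str, tuple[bytes, bytes]] = {}

    def put(self, name: str, wrapped_dek: bytes, ciphertext: bytes) -> None:
        self.objects[name] = (wrapped_dek, ciphertext)

    def get(self, name: str) -> tuple[bytes, bytes]:
        return self.objects[name]


def upload(vault: OnPremVault, store: CloudStore, name: str, plaintext: bytes) -> None:
    dek = secrets.token_bytes(32)  # fresh data key per object
    ciphertext = seal(dek, plaintext, aad=name.encode())
    store.put(name, vault.wrap(dek, name), ciphertext)  # plaintext DEK is discarded


def download(vault: OnPremVault, store: CloudStore, name: str) -> bytes:
    wrapped, ciphertext = store.get(name)
    return unseal(vault.unwrap(wrapped, name), ciphertext, aad=name.encode())


def cloud_side_can_read(store: CloudStore, name: str, plaintext: bytes) -> bool:
    """Does anything stored in the cloud reveal the plaintext or the data key?"""
    wrapped, ciphertext = store.get(name)
    return plaintext in ciphertext or plaintext in wrapped
```

Usage: create one `OnPremVault` and one `CloudStore`, call `upload` and `download`, then `vault.disable(name)`; a further `download` raises `PermissionError` even though `store.objects` is untouched, which is the property that makes key custody, rather than the provider's storage encryption, the last barrier.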
Identity info security.