Confidentiality of the information
Questions 40 to 72 — as with other information technology systems, see how secure information is in a public cloud service.
Authentication and access control
Questions 40 to 45 — use a strong approach for identity management — see if the provider audits user accounts and has access controls and passwords for authentication that meet your security needs.
Multi-tenancy — multiple customers sharing a pool of computing resources
Questions 46 to 48 — check if the provider has security controls for virtualisation and separating customer data, and will allow you to test its access controls.
Standard operating environments
Questions 49 to 52 — properly configure and manage components of the public cloud service — identify who is responsible for the components in the service model you’re using.
Patch and vulnerability management
Questions 53 to 59 — identify who is responsible for patching each component and make sure patches for vulnerabilities happen quickly.
Questions 60 to 63 — check your requirements for encryption — the why, how, who, where and when of the information you need to encrypt.
Insider threat from the cloud service provider
Questions 64 to 68 — check if the service provider has security controls to prevent unauthorised access to your information by the people working there.
Data persistence — are you able to delete information?
Questions 69 and 70 — when the provider scales down or ends services, or reuses or throws away equipment, see if you can delete information to keep it secure.
Questions 71 and 72 — see if physical security controls are in place to protect your information.