Abstract
Building a security audit program for cloud services could be a complex process; there are various aspects that a security professional must consider when choosing what areas to incorporate in an in-house framework or what industry standard to use to assess particular cloud infrastructures. A cloud provider must take into account various aspects related to the core of the service, such as API security, code reviews, infrastructure, and others; on the other hand. A cloud customer must consider other areas specific to the use of the service, such as vendor lock-in, contractual agreements, and others. This article contemplates a holistic view of the various frameworks and tools available to companies and security professionals building a comprehensive audit program; it covers the cloud provider and the cloud customer perspectives and expands on what tools could be applied depending on the security audit’s angle.
DISCLOSURE STATEMENT
No potential conflict of interest was reported by the author(s).
Additional information
Notes on contributors
Gary Carrera
Gary Carrera is a Privacy Program Manager at Meta (former Facebook). He has 14 years of experience supporting large tech companies in Information Security and Privacy programs, most recently at Facebook and Apple. He holds an MS in Business Administration and Project Management and CDPSE, CISM, CISA, CCSP, HITRUST CCSFP, ISO27001 among other certifications. The postings on this site are the author’s own and don’t necessarily reflect his employer’s positions or opinions on the subject.