Cloud service providers offer on-demand, scalable computing resources like storage services, applications, and cloud-based compute. AWS, GCP, Azure, and Oracle Cloud Infrastructure (OCI) are all leaders in this field, offering digital infrastructure to make your workloads highly available, secure, and scalable.
Despite CSPs’ commitment to solid security measures, the threat landscape continues to expand. Take the Toyota Motor Corporation data breach in 2023, where a cloud misconfiguration by Toyota impacted over 260,000 customers in Japan, Asia, and Oceania.
And these mistakes aren’t cheap. Public cloud data breaches incurred the highest average breach cost in 2024, to the tune of $5.17 million.
The bottom line? Choosing a CSP with strong security to minimize cloud-related risks is more important than ever.
Shared responsibility
In the shared responsibility model, CSPs handle security tasks related to the cloud itself, i.e., the underlying infrastructure, whereas the customer handles security-related chores for components within the cloud, i.e., configuring security for cloud-hosted applications and data.
How CSP and customer responsibilities are split up across different layers of the cloud stack varies according to the cloud service model:
Infrastructure as a service (IaaS) ➡️ CSP secures the infra, e.g., storage, networks, and virtual machines (VMs). Customers handle everything they install and build on the cloud infrastructure, e.g., OSes, workloads, code, containers, data, and apps. Examples: Amazon EC2, Microsoft Azure VMs, and Google Cloud Storage.
Platform as a service (PaaS) ➡️ CSP manages and secures both the infrastructure and runtime. Customers handle application-level security. Examples: AWS Elastic Beanstalk, Heroku, and OpenShift.
Software as a service (SaaS) ➡️ Here, the customer has the least responsibility. CSP handles infrastructure, network, and application security. Customers are typically responsible for managing user access, enforcing strong authentication, and ensuring data governance settings (like sharing permissions and retention policies) are configured correctly. Examples: Salesforce, Snowflake, Dropbox, and HubSpot.
Knowing what you as the customer are expected to cover helps evaluate what you need from a cloud security solution.
Next up? A thorough evaluation to choose a cloud security provider that helps you avoid misconfigurations, reduce your attack surface, and make sure you have all your compliance bases covered.
Here’s what we’ll cover:
Data center security
Compliance and certifications
Identity and access controls
API security
Data encryption
Network segmentation
Supply chain risks
Incident response
Transparency and data lifecycle
9 key areas to evaluate: CSP security checklist
We’ve prepared nine items to check off when determining which CSP may offer up the best security for your needs. Using AWS as an example, we briefly assess it for each area.
1. Physical security and data location
Data security isn’t just about digital access controls and encryption—physical security matters too.
Depending on where you do business—where your customers’ data resides—data centers need to be strategically located and kept under surveillance in a stable environment. This guarantees safety, quick recovery, and confidentiality.
Does the CSP have physical data security mechanisms and infra in place?
Access controls: 24/7 surveillance of data centers (CCTV/security guards), biometric authentication, and multi-layer security zones
Environmental controls: Fire suppression systems, humidity and temperature control mechanisms, and flood-resistant infrastructure
Redundancy and backup systems: Redundant power supplies (UPS, generators) and low-latency backup locations; the distance between primary and backup data locations can impact RPOs and RTOs
Geographically dispersed storage: For quick recovery and backup
To assess the physical security protocols of a CSP, check out their documentation. AWS gives details about the physical and environmental controls at its data centers (see above).
2. Certifications and compliance
Any CSP that wants to show they’re following best practices should be ready to demonstrate compliance and exhibit any relevant certifications.
Compliance is not a one-time thing. So check to see if the CSP performs regular compliance audits and adapts to new laws and regulations over time.
Depending on your industry and location, a CSP will have to prove adherence to specific regulations and standards:
International information security standards: ISO 27001, ISO 27002, and ISO 27017 certifications
Protection of personally identifiable information (PII): ISO 27018 certification
Security, availability, processing integrity, confidentiality, and privacy: SOC2 certification
Government laws and regulations: EU’s GDPR, California Consumer Privacy Act (CCPA)
Industry-specific regulations: HIPAA for healthcare, PCI DSS for credit card data, NIST 800-53 for federal information systems
A CSP’s website and documentation should provide a list of their certifications and compliance offerings. AWS offers support for 143 compliance certifications and security standards.
3. Identity and access management (IAM) controls
Cloud-based systems are built for global availability: anytime, anywhere access. Unfortunately, the risks of unauthorized access, credential theft, and privilege misuse are high.
Evaluating a CSP’s IAM controls tells you how much support it offers to help you securely manage users, machine identities, and applications.
Does the CSP provide the following?
Multi-factor authentication (MFA): A control that cuts the risk of privileged accounts falling victim to credential theft
Role-based access control (RBAC): Create users and roles with only the permissions necessary for their given tasks
Real-time identity monitoring and logging: Support for continuous audit logs, real-time session tracking, and anomaly detection to detect unauthorized activity or privilege escalation
Support for cloud infrastructure entitlement management (CIEM) tools: For better visibility on identities, accounts, and machines with access to your cloud resources, especially in multi-cloud environments
You should be able to easily determine a CSP’s IAM capabilities via the documentation and tooling provided. AWS has a whitepaper user guide detailing how they handle identity governance, enforce principles like least privilege, and simplify access auditing.
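As an added example that is not from the article or from AWS, here is a small Python linter run over two constructed IAM policy documents; it checks the two points above, wildcard Allow statements that break least privilege and the absence of a deny-unless-MFA guard. The policy contents, the bucket name and the lint_policy helper are all assumptions made for illustration.

```python
import json

# Constructed sample policies (not from the article or AWS docs): one over-permissive,
# one least-privilege with a deny-unless-MFA guard for everything but MFA setup.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Deny",
         "NotAction": ["iam:ListMFADevices", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    # IAM accepts a string or a list in Action/Resource; normalise to a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings (strings) for one IAM policy document given as a dict."""
    findings = []
    has_mfa_deny = False
    for i, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if effect == "Allow":
            if "*" in actions:
                findings.append(f"statement {i}: Allow with wildcard Action")
            if any(a.endswith(":*") for a in actions):
                findings.append(f"statement {i}: Allow with service-wide Action")
            if "*" in resources:
                findings.append(f"statement {i}: Allow with wildcard Resource")
        # a Deny keyed on aws:MultiFactorAuthPresent is the usual MFA guard
        if effect == "Deny" and "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {})):
            has_mfa_deny = True
    if not has_mfa_deny:
        findings.append("policy: no MFA enforcement condition found")
    return findings
```

Running lint_policy over the policies exported from your own account is a quick first pass before a CIEM tool gives you the fuller picture.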
4. API architecture
APIs are at the center of cloud services, helping manage and provision cloud resources and enabling apps to interact. Insecure APIs are an entry point for threat actors to gain unauthorized access, exfiltrate data, and attack the system.
In other words, a CSP better have API security controls to counter exploit attempts.
These API security measures are a must:
Secure API gateway: Enforcement of authentication, rate limiting, and traffic inspections to prevent unauthorized access
API logging and monitoring: Real-time monitoring and logging of API activity for threat and anomaly detection
Data encryption: Data encryption in transit (as data travels to and from the API gateway) and at rest (in cloud storage)
Authentication and authorization: Support for API keys, token-based authentication, and frameworks like OAuth 2.0 for managing access
A good starting point is to review how the CSP handles authentication, controls API traffic, and logs all related activity. AWS has a fully managed API gateway service that lets you create, publish, secure, and monitor APIs at any scale.
5. Data security and encryption practices
The ability of a CSP to encrypt, control, and monitor data access directly affects your ability to prevent data breaches, insider threats, and compliance violations.
Even when hit by a security incident, strong data protection practices will always stand in the way of attackers and protect sensitive information.
How well will the CSP protect your data?
Encryption in transit: Using mechanisms like TLS 1.2 or higher to encrypt data being transferred from one node in a network to another
Encryption at rest: Enforcing encryption standards like AES-256 to protect stored data against exfiltration or system compromise; also check whether encryption keys are customer-managed (CMK) or provider-managed (PMK), and whether bring-your-own-key (BYOK) setups are supported
End-to-end encryption: Encrypting data before transferring and keeping it in encrypted format until it’s decrypted by the recipient
Data loss prevention (DLP): Discovering and monitoring sensitive data, protecting it from unwanted (unauthorized) access or use
How do you best evaluate a CSP’s data protection practices? Take a look at how it enforces encryption at rest, in transit, and at the application level, as seen in figure 5 above.
6. Network security and segmentation in cloud environments
Strong network security protocols serve as a key line of defense against unauthorized access, lateral movement, and external threats. A CSP should be capable of providing defense in depth to protect user workloads and data integrity.
The following features are non-negotiable:
Firewall protection: Next-generation firewalls (NGFWs) capable of packet filtering, VPN awareness, and intrusion prevention
Segmentation: Support for virtual private clouds (VPC) and private subnets, as well as isolation policies to contain threats
Intrusion detection/prevention systems (IDS/IPS): Real-time threat detection within the CSP’s network and ability to actively block identified threats
Traffic segmentation across environments (e.g., production, staging, dev) and between services (e.g., microservices, data tiers) to limit lateral movement in case of breach
AWS VPC solutions create logically isolated network environments where you can configure subnets, routing policies, IP addresses, and gateways. They also support traffic mirroring to duplicate packets from network interfaces and forward them for deep-packet inspection.
AWS also offers next-generation firewall capabilities like centralized configuration, management, and auditing of firewall rules across resources and accounts.
7. Third-party risk and supply chain
Increased reliance on external vendors, open-source components, and integrated services introduces vulnerabilities into the supply chain. Given the damage caused by incidents like the SolarWinds and Codecov supply chain attacks, evaluating the CSP’s third-party risk management policies is essential.
Can the CSP demonstrate the following?
Third-party vendor assessments: Regular security audits and evaluations of the security certificates and breach history for all third-party vendors
Access controls for external vendors: Least privilege principles, granular access control, and role-based permissions for third-party tools/systems
Incident response plans for vendor breaches: Clear protocols for mitigating third-party security incidents, handling disclosure, and remediating issues
Any CSP should be transparent about its vendor assessment policies and how it governs its own supply chain ecosystem. AWS Marketplace recently introduced a vendor insights program, with security and compliance information in a dedicated dashboard, making third-party risk assessment a cinch.
8. Incident response/threat detection
Data breaches, prolonged downtimes, and heavy financial losses are inevitable results of delayed and inadequate responses to security incidents. So make sure to evaluate the threat detection and rapid incident response capabilities of a CSP to minimize potential damage.
How well will they have you covered?
Real-time monitoring: Automated anomaly detection to get ahead of any potential security threats
Threat intelligence feeds: To proactively detect cyber threats
Security information and event management (SIEM) solutions: To gather and analyze security logs for threat detection
Response time service level agreements (SLAs): A CSP’s promised response and resolution times in the event of a security incident
For total awareness of a CSP’s incident response and threat detection capabilities, check out how they monitor, log, and act on security events (figure 6).
9. Transparency/communication/data deletion process
A CSP should effectively communicate about security incidents, data handling policies, and compliance status with customers. Transparency regarding its security track record is a must to build trust.
A CSP’s trustworthiness is everything:
Security update communication: Clear communication of patches, system updates, and security advisories
Transparency portals: Real-time security dashboards with compliance status, detected threats, and response actions
Breach notification policies: Clear documented process for notifying customers about security breaches and response timelines
Data deletion policies: Data lifecycle management and secure data disposal practices to guarantee permanently deleted data is completely removed and not recoverable
CSPs provide documentation and reports on how they communicate updates, alert customers to security incidents, and manage the data life cycle. AWS maintains a high level of transparency about security incidents, availability, and known issues through the AWS bulletin page and service health dashboard. AWS also offers detailed data retention and deletion documentation when it comes to data lifecycle policies.
How Wiz CNAPP strengthens CSP security evaluation
Evaluating a CSP on paper is just the first step. Real-world risk emerges from how your environment is configured—and misconfigured. Wiz’s CNAPP provides agentless, full-stack visibility across identities, data, workloads, and configurations, helping teams continuously validate their CSP setup and adapt to evolving risk.
Wiz CNAPP combines posture management, data security, runtime protection, and workload protection to provide end-to-end cloud-native security, whether you’re onboarding AWS, GCP, OCI, or Microsoft Azure.
How does Wiz fit into the CSP evaluation and operational lifecycle?
Internal and external testing: Continuous, automated scanning across all cloud resources to identify misconfigurations, overly permissive identities, exposed secrets, and security threats. Eliminate blind spots and gain 100% visibility across networks, data, and cloud providers.
Audit and compliance reporting: Continuous automated compliance assessments against industry standard regulations like HIPAA, GDPR, SOC2, and PCI. You can even generate compliance posture reports, periodically or on-demand.
Incident detection and reporting: Real-time monitoring, context-aware risk prioritization, and actionable alerts so security teams can identify critical attack paths and remediate them before they’re exploited.
Security doesn’t stop at picking a provider. Wiz helps you stay secure long after you’ve chosen a CSP—with real-time insight into risks, misconfigurations, and compliance gaps across every cloud.
👉 Get a demo and take control of your cloud security posture.