There are a number of ways to assess the security of a cloud service provider, ranging from inspecting their premises to asking if the provider has any third-party certification or accreditation to back up the service contract, so here are a few things that are vital to do:
Identify what type of cloud-based services you want:-
Really nail down the personal or business requirements – you do not want to end up getting the wrong service or paying for functionality you do not need;
Identify who your data controller is:-
Organisations or businesses that are processing personal data must identify who their data controller is. Like it or not, this is the individual who will be legally held to account for the data, even if it is in the cloud – yes, a problem shared is still your problem!
Decide what level of information assurance your data requires:-
You need to assess the impact that the loss of that data would have on your business or on the individuals concerned. That will determine the level of service required in terms of confidentiality (how much protection does the data need in transit and in storage, for instance does it always need to be encrypted?); integrity (the more integrity a cloud service has, the more confident you can be that the data will not be interfered with); and availability (how available do you want your data to be, e.g. instant access at all times?). These levels should all be stipulated very clearly in a written contract with a service level agreement.
Check where your data is being stored:-
The Data Protection Act 1998 lists trusted areas as the European Economic Area (EEA), US companies party to the Safe Harbor agreement, and countries with an “Adequacy” finding. For some of the larger cloud service suppliers who run 24/7 “follow-the-sun” operations, this could very well mean that the data is supported, and thus processed, from countries not falling into the three categories of trust outlined above, potentially putting your personal data at risk.