Global Cloud Operating Models - How do you assess the risk?

To what extent, if any, do you consider the global operating and support models of cloud providers (SaaS, PaaS and IaaS) to be a risk to your organisation and the data you hold? How do you assess that risk?

For sure, cloud service providers are a risk to organisations that use them. Assessing this risk is done through the third-party risk management process (or service provider management process). You should maintain an inventory of service providers, classify them according to their characteristics, ensure their contracts meet your security requirements, check their certifications and accreditations like ISO 27001 and SOC2, and reassess them annually. In terms of tools to assess them, I’m aware of the use of questionnaires, service provider management as-a-service providers like CyberGRX, and security scorecard tools like Black Kite and BitSight. In general, you’ll want to focus on the smaller cloud service providers as their security processes and outcomes will likely not be as good as the giants like AWS and GCP.
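The process the answer describes (inventory, classify, check contracts and attestations, reassess annually, weight smaller providers higher) can be kept honest with a small script over the provider inventory. The following is an added illustration, not code from the poster or from any of the tools named above; the provider names, the scoring weights, the data classification scale and the 365-day review interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy parameters (constructed for this example, not from the post).
REVIEW_INTERVAL_DAYS = 365                    # "reassess them annually"
REQUIRED_ATTESTATIONS = {"ISO 27001", "SOC 2"}  # the attestations the post names
DATA_CLASS_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Provider:
    """One row of the service-provider inventory."""
    name: str
    service_model: str            # "SaaS", "PaaS" or "IaaS"
    data_classification: str      # highest class of data the provider holds
    size: str                     # "hyperscaler" or "small"
    contract_meets_requirements: bool
    attestations: frozenset       # attestations evidenced at last review
    last_assessed: date


def days_since_assessment(p: Provider, today: date) -> int:
    return (today - p.last_assessed).days


def reassessment_due(p: Provider, today: date) -> bool:
    return days_since_assessment(p, today) >= REVIEW_INTERVAL_DAYS


def missing_attestations(p: Provider) -> list:
    return sorted(REQUIRED_ATTESTATIONS - p.attestations)


def findings(p: Provider, today: date) -> list:
    """Human-readable reasons a provider needs attention."""
    out = []
    if not p.contract_meets_requirements:
        out.append("contract does not meet security requirements")
    out += [f"missing attestation: {a}" for a in missing_attestations(p)]
    if reassessment_due(p, today):
        out.append(f"reassessment overdue ({days_since_assessment(p, today)} days)")
    return out


def risk_score(p: Provider, today: date) -> int:
    """Additive score: data sensitivity, provider size, contract gaps,
    missing attestations and review staleness. Weights are assumptions."""
    score = DATA_CLASS_WEIGHT[p.data_classification]
    if p.size == "small":                  # smaller providers weighted higher, as the post suggests
        score += 2
    if not p.contract_meets_requirements:
        score += 2
    score += len(missing_attestations(p))
    if reassessment_due(p, today):
        score += 1
    return score


def review_queue(providers: list, today: date) -> list:
    """Providers ordered highest risk first, each with its score and findings."""
    ranked = sorted(providers, key=lambda p: risk_score(p, today), reverse=True)
    return [(p.name, risk_score(p, today), findings(p, today)) for p in ranked]


# Constructed sample inventory (names and dates are made up).
SAMPLE_INVENTORY = [
    Provider("hyperscale-iaas-example", "IaaS", "restricted", "hyperscaler", True,
             frozenset({"ISO 27001", "SOC 2"}), date(2024, 1, 15)),
    Provider("small-saas-example", "SaaS", "confidential", "small", False,
             frozenset({"SOC 2"}), date(2023, 3, 10)),
    Provider("small-paas-example", "PaaS", "confidential", "small", True,
             frozenset({"ISO 27001", "SOC 2"}), date(2023, 12, 1)),
]
AS_OF = date(2024, 6, 1)  # constructed review date


if __name__ == "__main__":
    for name, score, why in review_queue(SAMPLE_INVENTORY, AS_OF):
        print(f"{score:2d}  {name:25s} {'; '.join(why) or 'no findings'}")
```

The point of the script is the ordering: a small SaaS provider with a weak contract, a missing attestation and a stale review rises to the top of the queue, while a hyperscaler holding the most sensitive data but with current attestations and a recent review sits lower. Replace the constructed weights with whatever your own risk methodology prescribes.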