Many cloud providers are cautious about how much detail they share about their internal security controls. They have concerns that their customers, competition and attackers may use that information against them. This may limit enterprise customers, allowing them to review only cloud security certifications, third-party assessments or self-assessments to evaluate cloud service provider data security qualifications.
What security-relevant information an individual cloud service decides to share is dependent on many factors. Some mature cloud services have extensive information security programs. Less mature services may still be developing their security program. Some may have an SSAE 16 (Statement on Standards for Attestation Engagements 16) — since replaced by SSAE 18 — or ISO 27018 report that was performed by a third party to audit the security controls in use.
To read the entire article, please click on https://searchcloudsecurity.techtarget.com/answer/What-are-the-best-criteria-to-use-to-evaluate-cloud-service-providers