Transparency and Continuous Monitoring
Every cloud service is run by human beings, regardless of the level of automation, and humans make mistakes. Some of those mistakes will violate a compliance requirement or open up a vulnerability or attack vector. If your provider audits for compliance only once a year, a misconfiguration introduced the day after an audit can go unnoticed for most of a year, which is a substantial risk. That risk is best addressed with continuous monitoring. NIST SP 800-137 defines information security continuous monitoring (ISCM) as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Continuous monitoring tools detect, in near real time, changes to the environment that introduce a threat or violate a compliance standard, rather than waiting for the next scheduled audit to surface them. Ask your vendor(s) what tools they use for continuous monitoring, what their policies are for notifying customers of noncompliance events and incidents, and how quickly that notification happens. Also ask whether they offer compliance monitoring for your own VMs and data, not just the underlying infrastructure: under the shared-responsibility model the provider's monitoring usually stops at the boundary of what the provider operates, and anything you deploy on top of it is yours to watch.
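To make the "detect violating changes in near real time" idea concrete, the following is an added example (not code from the original text or from any vendor tool) of the core of a continuous-monitoring check: it compares a fresh snapshot of resource configuration against the previous known-good one, evaluates every resource against a small set of compliance rules, and reports only what changed and which violations are new or resolved. The resource shapes, the rule identifiers (STOR-1, NET-1, CRYPT-1) and both snapshots are constructed for illustration; a real deployment would build the snapshots from the provider's configuration API or change-event stream and run this on every change event or on a short timer.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed resource shape for this example: {"id": str, "type": str, ...attributes}
Resource = dict


@dataclass(frozen=True, order=True)
class Finding:
    resource: str
    rule: str
    detail: str


# Compliance rules (hypothetical identifiers chosen for this example).
# Each maps a rule id to (description, predicate returning True when compliant).
RULES: dict[str, tuple[str, Callable[[Resource], bool]]] = {
    "STOR-1": (
        "object storage must not be publicly readable",
        lambda r: r["type"] != "bucket" or not r.get("public", False),
    ),
    "NET-1": (
        "no inbound 0.0.0.0/0 on admin ports 22 or 3389",
        lambda r: r["type"] != "security_group" or not any(
            rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389)
            for rule in r.get("inbound", [])
        ),
    ),
    "CRYPT-1": (
        "block storage must be encrypted at rest",
        lambda r: r["type"] != "disk" or r.get("encrypted", False),
    ),
}


def evaluate(snapshot: list[Resource]) -> set[Finding]:
    """Run every rule over every resource and return the set of violations."""
    findings = set()
    for r in snapshot:
        for rule_id, (desc, is_compliant) in RULES.items():
            if not is_compliant(r):
                findings.add(Finding(r["id"], rule_id, desc))
    return findings


def diff_snapshots(previous: list[Resource], current: list[Resource]) -> dict[str, list[str]]:
    """Describe what changed between two snapshots, keyed by resource id."""
    prev = {r["id"]: r for r in previous}
    curr = {r["id"]: r for r in current}
    return {
        "added": sorted(curr.keys() - prev.keys()),
        "removed": sorted(prev.keys() - curr.keys()),
        "modified": sorted(i for i in prev.keys() & curr.keys() if prev[i] != curr[i]),
    }


def monitor_cycle(previous: list[Resource], current: list[Resource]) -> dict:
    """One monitoring cycle: what changed, which violations are new, which were fixed.
    Reporting the delta (not the whole state) is what keeps the alert volume usable."""
    before, after = evaluate(previous), evaluate(current)
    return {
        "changes": diff_snapshots(previous, current),
        "new_findings": sorted(after - before),
        "resolved": sorted(before - after),
    }


# Constructed baseline: a compliant environment as of the last check.
BASELINE = [
    {"id": "bucket-logs", "type": "bucket", "public": False},
    {"id": "sg-web", "type": "security_group",
     "inbound": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "disk-db", "type": "disk", "encrypted": True},
]

# Constructed later snapshot: an operator opened SSH to the world and made the
# log bucket public "for a quick debugging session" and forgot to revert.
DRIFTED = [
    {"id": "bucket-logs", "type": "bucket", "public": True},
    {"id": "sg-web", "type": "security_group",
     "inbound": [{"cidr": "0.0.0.0/0", "port": 443},
                 {"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "disk-db", "type": "disk", "encrypted": True},
]

if __name__ == "__main__":
    report = monitor_cycle(BASELINE, DRIFTED)
    print("changed:", report["changes"])
    for f in report["new_findings"]:
        print(f"NEW VIOLATION {f.rule} on {f.resource}: {f.detail}")
    for f in report["resolved"]:
        print(f"resolved {f.rule} on {f.resource}")
```

Running it reports that bucket-logs and sg-web were modified and that two new violations appeared (STOR-1 on the bucket, NET-1 on the security group), while the unchanged encrypted disk produces nothing. Running the cycle in the other direction (drifted state first, baseline second) lists the same two findings as resolved, which is the signal you would want the vendor's notification policy to cover as well. The same structure applies to your own VMs and data: if the provider's monitoring stops at the infrastructure boundary, this is the kind of check you run on the layers above it.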