Evaluating cloud provider security, privacy, and compliance

February 19, 2024 | 3 minute read
David B. Cross
SVP SaaS Security
Text Size 100%:

This blog was written with contributing guest author Nancy Kramer, senior director in the Oracle Information Security and Regulatory Compliance organization, a key partner to the SaaS Cloud Security team.

To help organizations evaluate the security, privacy, and compliance of cloud service providers, we have consolidated the most common concerns and challenges into a case study and checklist reflecting our customers’ feedback. It describes a fictional company called 123 Bank Corp, a composite representation of customers in industries, such as financial services, health care, and other regulated sectors from around the world. We hope that you recognize similarities and opportunities for your organization.

Case study: 123 Bank Corp

123 Bank Corp is a global financial services company subject to a broad range of regulations because of its industry and global footprint. Their board of directors and senior executives mandated that robust information security controls are required to protect the bank’s data as part of their financial services operations.  

The bank made a strategic decision to favor cloud applications for their IT systems to enable innovation and modernize their business processes. They needed cost-effective cloud solutions that could improve efficiency, performance, and resilience, while achieving security and compliance objectives. Business and IT teams determined that they needed the following cloud services:

  • Software-as-a-service (SaaS) applications that integrate financials and personnel management
  • Infrastructure as a service (IaaS), such as compute, database, and artificial intelligence (AI)

Cloud evaluation checklist

123 Bank Corp used a five-step checklist to guide its selection of cloud services from a security, privacy, and compliance perspective, and more. They defined multiple categories of requirements, evaluated cloud providers as companies, and then compared specific cloud services to the bank’s prerequisites.

Solution overview

Follow 123 Bank Corp through their cloud evaluation journey with this case study to learn how they used this five-step checklist for evaluating cloud providers and specific cloud services:

Short on time? Watch the How to Evaluate Cloud Providers webinar about this case study and checklist.    

Checklist breakdown

As noted in the overview, 123 Bank Corp introduced in the first blog post how the global financial services organization sought the right cloud applications and cloud infrastructure to modernize their computing workloads. The second post discussed steps 1 and 2 for identifying security, privacy, compliance, and functional requirements. The third post described how stakeholders identified and researched their top potential suppliers.  The last post details how 123 Bank Corp evaluated the specific cloud services.

More specifically, 123 Bank Corp chose to utilize the following five-step checklist for selecting cloud services:

  1. Identify security, privacy, and compliance requirements for these specific solutions
  2. Define features and functional requirements, including resilience
  3. Generate a short list of suppliers offering relevant cloud solutions 
  4. Research a short list of cloud provider companies for financials, global cloud data centers, and support
  5. Evaluate cloud services against detailed requirements for each cloud service

Lessons learned: 123 Bank Corp’s procurement journey

123 Bank Corp’s approach helped them purchase the best cloud services for their requirements. The formal process used for the evaluation of the vendors and the early identification of security and regulatory requirements also allowed the bank to effectively manage the selection process, while obtaining agreement and alignment from key stakeholders. Performing a comprehensive needs analysis in the first two steps of the checklist made supplier selection more effective because they had defined clear criteria for success.

Get started today

Your organization might find this checklist (and other supporting Oracle resources) helpful for choosing cloud services that align to your requirements for security, privacy, and compliance, as well as other factors, such as resilience, feature sets, and cost management.

For more information on how to apply this checklist to your cloud service procurement process, see the following resources:

David B. Cross

SVP SaaS Security

David is the Senior Vice President for the Oracle SaaS Cloud Security engineering and operations organization.  Previously, David was the public Cloud Security Engineering Director in the Google Security and Privacy organization and his preceding 18 years were spent with Microsoft in numerous security cloud, product and engineering leadership roles.  David holds a B.S. in Computer Information Systems as well as an MBA with a Management Information Systems concentration and is a longtime advocate of security application and technology stemming back to his US military service.

Nancy Kramer

With over 20 years of experience in managing risk, security, privacy and compliance audits relating to complex business processes and IT systems, Nancy Kramer helps define corporate information security policies and manages compliance and obligation management programs which oversee Oracle’s on-premises and cloud offerings. Nancy also provides thought leadership via engagement with industry organization such as Payment Card Industry Security Standards Council (PCI SSC).


Previous Post

How network cores deployed on OCI with F5 deliver on the promise of 5G

Himanshu Shukla | 4 min read

Next Post


Seven times in a row: Oracle named a Leader in 2024 Gartner Magic Quadrant for Integration Platform as a Service

Deepak Arora | 4 min read