9. Approved Cloud Vendors
Cloud vendors should be approved by category, Thompson said. Not all cloud vendors are created equal, and if there was ever a time when organizations could simply say no to all of them, it's long since passed, he said. Identifying those cloud vendors that enable the business but maintain sufficient security controls is a task that involves both the security operations team and management alike. Then, it's on the SOC to implement controls to block unapproved cloud vendors.