Due Diligence and Ongoing Monitoring

Going through vendor SOC reports, I often see the same data service providers noted as subservice organizations. These include but are not limited to Amazon Web Services, Microsoft Azure, Rackspace and Google Cloud Platform. Due to the frequency of these 4th party relationships, I was planning to obtain these SOC reports independently and perform reviews on each one for our file. I'm not quite sure that I would be able to follow up on any concerns noted, but I thought a documented review may prove useful. Is anyone else doing something similar with these large data service providers, or are there any other recommendations?

Thank you,
Matt Mauldin ARM, CRVPM II

It has been our experience that if we do not have a direct relationship with the subservice orgs you mentioned, they won't provide anything other than a SOC 3, and it's not very helpful. If you can actually get a SOC 1 or 2, go for it, but that has not been our experience. 

You can find certifications for cloud provider products in the Star Program / Registry at the Cloud Security Alliance (CSA).  The cloud providers share self assessments including controls under  STAR Level 1 and under Star Level 2 document their ISO27001:2013  certification dates and Cloud Controls Matrix verification.
https://cloudsecurityalliance.org/
  
Even if you are not a federal agency or using a federal cloud, you can also find cloud products that have been authorized at FedRAMP.gov.