Hoster Audit shows me how to check the security configurations, compliance and availability of my hosting provider in a targeted manner. I define clear test criteria, request evidence and technically validate promises so that my setup runs securely, efficiently and legally compliant.
Key points
The following key points guide me through the audit in a structured way and provide clear decision-making aids.
- Security basis: encryption, DDoS, backups, isolation
- Compliance: GDPR/DSGVO, SOC 2, ISO 27001
- Availability: uptime, SLAs, scaling
- Support: response time, expertise, transparency
- Costs: fees, contracts, exit plan
I consistently activate Zero Trust, check automated patches and demand documented processes. Clear SLAs with compensation if targets are missed give me reliability in day-to-day operations. I pay attention to traceable data center locations so that I can map data protection obligations correctly. A repeatable audit cycle keeps my hosting landscape secure in the long term.
How to start the hoster audit step by step
I start with a complete inventory of my systems: services, regions, accesses, logs and protection mechanisms. I then define test targets, such as "AES-256 at rest", "TLS 1.3 in transit" and "Recovery time < 1 hour". I collect evidence such as certificates, pentest reports, change logs and architecture diagrams. I carry out load and failover tests to verify promises in practice. Finally, I document gaps, assess risks and derive specific measures with deadlines.
Check security infrastructure: Encryption, DDoS and backups
I check whether data at rest is encrypted with AES-256 and whether all connections use at least TLS 1.2, ideally TLS 1.3. I ask about DDoS protection layers, scrubbing centers and rate limiting at network and application level. I check whether backups are automated, versioned, encrypted and geographically separated. I have RTO/RPO targets defined and test a restore during live operation. Container isolation, kernel hardening and restrictive IAM policies noticeably increase security.
Clearly assess compliance: GDPR/DSGVO, SOC 2, ISO 27001
I check the validity of certificates including scope, time period, auditor and deviations identified. I ensure that GDPR obligations such as data processing agreements, TOMs, deletion periods and data subject rights are implemented in a practicable manner. I pay attention to data localization, subcontractor chains and reporting channels in the event of incidents. For industry requirements such as PCI-DSS or HIPAA, I ask for technical implementation details. For questions about data protection, I rely on the provider's clear data protection compliance documentation.
Read SLAs and availability correctly
I differentiate between hard guarantees and non-binding target values and check the measurement methods for uptime. For 99.99 % uptime, I demand defined maintenance windows, clear exclusions and concrete compensation in euros. I require response and resolution times per priority and a documented escalation path. I check multi-AZ or multi-region options and test how quickly resources grow horizontally. I don't trust any figures without transparent status pages, post-mortems and planned maintenance announcements.
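To make "99.99 % with defined maintenance windows and compensation" checkable, I translate the promise into minutes and apply the measurement rules to a real month. The following script is an added example and not part of the original article; the 30-day billing period, the outage and maintenance windows and the credit tiers are constructed assumptions, and the real contract defines each of them.

```python
from dataclasses import dataclass
from datetime import datetime

# Billing period of a 30-day month in minutes (assumed; the contract defines the real period).
PERIOD_MINUTES = 30 * 24 * 60  # 43,200


@dataclass(frozen=True)
class Window:
    """A time interval, used for both outages and announced maintenance."""
    start: datetime
    end: datetime

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def allowed_downtime_minutes(uptime_pct: float, period_minutes: int = PERIOD_MINUTES) -> float:
    """Downtime budget implied by an uptime promise over the billing period."""
    return period_minutes * (1 - uptime_pct / 100)


def overlap_minutes(a: Window, b: Window) -> float:
    """Minutes where two windows overlap (0 if they do not touch)."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return max(0.0, (end - start).total_seconds() / 60)


def measured_uptime(outages, maintenance, period_minutes=PERIOD_MINUTES):
    """Uptime the way most SLAs measure it: outage minutes inside announced
    maintenance windows are excluded. Maintenance windows are assumed not to
    overlap each other, otherwise exclusions would be counted twice."""
    counted = 0.0
    for outage in outages:
        excluded = sum(overlap_minutes(outage, m) for m in maintenance)
        counted += outage.minutes() - excluded
    return 100 * (1 - counted / period_minutes), counted


def credit_percent(measured_pct: float, tiers) -> float:
    """tiers: (uptime threshold, credit %) pairs in descending threshold order.
    The credit of the lowest threshold the measurement falls below applies."""
    credit = 0.0
    for threshold, tier_credit in tiers:
        if measured_pct < threshold:
            credit = tier_credit
    return credit


# Constructed sample month: three outages, two announced maintenance windows.
OUTAGES = [
    Window(datetime(2025, 3, 3, 2, 0), datetime(2025, 3, 3, 2, 50)),      # fully inside maintenance
    Window(datetime(2025, 3, 12, 10, 0), datetime(2025, 3, 12, 10, 20)),  # unplanned
    Window(datetime(2025, 3, 20, 23, 30), datetime(2025, 3, 21, 0, 10)),  # partly inside maintenance
]
MAINTENANCE = [
    Window(datetime(2025, 3, 3, 2, 0), datetime(2025, 3, 3, 3, 0)),
    Window(datetime(2025, 3, 21, 0, 0), datetime(2025, 3, 21, 1, 0)),
]
# Assumed credit schedule of the kind a contract would spell out.
CREDIT_TIERS = [(99.99, 10.0), (99.9, 25.0), (99.0, 100.0)]

if __name__ == "__main__":
    pct, counted = measured_uptime(OUTAGES, MAINTENANCE)
    print(f"allowed at 99.99%: {allowed_downtime_minutes(99.99):.2f} min")
    print(f"counted downtime: {counted:.0f} min -> {pct:.4f}% uptime")
    print(f"credit due: {credit_percent(pct, CREDIT_TIERS):.0f}% of monthly fee")
```

The point of the exercise: 99.99 % over a 30-day month is only 4.32 minutes, so a single unplanned 20-minute incident already breaches it, and whether the other two incidents count at all depends entirely on how the maintenance-window exclusion is worded.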
Audit checklist and evidence
A structured checklist prevents blind spots and speeds up my review. I assign a test question and expected evidence to each point so that discussions remain focused. I set minimum requirements that must not be undercut. This way, I decide not by gut feeling but on the basis of reliable criteria. The following table shows a compact extract to get you started.
| Criterion | Test question | Expected proof |
|---|---|---|
| Encryption | Which algorithms at rest/in transit? | Technical documentation, TLS scan, KMS policy |
| DDoS protection | Which network and app layers? | Architecture diagram, runbooks, drill report |
| Backups | Frequency, retention, restore duration? | Backup plan, restore protocol, RTO/RPO |
| Compliance | Valid certificates and scope of application? | SOC 2/ISO 27001, AVV, TOMs |
| SLAs | Measurement, exclusions, compensation? | Contract, service catalog, status page |
| Incident Handling | Who reports what, when, how? | IR plan, on-call, post-mortems |
| Scaling | Auto-scaling, burst limits, quotas? | Quota documentation, tests, load reports |
Zero Trust and network segmentation in hosting
I rely on minimal rights and strictly separated networks so that a compromised service does not jeopardize the entire environment. Every request must be authenticated and authorized, without blanket trust zones. I require microsegmentation, MFA for admin access and just-in-time privileges. IDS/IPS on several levels significantly improves attack detection. I compile concrete tools and procedures in Zero Trust strategies and try them out in staging.
Proactive protection: patches, pentests and detection
I demand automated patching for hypervisor, control plane, firmware and guests, including maintenance windows. The vulnerability CVE-2025-38743 in Dell iDRAC shows how quickly firmware gaps become critical (source [2]). I ask how long it takes to apply critical fixes and how the provider proactively informs customers. Regular external pentests and continuous vulnerability scans keep the risk low. Ongoing monitoring with IDS/IPS and audited playbooks ensures rapid countermeasures in an emergency.
Costs, contracts and scaling without traps
I calculate the total cost of ownership in euros: basic costs, storage, traffic, backups, DDoS, support. I look for overrun fees, expensive egress costs and less transparent "options". I have exit clauses, data return and a deletion concept confirmed in writing. Scaling must be predictable: horizontal growth in minutes, no hidden quotas at peak times. I demand price protection for 12-24 months and check whether credits are applied automatically if the SLA is not met.
Business continuity and emergency management
I call for a tested DR concept with geographically separated copies, regular restore exercises and documented RTO/RPO targets. I check redundancy across power, network, storage and control plane. I demand clear reporting chains, priorities, communication templates and responsibilities. I have real post-mortems shown to me to assess the learning culture and transparency. I don't trust resilience without drill protocols and defined escalation levels.
Practical implementation: Request tests and documents
I request technical evidence: architecture diagrams, certificates, policies, change logs, pentest reports. I simulate load peaks, quota limits, failover and restore to confirm statements. I perform a support test and measure response and resolution time at high priority. I review admin access, MFA and SSH/API rules against best practices. For the hardening concept I use suitable server hardening tips and consistently document deviations.
Identity and access management, key management and secrets
I check whether roles are modeled strictly according to the least privilege principle and whether privileged actions are logged in an audit-proof manner. Service accounts must not have permanent keys; I require short-lived tokens with a determined duration and automated rotation. For human-to-machine and machine-to-machine access, I require MFA or binding conditions (e.g. device trust, IP binding, time window).
For key management, I insist on customer-managed keys (KMS) with a separate authorization model. Optionally, I require HSM-backed root keys and documented processes for key rollover, backup and destruction. Secrets do not belong in images, repos or variable files; I require a central secret store with access audits, namespaces and dynamic credentials.
- Test questions: Who is allowed to create/rotate keys? How are lost keys handled?
- Evidence: KMS policies, rotation logs, audit reports on secrets access.
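The three IAM requirements above (MFA for humans, no permanent service keys, automated rotation) can be checked mechanically against a credential export. The script below is an added example, not code from the article; the inventory is constructed and shaped only loosely like an IAM credential report, the 90-day rotation limit is an assumed audit minimum, and the `ttl_hours` field is a constructed marker for a short-lived credential.

```python
from datetime import datetime

MAX_KEY_AGE_DAYS = 90          # assumed audit minimum for key rotation
NOW = datetime(2025, 6, 1)     # fixed reference date so the run is reproducible

# Constructed inventory shaped like a credential export from an IAM system.
# "ttl_hours" marks a short-lived credential; its absence means a permanent key.
INVENTORY = [
    {"principal": "alice", "kind": "human", "mfa": True,
     "keys": [{"id": "K1", "created": "2025-05-20", "active": True}]},
    {"principal": "bob", "kind": "human", "mfa": False, "keys": []},
    {"principal": "svc-backup", "kind": "service",
     "keys": [{"id": "K2", "created": "2024-11-01", "active": True}]},
    {"principal": "svc-deploy", "kind": "service",
     "keys": [{"id": "K3", "created": "2025-05-28", "active": True, "ttl_hours": 1}]},
    {"principal": "svc-old", "kind": "service",
     "keys": [{"id": "K4", "created": "2023-01-15", "active": False}]},
]


def key_age_days(key, now=NOW) -> int:
    """Age of a key in whole days relative to the reference date."""
    return (now - datetime.fromisoformat(key["created"])).days


def audit_credentials(inventory, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (principal, key id, finding) triples for the three checks:
    MFA on human accounts, no permanent keys on service accounts, and
    rotation of every active key within max_age_days."""
    findings = []
    for principal in inventory:
        name = principal["principal"]
        if principal["kind"] == "human" and not principal.get("mfa", False):
            findings.append((name, None, "no-mfa"))
        for key in principal["keys"]:
            if not key.get("active", False):
                continue  # a disabled key cannot be used; cleanup is a separate finding class
            if principal["kind"] == "service" and "ttl_hours" not in key:
                findings.append((name, key["id"], "permanent-key"))
            if key_age_days(key, now) > max_age_days:
                findings.append((name, key["id"], "stale-key"))
    return findings


if __name__ == "__main__":
    for principal, key_id, finding in audit_credentials(INVENTORY):
        print(f"{finding:14} {principal} {key_id or ''}")
```

Run against the sample, it reports the human account without MFA and the backup service account that still uses a permanent key created more than 200 days ago; the deploy account passes because its credential is short-lived and fresh. The same structure maps directly onto the evidence row: rotation logs feed `created`, and the KMS policy decides who may create or rotate at all.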
Logging, observability, SLOs and error budgets
I call for central log aggregation with retention periods according to risk and law. Metrics (CPU, RAM, IOPS, latency) and traces must be correlatable so that root cause analyses can be carried out quickly. I define service level objectives (e.g. 99.9 % success rate at 95th percentile latency < 200 ms) and an error budget that controls changes. Without traceable metrics sources and alarms with dedicated runbooks, observability is incomplete.
- Test questions: Which logs are mandatory? How is personal data minimized in logs?
- Evidence: Dashboard screenshots, alarm definitions, sample post-mortems.
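An SLO like "99.9 % success rate at p95 latency < 200 ms" only means something once it is computed from the real request log and turned into an error budget. The following script is an added example and not part of the article: the access-log lines are constructed inline, the line format is assumed, and treating only 5xx responses as failures (4xx being client errors) is a stated assumption that a real SLO document has to make explicit.

```python
import math
import re

# Assumed line format: "<timestamp> <method> <path> <status> <latency>ms"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)ms$")


def sample_log_lines(n=2000):
    """Constructed access-log lines. Every 25th request is slow (400 ms) and
    three requests fail with HTTP 500, so the sample breaches 99.9 % on purpose."""
    lines = []
    for i in range(n):
        status = 500 if i in (7, 900, 1500) else 200
        latency = 400 if i % 25 == 0 else 100 + i % 50
        lines.append(f"2025-06-01T10:{i // 60:02d}:{i % 60:02d}Z GET /api/orders {status} {latency}ms")
    return lines


def parse(lines):
    """Yield (status, latency_ms) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield int(m.group(4)), int(m.group(5))


def percentile(values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n) of the sorted list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def evaluate_slo(lines, success_target=99.9, p95_limit_ms=200):
    """Success is any response below 500 (assumption: 4xx are client errors and
    do not count against the service). The error budget is the number of failures
    the target tolerates over the window; consumed > 1.0 means the SLO is breached."""
    records = list(parse(lines))
    total = len(records)
    failures = sum(1 for status, _ in records if status >= 500)
    success_rate = 100 * (total - failures) / total
    p95 = percentile([latency for _, latency in records], 95)
    budget = total * (1 - success_target / 100)
    return {
        "total": total,
        "failures": failures,
        "success_rate": success_rate,
        "p95_ms": p95,
        "budget_consumed": failures / budget if budget else float("inf"),
        "availability_ok": success_rate >= success_target,
        "latency_ok": p95 < p95_limit_ms,
    }


if __name__ == "__main__":
    result = evaluate_slo(sample_log_lines())
    print(f"success {result['success_rate']:.3f}% ({result['failures']} failures of {result['total']})")
    print(f"p95 {result['p95_ms']} ms, error budget consumed {result['budget_consumed']:.0%}")
```

With 2,000 requests the budget at 99.9 % is only two failures, so three 5xx responses already consume 150 % of it while the latency objective still holds. That asymmetry is exactly why I want the budget, not just the percentage, on the dashboard: it tells me whether a release freeze is due.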
Data residency, Schrems II and transfer impact assessments
I document where data is stored primarily, secondarily and in backups. For international transfers, I require legal and technical protection measures with a robust transfer impact assessment. I check whether encryption with key sovereignty on the customer side is implemented in such a way that the provider cannot decrypt operational access without my consent. I scrutinize how support access is logged and how quickly data can be migrated or deleted in defined regions.
- Test questions: How are sub-processors integrated and audited?
- Evidence: Data flow diagrams, deletion logs, support access logs.
Mastering the supply chain and platform dependencies
I analyze the supply chain: images, package sources, CI/CD runners, plugins and marketplace components. I require signatures for container images and one SBOM per release. I assess whether third-party providers (CDN, DNS, monitoring) represent single points of failure and whether there are fallback strategies. I critically evaluate dependencies on proprietary managed services and plan alternatives.
- Test questions: How are external artifacts verified? Is there quarantine for IOC finds?
- Evidence: SBOMs, signature policies, decision logs on managed services.
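Two of the supply-chain questions above, "how are external artifacts verified?" and "is there an SBOM per release?", can be turned into a release gate. The script below is an added example and not the article's or any project's code: the artifact bytes, manifest and SBOM are constructed, the SBOM is only assumed to follow the CycloneDX JSON shape for the few fields checked, and the pinned digest is computed from the constructed bytes in place of the value a real build pipeline would record. Signature verification of images is a separate step that this example does not cover.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """An external artifact is accepted only if its digest equals the digest
    pinned in the release manifest (pinning by digest, not by tag or version)."""
    return sha256_hex(data) == pinned_sha256


REQUIRED_FIELDS = ("name", "version", "purl")


def check_sbom(sbom: dict) -> list:
    """Findings for an SBOM in CycloneDX JSON shape. Only bomFormat and a
    components list with name, version and purl are assumed to exist."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("unsupported or missing bomFormat")
    components = sbom.get("components", [])
    if not components:
        findings.append("SBOM lists no components")
    for component in components:
        label = component.get("name") or "<unnamed>"
        for field in REQUIRED_FIELDS:
            if not component.get(field):
                findings.append(f"component '{label}' missing {field}")
    return findings


def check_release(manifest: dict, downloads: dict, sboms: dict) -> list:
    """Gate a release: every artifact named in the manifest must be present,
    match its pinned digest, and come with an SBOM that passes check_sbom."""
    findings = []
    for name, meta in manifest["artifacts"].items():
        data = downloads.get(name)
        if data is None:
            findings.append(f"{name}: artifact not found")
            continue
        if not verify_artifact(data, meta["sha256"]):
            findings.append(f"{name}: digest mismatch")
        sbom = sboms.get(name)
        if sbom is None:
            findings.append(f"{name}: no SBOM for this release")
        else:
            findings.extend(f"{name}: {f}" for f in check_sbom(sbom))
    return findings


# Constructed release: the bytes stand in for a container image or tarball.
GOOD_BYTES = b"app release 1.4.2 (constructed artifact bytes)"
TAMPERED_BYTES = GOOD_BYTES + b"\x00"
# A real pipeline records the digest at build time; here it is derived from the constructed bytes.
MANIFEST = {"release": "1.4.2",
            "artifacts": {"app-1.4.2.tar.gz": {"sha256": sha256_hex(GOOD_BYTES)}}}
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "leftpad", "version": "", "purl": ""},  # incomplete entry
    ],
}

if __name__ == "__main__":
    print(check_release(MANIFEST, {"app-1.4.2.tar.gz": GOOD_BYTES}, {"app-1.4.2.tar.gz": SBOM}))
    print(check_release(MANIFEST, {"app-1.4.2.tar.gz": TAMPERED_BYTES}, {}))
```

The first run flags only the incomplete SBOM entry; the second, with one appended byte and no SBOM, fails on the digest and on the missing SBOM. An empty findings list is the condition I would wire into the pipeline as a hard gate.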
FinOps: cost controls, budgets and anomaly detection
I link resources to tags (team, project, environment) and set up budget alerts per cost center. I check whether rightsizing recommendations and reserved/committed options are used. I require daily cost reports, anomaly detection and quotas that prevent costly outliers. I evaluate pricing models for storage classes, egress and support levels and simulate worst-case scenarios.
- Audit questions: How quickly are budget overruns reported? What throttling mechanisms exist?
- Evidence: Cost dashboards, tagging standards, quota/limit documents.
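The tagging standard and the daily anomaly detection above are the two FinOps controls that can be validated from exported data alone. The following script is an added example, not code from the article; the daily cost series, the resource list and the thresholds (seven-day baseline, three standard deviations, 20 % minimum jump) are constructed assumptions that a real cost center would tune.

```python
from statistics import mean, pstdev

REQUIRED_TAGS = {"team", "project", "env"}


def untagged_resources(resources, required=REQUIRED_TAGS):
    """Map resource id -> missing tags for every resource that cannot be
    charged to a cost center because the tagging standard is not met."""
    result = {}
    for resource in resources:
        missing = required - set(resource.get("tags", {}))
        if missing:
            result[resource["id"]] = sorted(missing)
    return result


def cost_anomaly(series, baseline_days=7, sigma=3.0, min_ratio=1.2):
    """Flag the latest day if it exceeds the baseline mean by more than sigma
    standard deviations AND by more than min_ratio times the mean. The ratio
    guard keeps near-constant series (stdev close to 0) from alerting on noise.
    Returns None when there is not enough history for a baseline."""
    if len(series) < baseline_days + 1:
        return None
    baseline = series[-baseline_days - 1:-1]
    today = series[-1]
    mu, sd = mean(baseline), pstdev(baseline)
    threshold = max(mu + sigma * sd, min_ratio * mu)
    return {"today": today, "baseline_mean": mu, "threshold": threshold,
            "anomalous": today > threshold}


# Constructed daily cost reports (EUR) for two cost centers, 14 days each.
DAILY_COSTS = {
    "team-payments": [100, 102, 98, 101, 99, 100, 103, 101, 100, 99, 102, 100, 101, 260],
    "team-search":   [50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 52],
}
# Constructed resource inventory with partially missing tags.
RESOURCES = [
    {"id": "i-0a1", "tags": {"team": "payments", "project": "checkout", "env": "prod"}},
    {"id": "vol-77", "tags": {"team": "search"}},
    {"id": "db-9", "tags": {}},
]


def anomalies(daily_costs=DAILY_COSTS):
    """Cost center -> True if the latest day is anomalous (False when history is too short)."""
    out = {}
    for center, series in daily_costs.items():
        verdict = cost_anomaly(series)
        out[center] = bool(verdict and verdict["anomalous"])
    return out


if __name__ == "__main__":
    print("anomalies:", anomalies())
    print("untagged:", untagged_resources(RESOURCES))
```

The payments series jumps from about 100 EUR per day to 260 EUR and is flagged; the search series moves from 50 to 52, which is above three standard deviations of a flat baseline but below the 20 % guard, so it stays quiet. The untagged volume and database are the resources that would silently land in an "unallocated" bucket on the cost report.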
Performance and architecture validation
I measure real end-to-end latencies and IOPS under load, not just synthetic benchmarks. I observe CPU steal, NUMA effects, network jitter and storage latency spikes. I verify caching strategies, connection pools and timeouts. I demand isolated performance guarantees (e.g. dedicated IOPS) for critical workloads and check how "noisy neighbors" are detected and limited.
- Test questions: What guarantees apply to network and storage performance?
- Evidence: Load test protocols, QoS policies, architecture diagrams with bottleneck analysis.
Change and release management, IaC and policy-as-code
I check whether all infrastructure changes are made via IaC and whether there are code reviews, static analyses and drift detection. I demand "guardrails": policies that prevent risky configurations (e.g. public S3 buckets, open security groups). Blue/green or canary deployments reduce failure risks; I have rollback processes demonstrated to me. I do not accept changes without a change window, tests and approvals.
- Test questions: How is configuration drift detected? Which gates stop risky releases?
- Evidence: Pipeline definitions, policy reports, change advisory protocols.
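"Guardrails" only work if they are policy-as-code that runs against the plan before apply. The following script is an added example and not the article's or any project's code: it evaluates two of the risky configurations named above (public S3 buckets, security groups open to the world) against a constructed, simplified plan structure. The plan shape (address, type, post-apply values) is assumed and is not the full `terraform show -json` schema; the admin port list is an assumed policy choice.

```python
ADMIN_PORTS = {22, 3389}          # assumed policy: SSH and RDP are never open to the world
WORLD = {"0.0.0.0/0", "::/0"}


def rule_is_world_open(rule) -> bool:
    """True if any IPv4 or IPv6 source of an ingress rule is the whole internet."""
    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    return bool(cidrs & WORLD)


def rule_covers_port(rule, port: int) -> bool:
    if rule.get("protocol") == "-1":      # all traffic, every port
        return True
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 0)


def check_s3(resource):
    values = resource["values"]
    if values.get("acl", "private") in ("public-read", "public-read-write"):
        yield "S3-PUBLIC-ACL"


def check_security_group(resource):
    for rule in resource["values"].get("ingress", []):
        if not rule_is_world_open(rule):
            continue
        if rule.get("protocol") == "-1":
            yield "SG-ALL-TRAFFIC-WORLD"
        elif any(rule_covers_port(rule, port) for port in ADMIN_PORTS):
            yield "SG-ADMIN-PORT-WORLD"


CHECKS = {"aws_s3_bucket": check_s3, "aws_security_group": check_security_group}


def evaluate(plan):
    """Return sorted (address, rule id) pairs for every guardrail a planned resource breaks.
    An empty list is the condition the pipeline gate requires before apply."""
    violations = set()
    for resource in plan:
        check = CHECKS.get(resource["type"])
        if check:
            violations.update((resource["address"], rule_id) for rule_id in check(resource))
    return sorted(violations)


# Constructed, simplified plan: address, type and the attribute values the resource
# would have after apply. Not the real terraform show -json layout.
PLAN = [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "values": {"acl": "private"}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.legacy", "type": "aws_security_group", "values": {"ingress": [
        {"protocol": "-1", "from_port": 0, "to_port": 0, "ipv6_cidr_blocks": ["::/0"]}]}},
    {"address": "aws_security_group.db", "type": "aws_security_group", "values": {"ingress": [
        {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr_blocks": ["10.0.0.0/8"]}]}},
]

if __name__ == "__main__":
    for address, rule_id in evaluate(PLAN):
        print(f"{rule_id:22} {address}")
```

The public log bucket, the bastion with SSH open to the world and the legacy group that allows all traffic from any IPv6 address are stopped; HTTPS open to the world and an all-ports rule limited to an internal range are accepted, because the policy is about exposure, not about wide rules as such. The policy report this produces is the evidence I ask for in the row above.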
Onboarding, offboarding and operational readiness
I require a documented onboarding process: access, roles, training, emergency contacts. Offboarding must revoke access within hours, rotate keys and decouple devices. Runbooks, RACI matrices and knowledge databases increase operational maturity. I test whether new team members can work productively and securely within a day.
- Test questions: How quickly can authorizations be revoked?
- Evidence: Access lists, offboarding checklist, training plans.
Multi-cloud, portability and exit strategy
I evaluate portability: container standards, open protocols, no proprietary lock-ins for core data. I plan data extraction, format, duration and costs. For critical systems, I check standby options in a second region or cloud as well as DNS, certificate and secret failover. I request exit tests on a small scale: Export data set, import into staging of an alternative provider and check function.
- Test questions: Which data formats and tools are available for exports?
- Evidence: Migration runbooks, test logs, guaranteed deletion and return deadlines.
Recognize and consistently address red flags
I pay attention to warning signs that I don't ignore: vague answers to specific questions, missing proof, constantly postponed deadlines or "secret" runbooks. Non-transparent price components, escalating exceptions in SLAs, missing root cause analyses and creeping extensions of authorizations are stop signals for me. I adhere to escalation paths, document deviations and link contract components to measurable improvements.
- Typical red flags: unprotected management interfaces, missing restore tests, blanket "99.999 %" statements without a measurement method.
- Countermeasures: Immediate tests, additional checks, prepare a change of provider if necessary.
Brief summary: Using the audit successfully
I make well-founded decisions because I soberly check security standards, compliance and performance commitments. An annual audit cycle with clear minimum criteria keeps my hosting reliable and legally compliant. Premium providers with 99.99 % uptime, automated patches and 24/7 expert support significantly reduce my risk. I weight criteria according to business needs and plan a clean migration with test windows and rollback. This is how I secure projects, data and budget - without any nasty surprises.