Under current law, the data owner is responsible for any breaches that result in unauthorized disclosure of PII; this includes breaches caused by contracted parties and outsources services. The data owner is the cloud customer.

Redundancy has nothing to do with abuse of high privilege roles. All others can lead to risk of risk of
"abuse of high privilege roles" or "Cloud provider malicious insider"

OWASP is an open project and is leading industry standard for designing web applications and its security.

The key techniques to create a cloud are abstraction and orchestration. We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two techniques create all the essential characteristics we use to define something as a
"cloud."
Ref: CSA Security Guidelines V4.0

IS0 27017 provides Code of practice for information security controls based on ISO/IEC27002 for cloud services.