The 14 Cloud Security Principles explained – IT Governance UK Blog

Cloud security is an essential part of today’s cyber security landscape. With hybrid working now the norm, many organisations are relying on Cloud services to access data from home or the office.

But whenever organisations adopt technological solutions such as this, they must acknowledge the risks that come with it. Indeed, Cloud computing can increase the risk of data breaches and regulatory non-compliance, as well as introducing other vulnerabilities.

To mitigate these risks, the NCSC (National Cyber Security Centre) created the Cloud Security Principles, which outline 14 guidelines for protecting information stored online.

In this blog, we look at those principles and explain the steps you can take to meet them.

1. Data in transit protection

What the NCSC says: User data transiting networks should be adequately protected against tampering and eavesdropping.

How you can achieve it: There are many ways you can bolster your network security, such as auditing and mapping your infrastructure to look for vulnerabilities. This might include spotting misconfigured firewalls or physical security threats.

You should also make sure firmware and software are up to date, check that default passwords have been changed and secure your physical premises.

Additionally, you should consider encrypting data or using VPNs where possible. Encryption can greatly reduce the risk of data being compromised in transit, but it will also make sharing data more complex and will require significant resources.

Meanwhile, VPNs protect remote users by extending your organisation’s private network across a public network. This enables employees to send and receive data as if their computer was directly connected to your organisation’s network.

2. Asset protection and resilience

What the NCSC says: User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

How you can achieve it: The NCSC breaks down this principle into six parts: physical location and legal jurisdiction, data centre security, data at rest protection, data sanitisation, equipment disposal, and physical resilience and availability.

Physical location and legal jurisdiction is relevant if you are subject to laws such as the GDPR (General Data Protection Regulation), which contain strict rules on data depending on its location.

To determine this, you must identify the locations at which your data is stored, processed and managed, and consider how this affects your compliance with relevant legislation.

Similarly, you should consider whether the legal jurisdiction within which the Cloud service provider operates applies to you.

Data centre security refers to the controls you have implemented to protect the physical locations in which data is stored. This should cover the threat of unauthorised access, tampering, theft and reconfiguration of systems.

Data at rest protection refers to the security of information stored in the Cloud, and data sanitation refers to the process of supplying resources, transferring them and having users return them when no longer needed.

Equipment disposal requires organisations to securely delete or discard information at the end of its lifecycle. Physical records should be shredded, while digital documents and other relevant information – such as credentials and configuring information – should be wiped from hard drives.

Finally, physical resilience and availability refers to an organisation’s ability to function in the event of failures, security incidents and cyber attacks.

3. Separation between users

What the NCSC says: A malicious or compromised user of the service should not be able to affect the service or data of another.

How you can achieve it: Factors that affect user separation include where the separation controls are implemented, who the organisation shares the service with and the level of assurance available in the implementation of separation controls.

As such, organisations must understand the types of user that they share the Cloud service with and implement appropriate tools. This might include virtualisation technologies or other software that can separate users.

Whenever organisations use such tools, they must also conduct regular penetration tests on their infrastructure and web applications to look for vulnerabilities.

4. Governance framework

What the NCSC says: The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

How you can achieve it: Organisations should begin by appointing a board representative (or a person with the direct delegated authority) to take responsibility for the security of the Cloud service. This will typically be the chief information officer, chief security officer or someone with a similar title.

Next, they should document a framework for security governance containing policies addressing key aspects of information security.

The organisation must also implement processes to identify and ensure compliance with relevant legal and regulatory requirements.

5. Operational security

What the NCSC says: The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

How you can achieve it: There are four things to consider here, the first of which is configuration and change management. This means ensuring that changes to the system have been properly tested and authorised.

The second thing to consider is vulnerability management, which involves identifying and mitigating security issues in constituent components.

Third, you must implement protective monitoring, which enables you to detect cyber attacks and unauthorised activity on the service.

Finally, you must create an incident management system to ensure that you can respond to incidents and recover a secure, available service.

6. Personnel security

What the NCSC says: Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

How you can achieve it: Service providers must conduct security screening for employees and provide regular security training.

This should include explanations of the security responsibilities associated with specific roles and the ways in which the organisation screens and manages personnel within privileged roles.

BS7858 outlines a basic standard for personnel screening, and organisations are advised to follow its guidelines.

7. Secure development

What the NCSC says: Services should be designed and developed to identify and mitigate threats to their security. Those that aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

How you can achieve it: Organisations must create an ISO 27001 secure development policy to ensure that development is carried out in line with industry good practice.

They should also regularly monitor new and evolving threats, taking appropriate steps to adjust their service accordingly.

Additionally, organisations should implement configuration management processes to guarantee the integrity of the solution through development, testing and deployment.

8. Supply chain security

What the NCSC says: The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

How you can achieve it: If your organisation relies on third-party products and services, you must understand how your information is shared with and accessible to those partners and how it flows through their supply chain.

You must also review the service provider’s procurement processes, looking at the security requirements it places on third-party suppliers. Similarly, you must understand how the service provider manages third-party security risks and the ways it enforces the security requirements of its suppliers.

Finally, you should review how the service provider verifies that hardware and software used in the service is genuine and has not been tampered with.

9. Secure user management

What the NCSC says: Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

How you can achieve it: There are two things you must address here. First, users must be properly authenticated before they are allowed to perform management activities, report faults or request changes to the service.

These changes can be performed through a service management web portal or by telephone/email.

Second, you must implement role-based access controls within management interfaces to prevent users from making unauthorised changes that could affect the service.

This step also protects management interfaces in the event that an employee’s account is compromised by criminal hackers.

10. Identity and authentication

What the NCSC says: All access to service interfaces should be constrained to authenticated and authorised individuals.

How you can achieve it: This principle requires a series of technical solutions. First, you should implement two-factor authentication to strengthen the login process.

By doing this, you protect employees’ accounts in the event that their password is compromised, because an attacker will still need the hardware or software token.

You should also obtain a TLS client certificate, which will provide strong cryptographic protection, and implement identity federation with your existing identity provider.

11. External interface protection

What the NCSC says: All external or less trusted interfaces of the service should be identified and appropriately defended.

How you can achieve it: You must first understand the physical and logical interfaces from which your information is available and how access to your data is controlled.

Once you have this information, you must implement measures to ensure that the service identifies and authenticates users to an appropriate level over those interfaces. This includes the Internet, community networks and private networks.

12. Secure service administration

What the NCSC says: Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

How you can achieve it: To begin, you must understand which service administration model is being used by.

Next, you should assess the risks associated with that administration model. The NCSC outlines those risks on its website. If you cannot determine which service administration model is used, you should refer to the risks associated with the Direct service administration approach.

13. Audit information for users

What the NCSC says: You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

How you can achieve it: This principle refers to the way in which you will receive audit information rather than what you will do with it.

As such, your requirements relate to the processes related to receiving the information. This means establishing how and when audit information will be provided, including the format of the data, and the data retention period associated with it.

The NCSC splits this into three potential scenarios: the service provider might not offer any audit information, it might provide some information (perhaps as a result of negotiation) or it might make specific information available.

For the audit information to be useful, you must insist on receiving complete, specific details. If you don’t, you will face regulatory compliance issues and could be at greater risk of security incidents.

14. Secure use of the service

What the NCSC says: The security of Cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

How you can achieve it: Your responsibilities here are subject to the deployment models you use, the features of those services and the scenario in which you intend to use the service.

For example, with infrastructure- and platform-as-a-service offerings, the organisation is responsible for significant aspects of their security, including the installation and configuration of an operating system, the deployment of applications and their maintenance.

The NCSC provides a guide for organisations configuring infrastructure-as-a-service securely.

Separately, it recommends that organisations identify the security requirements related to its use of service and educate staff on how to use and manage that service securely.

Secure your Cloud services

You can find more tips like the ones in this blog by reading Securing Cloud Services: A pragmatic guide.

This book, written by security architect Lee Newcombe, explains everything you need to know about Cloud security. It covers the key concepts of Cloud computing and the its security architectures, and then looks at the security considerations you must acknowledge.

It’s ideal for anyone looking at implementing Cloud services, whether that’s infrastructure-, platform-, software- or function-as-a-service.