Executive Summary
- With the way we work forever changed, remote and cloud-based services are being used by more UK businesses every day – meaning cloud security is a much bigger concern for everyone.
- To give businesses the confidence to trust their data to cloud-based services, the government’s National Cyber Security Centre (NCSC) has put together a detailed list of guidelines for using cloud systems.
- To save you time, we’ve summarised the NCSC’s 14 Cloud Security Principles – and what they mean for businesses – in one quick-reference article.
Introduction
How many cloud services is your business using right now?
Whether it’s file storage via an app like Microsoft OneDrive, or even something more everyday like Google’s Gmail, all of these services rely on cloud-based solutions.
That means you’re essentially trusting your business data to a third-party – so how can you (and your IT support team) be sure it’s secure?
This is the rationale behind the National Cyber Security Centre’s 14 Cloud Security Principles.
While you can dig into the technical information on the NCSC website, we wanted to simplify things a bit with a high-level overview of each of the principles to help you better understand this cyber security framework.
#1: Data in transit protection
Through a combination of encryption, network protection, or both, any data which a user sends via a cloud service should be protected against potential breaches as it travels from one place to another.
#2: Asset protection and resilience
This principle is all about keeping data safe when it’s actually being stored on remote servers by the cloud service. It includes issues such as data protection at rest, local jurisdiction rules, physical protections, and more.
#3: Separation between users
Because cloud services often have thousands of users all accessing data on remote servers at the same time, this principle aims to ensure what one user does cannot affect another. For example, if a cyber attacker were to access the system, they should not be able to access or tamper with anyone else’s files.
#4: Governance framework
This principle essentially refers to the way in which the cloud service is run on a technical and logistical level. For example, the cloud service should have documented policies explaining the people responsible for managing the service and ensuring both security and compliance.
#5: Operational security
Just like any computer system, a cloud-based service should be managed in a way which actively prevents cyber security breaches and attacks – or at least protects against them. Processes should be in place to tackle, isolate, and resolve potential breaches at every level.
#6: Personnel security
The implication of cloud-based apps and services is that your data is hosted in a physically different location to your own. That means you must be sure that whoever is on-location and monitoring the servers hosting that data is vetted, trusted, and trained to a degree that they can reasonably prevent the data being compromised.
#7: Secure development
When providers are building cloud services, they should do so in a way which aligns with cyber security best practices. Ideally, the systems should be able to identify and, where possible, eliminate any potential breaches to data security.
#8: Supply chain security
Many cloud-based services today are in fact a complex daisy chain of third-party services which provide functions such as identity authentication, disaster recovery, and more. This principle aims to ensure this supply chain also abides by cyber security best practices.
#9: Secure user management
Cloud services should deliver users the ability to manage their own access to the system, including full user permissions and access management where possible. This is yet another way to protect sensitive data from prying eyes.
#10: Identity and authentication
Something of an extension of the previous principle, in addition to being able to manage users within the cloud system, the provider should also ensure that access is limited only to those who are authorised to have it.
#11: External interface protection
Depending on the cloud app or service in question, users might access it in different ways. This could include one interface for standard users and another for admins, for example. This principle aims to ensure adequate protection for each tier of access, so that highly sensitive areas are more rigorously defended.
#12: Secure service administration
Beyond the actual user interface of a cloud service is the system administration layer. It’s here where the nuts and bolts of the service reside, and, if it were compromised, a cyber attacker would be able to get around almost all of the other controls we’ve mentioned. For this reason, this principle governs the adequate security of the lowest level system administration.
#13: Audit information for users
As an end user of a cloud service, you should be able to request and view the records of access to your data at any time. A cloud product which abides by the NCSC’s principles must ensure this level of audit trail is always available.
#14: Secure use of the service
Finally, this principle covers the ‘human element’. In short, it recognises that, even with the best security in the world, it can all be defeated with a tiny bit of human error. This principle therefore recommends that all users be willing to accept the responsibility of using the cloud service safely and securely.
Need an IT support company that understands cyber security?
At Get Support, we’ve helped countless businesses make the move to a more dynamic, cloud-based working arrangement over the last few years. Plus, because our IT support experts know the true value of cyber security, we always ensure compliance to security policy best practices.
So, if you’ve been looking to toughen up your company’s defences as you move to a more cloud-based way of operating, we’d love to talk to you about how we can help. To discuss your cloud security needs today, call our IT support experts on 01865 594 000 or just fill in the form below and our team will be in touch.