The 14 cloud security principles – what do they mean for you?

September 2018

The NCSC (National Cyber Security Centre) published 14 cloud security principles in 2016. These principles are designed to give guidance to cloud service providers in order to protect their customers.

In addition, all 14 principles have been made to align with ISO 27017, an internationally recognised cloud security accreditation. In addition, many cloud service providers also adhere to the Cloud Security Alliance’s Cloud Controls Matrix (CCM), which is also consistent with the principles. For cloud service solutions operating in the UK, it is considered good practice to adhere with these principles and the relevant accreditations. We have listed the principles below, as outlined by the NCSC. For more information, visit their website.

The 14 NCSC cloud security principles

  1. Data in transit protection
  2. Asset protection and resilience
  3. Separation between users
  4. Governance framework
  5. Operational security
  6. Personnel security
  7. Secure development
  8. Supply chain security
  9. Secure user management
  10. Identity and authentication
  11. External interface protection
  12. Secure service administration
  13. Audit information for users
  14. Secure use of service

The responsibility of cloud users

While the 14 principles are primarily guidelines for cloud service providers, they do not completely ignore the role of the user. Indeed, the 14th principle is a reminder that a fully secure system requires the active efforts of its users as well as its provider.

Here is a more complete description of the 14th principle, as taken from the NCSC website:

“The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.”

The 13th principle indicates one of the ways that users can maintain the security of their cloud solution: regularly auditing who is using the service and how. However, this is not the extent of what customers can do to protect themselves.

Security will be strengthened by keeping to three guidelines:

  1. Choose a secure, trusted cloud service provider.
  2. Audit and regulate access to the cloud within your organisation or business.
  3. Ensure that the cloud solution is fully integrated with any existing information architectures.

Choosing a secure provider

The existing principles and accreditations can help you keep to the first guideline. You should always check that a cloud service provider is fully-compliant with the NCSC’s principles and has an accreditation like ISO 27017 before you use their services.

There are a number of well-regarded cloud service providers out there, including Amazon Web Services (AWS) and Microsoft Azure. When Nexor is looking to recommend a trustworthy solution, we consider how open a provider is about its security measures and whether or not it submits itself to third-party audits.

Auditing and regulating user access

Any service provider that is aligned with the NCSC’s principles must be able to provide you “with the audit records needed to monitor access to your service and the data held within it.” This principle carries the implicit recommendation that users be active in monitoring their use of a cloud service.

Using data given by the provider, you can monitor your organisation’s use of the cloud and spot any issues. By taking ownership of the response to any potential threats, an organisation can uphold the 14th principle and ensure that their use of the solution promotes and supports its security. Regular monitoring will also allow you to respond quickly to any activity that warrants further investigation or action.

Robust integration with existing information architecture

This final point is most pertinent for larger organisations that have not yet switched to a cloud service provider. Larger organisations need to ensure that their information exchange remains secure throughout and after the implementation of cloud-based solutions.

Nexor’s cross-domain cloud service is one way of ensuring a smooth transition. Our approach includes deploying the cloud solution robustly, layering additional security controls as needed, strong access controls, selecting a trusted provider and ongoing close monitoring of the system’s use. Find out more on our service page.

For a more in-depth look at cloud security and Nexor’s services, download our whitepaper on the topic. If you have any further questions or concerns, get in touch. We can advise you on your situation and suggest the next steps that you should take.


Subscribe to our RSS feeds


Be the first to know about developments in secure information exchange