The 14 cloud security principles – what do they mean for you?
The NCSC (National Cyber Security Centre) published 14 cloud security principles in 2016. These principles are designed to give guidance to cloud service providers in order to protect their customers.
All 14 principles have been designed to align with ISO 27017, an internationally recognised cloud security accreditation. Many cloud service providers also adhere to the Cloud Security Alliance’s Cloud Controls Matrix (CCM), which is likewise consistent with the principles. For cloud service solutions operating in the UK, it is considered
The 14 cloud security principles
- Data in transit protection
- Asset protection and resilience
- Separation between users
- Governance framework
- Operational security
- Personnel security
- Secure development
- Supply chain security
- Secure user management
- Identity and authentication
- External interface protection
- Secure service administration
- Audit information for users
- Secure use of service
The responsibility of cloud users
While the 14 principles are primarily guidelines for cloud service providers, they do not completely ignore the role of the user. Indeed, the 14th principle is a reminder that a fully secure system requires the active efforts of its users as well as its provider.
Here is a more complete description of the 14th principle, as taken from the NCSC website:
“The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.”
The 13th principle indicates one of the ways that users can maintain the security of their cloud solution: regularly auditing who is using the service and how. However, this is not the extent of what customers can do to protect themselves.
Security will be strengthened by keeping to three guidelines:
- Choose a secure, trusted cloud service provider.
- Audit and regulate access to the cloud within your organisation or business.
- Ensure that the cloud solution is fully integrated with any existing information architectures.
Choosing a secure provider
The existing principles and accreditations can help you keep to the first guideline. You should always check that a cloud service provider is fully compliant with the NCSC’s principles and holds an accreditation such as ISO 27017 before you use its services.
There are a number of well-regarded cloud service providers out there, including Amazon Web Services (AWS) and Microsoft Azure. When Nexor is looking to recommend a trustworthy solution, we consider how open a provider is about its security measures and whether or not it submits itself to third-party audits.
Auditing and regulating user access
Any service provider that is aligned with the NCSC’s principles must be able to provide you “with the audit records needed to monitor access to your service and the data held within it.” This principle carries the implicit recommendation that users be active in monitoring their use of a cloud service.
Using the audit data provided by the provider, you can monitor your organisation’s use of the cloud and spot any issues. By taking ownership of the response to any potential threats, an organisation can uphold the 14th principle and ensure that its use of the solution promotes and supports its security. Regular monitoring will also allow you to respond quickly to any activity that warrants further investigation or action.
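As an added illustration of the kind of monitoring the 13th and 14th principles call for, the following script reviews provider audit records against an organisation's own expectations and flags entries worth a closer look. This is example code written for this page, not Nexor's or the NCSC's, and it is not tied to any real provider's log format: the record schema (one JSON object per line with `time`, `principal`, `action`, `source_ip` and `mfa` fields), the sample records, the approved-user list, the corporate IP ranges and the list of privileged actions are all constructed assumptions that would be mapped onto a real provider's audit export.

```python
"""Review cloud audit records and flag entries that warrant follow-up.

Added example (not Nexor's or the NCSC's code). It assumes a simplified,
constructed audit-record schema: one JSON object per line with the fields
``time`` (ISO 8601, UTC), ``principal``, ``action``, ``source_ip`` and
``mfa`` (bool). Real providers use their own schemas, so the field names
would need mapping before this review could run on genuine records.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records, one JSON document per line (not real data).
SAMPLE_AUDIT_LOG = """\
{"time": "2024-03-04T09:12:05Z", "principal": "alice@example.org", "action": "ConsoleLogin", "source_ip": "203.0.113.10", "mfa": true}
{"time": "2024-03-04T09:15:44Z", "principal": "alice@example.org", "action": "GetObject", "source_ip": "203.0.113.10", "mfa": true}
{"time": "2024-03-04T02:31:09Z", "principal": "bob@example.org", "action": "ConsoleLogin", "source_ip": "198.51.100.77", "mfa": false}
{"time": "2024-03-04T11:02:17Z", "principal": "contractor-old@example.org", "action": "ListBuckets", "source_ip": "203.0.113.22", "mfa": true}
{"time": "2024-03-04T14:40:00Z", "principal": "alice@example.org", "action": "PutBucketPolicy", "source_ip": "203.0.113.10", "mfa": true}
"""

# The organisation's own record of who should be using the service (constructed).
APPROVED_PRINCIPALS = {"alice@example.org", "bob@example.org"}
# Corporate egress ranges; documentation prefixes used as placeholders.
CORPORATE_NETWORKS = [ip_network("203.0.113.0/24")]
# Hours (UTC) during which routine activity is expected.
BUSINESS_HOURS = range(7, 20)
# Actions that change who can access what; always worth a human review.
PRIVILEGED_ACTIONS = {"PutBucketPolicy", "AttachUserPolicy", "CreateAccessKey"}


def parse_records(text):
    """Parse one JSON record per line, skipping blank lines; bad JSON raises."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Normalise the timestamp to a timezone-aware datetime.
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def review_record(rec):
    """Return the reasons this record warrants investigation (empty if none)."""
    reasons = []
    if rec["principal"] not in APPROVED_PRINCIPALS:
        reasons.append("principal not in approved user list")
    if rec["action"] == "ConsoleLogin" and not rec["mfa"]:
        reasons.append("console login without MFA")
    ip = ip_address(rec["source_ip"])
    if not any(ip in net for net in CORPORATE_NETWORKS):
        reasons.append("source IP outside corporate ranges")
    if rec["time"].astimezone(timezone.utc).hour not in BUSINESS_HOURS:
        reasons.append("activity outside business hours")
    if rec["action"] in PRIVILEGED_ACTIONS:
        reasons.append("privileged action")
    return reasons


def review_audit_log(text):
    """Map each flagged record, keyed by (time, principal, action), to its reasons."""
    findings = {}
    for rec in parse_records(text):
        reasons = review_record(rec)
        if reasons:
            key = (rec["time"].isoformat(), rec["principal"], rec["action"])
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (when, who, what), why in review_audit_log(SAMPLE_AUDIT_LOG).items():
        print(f"{when} {who} {what}: {'; '.join(why)}")
```

Run against the constructed records, the review flags three of the five entries: a login without MFA from an unrecognised address outside working hours, activity by a principal no longer on the approved list, and a policy change by an approved user. The first two are the "audit and regulate access" cases from the guidelines above; the third is flagged not because it is wrong but because changes to access rules are exactly what a regular review should confirm were intended.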
Robust integration with existing information architecture
This final point is most pertinent for larger organisations that have not yet switched to a cloud service provider. Larger organisations need to ensure that their information exchange remains secure throughout and after the implementation of cloud-based solutions.
Nexor’s cross-domain cloud service is one way of ensuring a smooth transition. Our approach includes deploying the cloud solution robustly, layering additional security controls as needed, enforcing strong access controls, selecting a trusted provider and closely monitoring the system’s use on an ongoing basis. Find out more on our service page.
For a more in-depth look at cloud security and Nexor’s services, download our whitepaper on the topic. If you have any further questions or concerns, get in touch. We can advise you on your situation and suggest the next steps that you should take.