Innovation and changeCloud ComputingThe 14 cloud security principles you need to know about

The 14 cloud security principles you need to know about

One of the big questions the public sector has when it comes to migrating to the cloud is how to secure data stored in the cloud. It’s often cited as a barrier to change as decision makers struggle to get to grips with the security of information.

So, to help guide you through the process, here are the 14 Cloud Security Principles and some handy hints about each one, as provided by the National Cyber Security Centre.

  1. Data in transit protection

    User data transiting networks should be adequately protected against tampering and eavesdropping.

  2. Asset protection and resilience

    User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

  3. Separation between users

    A malicious or compromised user of the service should not be able to affect the service or data of another.

  4. Governance framework

    The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

  5. Operational security

    The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

  6. Personnel security

    Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

  7. Secure development

    Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

  8. Supply chain security

    The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

  9. Secure user management

    Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

  10. Identity and authentication

    All access to service interfaces should be constrained to authenticated and authorised individuals.

  11. External interface protection

    All external or less trusted interfaces of the service should be identified and appropriately defended.

  12. Secure service administration

    Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

  13. Audit information for users

    You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

  14. Secure use of the service

    The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

Related Articles

UK Police get cloud-based crime solving analytical tools

Cloud Computing UK Police get cloud-based crime solving analytical tools

3w Jay Ashar
Artificial intelligence may well be the future, but we shouldn’t put the cart before the horse

Cloud Computing Artificial intelligence may well be the future, but we shouldn’t put the cart before the horse

2m Austin Clark
Amazon strengthens government cloud influence

Cloud Computing Amazon strengthens government cloud influence

2m Austin Clark
Microsoft aims to boost public sector cloud security through new guidance

Cloud Computing Microsoft aims to boost public sector cloud security through new guidance

2m Austin Clark
Why cloud is more difficult for local authorities

Cloud Computing Why cloud is more difficult for local authorities

3m Richard Blandford
Commissioner Dyson: It’s time to chuck out the chintz

Cloud Computing Commissioner Dyson: It’s time to chuck out the chintz

3m Austin Clark
Has cloud been a mixed blessing when it comes to collaboration?

Change Management Has cloud been a mixed blessing when it comes to collaboration?

4m Gary Flood
District Council embarks on ambitious transformation project

Cloud Computing District Council embarks on ambitious transformation project

4m Austin Clark