The 14 Cloud Security Principles released by the UK's National Cyber Security Centre (NCSC) provide guidance to organizations in the UK when evaluating cloud providers. This article focuses on the five principles that matter most from a compliance perspective, to help your business choose a suitable cloud vendor.
Principle 1: Protecting Data in Transit
Modern business IT infrastructures are complex, and data regularly moves between different systems across the network. It’s critical to protect sensitive data belonging to your customers and employees as it travels between business applications/devices and the cloud. It’s also imperative that your cloud vendor protects data in transit inside the cloud, such as when data is replicated to a different region to ensure high availability.
Some crucial things to look out for and ensure compliance in the context of data in transit are:
- Your cloud vendor enforces encryption, which prevents third parties from reading confidential data.
- Your cloud vendor uses fiber optic connections to connect data centers privately.
- The vendor uses a recent version of TLS to provide authentication, integrity, and encryption for data in transit.
Principle 2: Asset Protection and Resilience
This principle states that cloud service providers should protect your company’s data against physical tampering, loss, or damage. In the context of compliance, an important aspect of this principle is the need to know where your data is stored, processed, and managed.
Different regulations have different requirements about where protected data can be stored. For example, some regulations stipulate that data can only be transferred to companies with sufficient levels of protection in processing personal data. If your business opts for a cloud provider that doesn’t provide transparency over the location of data, you could end up unknowingly in breach of regulations.
Principle 3: Separation Between Customers
The last thing your business wants is to use a public cloud service only to find that a malicious hacker accessed your sensitive data by compromising another customer first. This type of concerning non-compliance scenario can happen when there is insufficient separation between different customers of a cloud service.
Another plausible situation is where a competitor actively seeks to exploit your data. The competitor may know that you use the same cloud service and that the vendor doesn’t adequately separate different customers.
Before choosing a service provider, due diligence is critical in terms of having confidence that your data is separated from other customers’ data. This confidence can come from a vendor that can show the results of an independent penetration test on its services. For additional confidence, it might be worth opting for one of the big names instead of choosing a new and unproven cloud service provider.
Principle 10: Identity and Authentication
Verifying users are who they say they are is essential for compliance purposes. When anyone in your business with cloud access attempts to use the cloud, there should be strong authentication and access controls in place. Look out for the following authentication features at a minimum:
- Multifactor authentication so that users of the service can’t simply log in with a username-password pair.
- The option to use private network connections to access the cloud service.
- The ability to limit the lifetime of login sessions.
- Locking or rate-limiting accounts where brute-force login attempts are detected.
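One way to turn the last two items (bounded session lifetime and lockout on brute-force attempts) into a check you can run over a vendor's exported authentication logs, as an added Python example that is not from the article or from the NCSC; the policy thresholds, the log line format and the log lines themselves are constructed assumptions for the illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values chosen for this illustration only.
MAX_FAILURES = 3                          # failures in the window that must trigger lockout
FAILURE_WINDOW = timedelta(minutes=10)
LOCKOUT_DURATION = timedelta(minutes=15)
MAX_SESSION_LIFETIME = timedelta(hours=8)

# Constructed log lines, "<ISO timestamp> <user> <event>".
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice LOGIN_FAIL
2024-03-01T09:00:05 alice LOGIN_FAIL
2024-03-01T09:00:09 alice LOGIN_FAIL
2024-03-01T09:00:20 alice LOGIN_OK
2024-03-01T08:00:00 bob LOGIN_OK
2024-03-01T17:30:00 bob ACTIVITY
"""

def parse_log(text):
    # Parse lines into (timestamp, user, event) tuples, oldest first.
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)

def audit(events):
    """Return (user, issue) pairs where the log contradicts the policy."""
    findings = []
    recent_failures = defaultdict(list)   # user -> failure times inside the window
    locked_until = {}                     # user -> when the lockout should end
    session_start = {}                    # user -> time of last successful login
    for ts, user, event in events:
        if event == "LOGIN_FAIL":
            window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT_DURATION
        elif event == "LOGIN_OK":
            # A success while the account should be locked: lockout is not enforced.
            if ts < locked_until.get(user, ts):
                findings.append((user, "login_accepted_during_lockout"))
            session_start[user] = ts
        elif event == "ACTIVITY":
            # Activity past the maximum lifetime: sessions are not being bounded.
            start = session_start.get(user)
            if start is not None and ts - start > MAX_SESSION_LIFETIME:
                findings.append((user, "session_exceeds_max_lifetime"))
    return findings
```

Running `audit(parse_log(SAMPLE_LOG))` flags alice's successful login inside the expected lockout window and bob's session still active more than eight hours after login; an empty result means the log is consistent with the policy.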
Principle 14: Secure Use of the Service by the Customer
This principle is less about the vendor and more about how your business uses any cloud service. Your chosen service provider might have a strong information security posture, but misuse of the cloud service by an employee can easily lead to data breaches and non-compliance penalties.
Human error remains a staggeringly prevalent cause of data breaches. One report found that 88 percent of data breach incidents arose from employee mistakes. To combat these risks and ensure compliance, the following practices should help:
- Shift the company culture to a security-first one with ongoing cybersecurity awareness.
- Communicate to employees that they have a responsibility to securely use cloud services.
- Educate everyone about how to safely use cloud services in a way that doesn’t compromise compliance.
- Detect cloud misconfigurations using a configuration management solution such as Tripwire’s Configuration Manager. Misconfigurations are a common cause of data breaches in the cloud.
Businesses of all sizes need to comply with a growing number of regulations implemented to protect sensitive digital information. If you’re planning on a cloud move, carefully consider the NCSC cloud security principles to ensure protection against the high penalties associated with compliance breaches.
The original post "Top 5 NCSC Cloud Security Principles for Compliance" was written by Ronan Mahony for Tripwire.