Cloud Security Guidance – Recommended objectives and guidelines

Cloud adoption has been growing rapidly in recent years due to key benefits such as cost savings, scalability, security, ease of deployment. However, cloud adoption growth also brings about its own set of challenges like data privacy and security.

Since 2010, the International Telecommunication Union (ITU) has been undertaking many initiatives around the standardization of cloud services by developing the technology vocabulary, reference architecture, information security controls, and end-to-end resource management. A great deal of emphasis has been placed on how the data is stored on the cloud and how it is handled by the cloud service providers.

Cloud services have been subjected to rigorous data privacy laws such as the ‘CLOUD Act’ of the US government, the United Kingdom’s ”Data Protection Act,’ the European Union’s General Data Protection Regulation (GDPR), the ‘Australia Privacy Act,’ and Saudi Arabia’s NDMO National Data Governance Interim Regulation.

The UK’s National Cyber Security Center (NCSC) recently released Cloud Security Guidance that covers 14 cloud objectives, such as:

  1. Data in-transit protection. User data transiting networks should be sufficiently protected against tampering and wiretapping.
  2. Asset protection and resilience. User data, the underlined assets storing or processing it, should be protected against physical tampering, loss, or damage.
  3. Separation between users. A malicious or compromised user of a service should not affect the services or another user.
  4. Governance framework. The service provider should have a security governance framework that coordinates and directs the management of its services and information on its assets.
  5. Operational security. The service needs to be operated and managed securely to obstruct, detect or prevent attacks. Simultaneously, good operational security should not require complex, bureaucratic, time-consuming, or expensive processes.
  6. Personnel security. Wherever a service provider’s staff has access to personal data, they should be trained to treat such data with a high degree of confidence and trustworthiness. Regular screening, adequate training of sta reduces the likelihood of accidental or malicious compromise of personal data.
  7. Secure development. Services should be designed and developed to identify and mitigate security threats. The areas that may not seem obvious sources of vulnerabilities may end up creating security issues that could compromise user data, disrupt service, or even enable malicious activity.
  8. Supply chain security. The service provider should ensure that their supply chain sufficiently supports the service promises to fulfill the security principles.
  9. Secure user management. A service provider should make the necessary tools available to the users to securely avail the services. Management interfaces and procedures are an essential part of the security barrier, preventing unauthorized access and altering resources, applications, and data.
  10. Identity and authentication. Access to service interfaces should be limited to authenticated and authorized users only.
  11. External interface protection. All external or less trusted interfaces of the service should be identified and properly guarded.
  12. Secure service administration. Systems used for service administration should provide very highly privileged access as their compromise would significantly impact businesses.
  13. Audit information for users. Users should be provided with audit records needed to monitor user service access and the data held in it. The type of audit information available to users will allow them to detect and respond to inappropriate or malicious activity within a reasonable timeframe.
  14. Secure use of the service. The security of cloud services and the data held within them can be undermined if the user uses services poorly. Thus, users should have certain responsibilities when handling data to ensure it is adequately protected.

NCSC’s Cloud Security Guidance also explains the guidelines on identifying cloud services that are suitably secure for a given purpose of use and how to configure, deploy, and use cloud services securely. The following steps are suggested to help cloud users make the right decisions to identify a secure cloud environment.

  • Understand business requirements. Cloud users should understand the purpose of using cloud services. They should consider availability and connectivity and clearly identify the risks that would be unacceptable to the businesses.
  • Understand information. Users should identify the types of information that would be processed, stored, or circulated using the cloud service and understand the legal and regulatory implications. For example, if personal data is to be stored or processed, the Data Protection Act will come into play.
  • Determine relevant security principles. The previous steps give the user a clear picture of how to determine which of the Cloud Security Principles are most relevant.
  • Understand how the principles are implemented. The user should evaluate cloud service claims to implement the security principles they have identified as relevant since different approaches will result in different risks.
  • Understand the level of assurance offered. To check with the service provider, they could demonstrate the principles identified from step three have been implemented correctly. In this regard, users can have the service providers provide contracts or engage certified and independent assessors to validate their claims.
  • Identify additional mitigations that can be applied. Users should think of any additional measures their organization can apply to reduce the risk associated with applications and information.
  • Consider residual risks. Having worked through the above steps, the user will be able to decide if any remaining risks are acceptable.
  • Continue to monitor and manage the risks. Once in use, users should periodically review whether the service still meets their business and security requirements.