What are the NCSC's 14 Cloud Security Principles?
In recent years cloud computing has become the go-to solution for organisations seeking flexible, scalable, and cost-effective IT infrastructure. However, with this increased adoption comes a growing concern for security and compliance. As companies store more and more sensitive data in the cloud, they must choose a cloud provider that adheres to the best cloud security practices and standards.
One set of guidelines featuring such practices and standards is the National Cyber Security Centre's (NCSC) 14 Cloud Security Principles. The NCSC, a UK government agency responsible for guiding cybersecurity, developed these principles to help organisations assess and manage the risks associated with cloud computing.
The 14 principles cover a range of topics, from data protection and secure development to supply chain security and incident management, and aim to ensure that cloud providers' services are secure, resilient, and compliant with relevant regulations and standards.
For this reason, cloud consumers must choose a provider that adheres to the NCSC's principles. Such a decision gives business owners peace of mind and assurance that cloud vendors handle their data securely and responsibly. Furthermore, by choosing a compliant cloud-managed services provider, customers can minimise the risk of data breaches, downtime, and other security incidents that could significantly impact their business.
The Cloud Security Landscape in the UK
According to a report published in February 2023, cloud security has emerged as the top cybersecurity risk for UK senior executives. The report is based on a comprehensive survey of business leaders from around the world and the UK, which aimed to identify major cyber security trends for the coming year. The findings revealed that 39% of UK respondents anticipate significant risks associated with cloud-based security that could affect their organisation in 2023, more than threats from other sources.
“In part, the increase in cloud-based threats is a result of some of the potential cyber risks associated with digital transformation. An overwhelming majority (90%) of UK senior executives in our survey ranked the ‘increased exposure to cyber risk due to accelerating digital transformation’ as the biggest cyber security challenge their organisation has experienced since 2020,” notes Richard Horne, cyber security chair, PwC UK.
Furthermore, the report highlights that the rapid adoption of cloud technology and the increasing complexity of cloud infrastructure have made it more challenging to manage security risks. In effect, organisations must implement comprehensive cloud security measures, including identity and access management, network security, and data encryption, to effectively protect their cloud assets.
Importance of the NCSC Principles in Cloud Security
First and foremost, the NCSC cloud security principles provide a comprehensive framework for identifying and assessing security risks and vulnerabilities associated with cloud computing. They play an important role since cloud environments can be complex and dynamic, making it challenging to understand the security landscape.
Cloud service provider (CSP) cybersecurity measures should comply with the principles so that potential risks are assessed systematically and areas needing additional security controls are identified, ensuring customers have a secure private cloud.
In addition, the NCSC cloud security principles emphasise the importance of a holistic approach to CSP cybersecurity. In particular, they require private cloud-managed service providers to consider all cloud security aspects.
These include data protection, identity and access management, network security, and incident response. Hence, complying with the approach enables players in the IT-managed services industry to integrate security in all cloud operations, from planning and deployment to ongoing maintenance and monitoring.
Moreover, the NCSC cloud security principles highlight the need for collaboration and shared responsibility between cloud service providers and their customers. Effective cloud security requires a partnership between the two parties, each taking responsibility for different aspects of cloud security. The principles also provide guidance on establishing a clear understanding of roles and responsibilities and ensuring that security is integrated into service-level agreements.
Lastly, the NCSC cloud security principles emphasise the importance of ongoing monitoring and review. Cloud environments constantly change, and new security threats and vulnerabilities can emerge quickly. Reviewing and updating cloud security measures regularly can ensure that organisations stay ahead of potential risks and that their cloud environments remain secure.
The 14 NCSC Cloud Security Principles
Data in Transit Protection
The principle requires cloud providers to use secure transport protocols, such as TLS (Transport Layer Security) or SSL (Secure Sockets Layer), to ensure that data is encrypted while in transit between different cloud service components, including between the user and the cloud provider's systems.
Cloud providers must also use strong encryption algorithms and key lengths and implement proper key management and rotation practices to protect against potential data breaches or cyberattacks during data transmission.
Data in transit protection prevents unauthorised access, interception, or modification of data as it travels across networks. It is particularly important in cloud computing, where consumers frequently transmit data between multiple systems and networks, exposing it to interception attacks. Compliant cloud providers implement robust cloud server security controls to protect against potential data breaches or cyberattacks during data transmission.
Asset Protection and Resilience
The principle focuses on providing customers with a secure private cloud and ensuring cyber resiliency in the face of potential threats. In other words, businesses must ensure that their cloud provider has effective cloud server security measures to protect their data, applications, systems, and infrastructure from unauthorised access, theft, or destruction.
They must also ensure that their cloud providers implement robust measures to increase the cyber resiliency of their assets to withstand potential disruptions or disasters.
Therefore, to comply with this principle, businesses should work with cloud providers with strong security and cyber resiliency measures, including data encryption, access controls, disaster recovery planning, and regular testing and review of security measures. Also, it is essential to understand the cloud security shared responsibility model. The customer and cloud provider must know their responsibilities in protecting cloud assets.
Separation Between Customers
Businesses must consider this principle when choosing a cloud provider. It emphasises the need for a clear separation between customers' data and resources in the cloud. In a shared infrastructure environment, multiple customers share the same underlying physical and logical infrastructure.
The principle of separation between customers aims to prevent unauthorised access to one customer's data and resources by another customer by ensuring a secure private cloud.
Compliance with this principle requires cloud providers to implement measures that logically separate customer data and isolate customer resources from each other. Such measures include:
· Virtualisation: Creates multiple virtual machines that operate independently and are isolated from each other.
· Network segmentation: Separate networks for each customer to ensure that their data is not accessible to other customers.
· Access controls: Implementing strong access controls and authentication mechanisms to provide access to customer data to authorised users only.
Governance Framework
The principle underscores the importance of having a governance framework to ensure effective cloud security management. A governance framework comprises a set of policies, procedures, and guidelines for managing cloud security. It ensures that all stakeholders, including cloud providers, customers, and third-party providers, understand their roles and responsibilities in managing cloud security.
When choosing a cloud provider, assess its governance framework to ensure it includes the following:
· Risk management: Plan to identify, assess, and manage cloud security risks.
· Compliance: The cloud provider must comply with relevant cloud security laws, regulations, and industry standards.
· Information security: Information security policies and procedures for protecting data confidentiality, integrity, and availability.
· Service management: Service management processes to ensure effective delivery of cloud services.
Make sure you understand your cloud provider’s governance framework and ascertain that it aligns with your security requirements.
Operational Security
Secure operation and management of the cloud infrastructure is crucial to detecting, impeding, and preventing attacks. The operational security principle supports this goal by requiring cloud providers to implement a combination of effective operational security measures. These include vulnerability management, threat monitoring, configuration and change management, and incident management techniques.
Your cloud service provider must have an established vulnerability management procedure to recognise, assess, and mitigate vulnerabilities in all cloud infrastructure components they provide.
In addition, the service provider should monitor sources of threat and vulnerability information and exploitation methods relevant to their cloud services. Furthermore, the service provider needs to know the assets, configurations, and dependencies that constitute their cloud services.
That way, they can recognise and manage changes that may impact the cloud service's security and mitigate existing or new vulnerabilities.
Personnel Security
The NCSC highlights the importance of ensuring the trustworthiness of cloud service provider personnel with access to an organisation's data and systems. The essence of this principle is that the risk of accidental or malicious data compromise by the service provider employees is significantly higher than other security risks. Therefore, to mitigate this risk, it is important to have a comprehensive approach in place to screen and train personnel.
Specifically, cloud service providers should conduct thorough security screening for their employees and provide regular security training. Training should include educating employees on the security responsibilities associated with specific roles and the measures taken by the organisation to screen and manage personnel in privileged positions.
Secure Development
According to the NCSC, designing and developing cloud computing services with security threats in mind is important. Secure development is crucial to detecting and preventing potential vulnerabilities that could lead to compromised data, service loss, or other malicious activities. Cloud providers can comply with this principle by establishing a secure development policy aligned with ISO 27001 to enhance cyber resiliency.
More importantly, secure development requires keeping up-to-date with emerging threats and making necessary security adjustments to cloud services to protect customers from current and emerging threats. Additionally, implementing configuration management processes can help ensure the integrity of the solution throughout development, testing, and deployment.
Supply Chain Security
The NCSC recommends that cloud service providers ascertain that their supply chain sufficiently supports all security principles they assert to have implemented. Cloud providers that rely on third-party products and services should also understand how their partners gain access to and distribute their information and how it progresses through the supply chain.
Customers should also evaluate the service provider's procurement procedures and assess the security requirements imposed on third-party suppliers.
Therefore, it’s important to scrutinise how your service provider handles third-party security risks and how it enforces the security demands for its suppliers.
Lastly, enterprises should examine how the service provider verifies the legitimacy of the hardware and software used in the service to ensure that it hasn't been tampered with.
Secure User Management
The principle requires cloud service providers to give customers the necessary tools to manage their cloud service securely. Specifically, the NCSC reiterates that it is crucial to establish secure management interfaces and protocols to prevent any unauthorised access or modifications to customer resources, applications, and data.
In this case, you must consider two important factors.
First, the cloud provider must correctly authenticate users before allowing them to perform administrative tasks, submit fault reports, or request service changes. Second, the service provider must implement access restrictions based on user roles to ensure that users do not make unauthorised changes that could negatively impact the cloud service.
The provider should implement role-based access controls within administration interfaces.
Identity and Authentication
The NCSC advises that only authorised and authenticated individuals should have access to the cloud service interfaces. Therefore, when choosing a cloud provider, ensure that the provider implements various technical identity authentication solutions.
For example, you should choose a cloud service provider that has implemented multifactor authentication to strengthen the login process. Multifactor authentication protects employee cloud accounts from adversaries looking to compromise them. An attacker still needs access to the hardware or software token, even with a correct password.
Another measure to look out for is obtaining a TLS client certificate. It provides strong cryptographic protection for data in transit. Additionally, implementing identity federation with your existing identity provider can enable smooth user authentication and authorisation across different systems, domains, and services.
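The point that a correct password alone is not enough can be shown with a software token. The following is an added example, not code from the NCSC or from this article: a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), with a one-step clock-drift window and rejection of replayed codes. The account record, password and salt are constructed; the token secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a time-step counter (HOTP truncation, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def enrol(password: str, salt: bytes, totp_secret: bytes) -> dict:
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


def login(account: dict, password: str, otp: str, now: int) -> bool:
    """Succeed only when the password AND a fresh token code are both valid."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    current = now // STEP
    matched = None
    # Accept the current step and one step either side for clock drift.
    for counter in range(max(current - 1, 0), current + 2):
        expected = totp(account["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, otp.encode()):
            matched = counter
    if not pw_ok or matched is None or matched <= account["last_counter"]:
        return False
    account["last_counter"] = matched  # a code cannot be used twice
    return True


# Constructed account; the token secret is the RFC 6238 test secret.
ACCOUNT = enrol("correct horse battery staple", b"constructed-salt",
                b"12345678901234567890")
```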
External Interface Protection
The external interface protection principle recommends that cloud providers identify and adequately protect all external and less trusted interfaces. Implementing this principle requires the provider to identify all the physical and logical interfaces through which customers access the cloud service. As a result, they can understand the potential points of attack and take appropriate measures to defend against them.
Furthermore, the provider should ensure that data transmitted through these interfaces is encrypted to prevent unauthorised interception or tampering. Choosing a cloud provider that complies with this principle ensures your cloud infrastructure is secure and resilient against potential threats.
Secure Service Administration
The NCSC warns that systems used to manage cloud services have extensive access. As a result, a security breach could lead to serious consequences, including allowing malicious actors to bypass security measures, manipulate large amounts of data, or exfiltrate it to a server under their control.
Mitigating this risk requires cloud providers to identify the service administration model the customers are using. The provider should then refer to the NCSC's website to assess the risks and implement sufficient mitigation measures.
Audit Information and Alerting for Customers
It is important to have access to audit records that allow you to monitor access to cloud services and the data they contain. Audit reports help identify and respond to inappropriate activities in record time.
The NCSC principle advises customers to determine the processes through which they receive the audit information, such as how and when the cloud security managed service provider will make the information available, the data format, and the retention period.
The principle also describes three scenarios to consider when choosing a cloud security managed service provider: the provider offers no audit information, the provider offers some information (possibly through negotiation), or the provider offers specific information. Always request complete and specific details when requesting the audit information since failure to do so could result in compliance issues and increase the risk of security incidents.
Secure Use of the Service
Improper use of cloud services and stored data could result in security incidents leading to compromise. As a result, it is important to fulfil various responsibilities to protect the data adequately.
However, your responsibilities depend on the deployment models, service features, and usage scenarios. For instance, in the case of infrastructure- and platform-as-a-service offerings, the cloud provider bears significant responsibility for security aspects such as operating system installation and configuration, application deployment, and maintenance.
Additionally, businesses should identify security requirements governing cloud services and train employees to use and manage them securely.
A Compliant Provider is Crucial to your Security
As organisations increasingly adopt cloud computing services, it is imperative to prioritise managed cloud security.
The 14 NCSC cloud security principles serve as a comprehensive guide to help companies identify and implement necessary security measures to protect their data and systems in the cloud. However, it is important to note that simply adhering to these principles is not enough. Choosing a private cloud-managed services provider fully compliant with the principles is crucial to ensuring the security and integrity of your data in the cloud. Therefore, you should thoroughly vet and select a cloud provider who can demonstrate their adherence to the 14 NCSC cloud security principles to mitigate risks associated with cloud computing effectively.
Additionally, it is important to recognise that compliance with the 14 NCSC cloud security principles is not a one-time effort but an ongoing process that requires continuous monitoring and improvement.
As threats and vulnerabilities evolve, so must the security measures the IT-managed services provider has implemented. Organisations must remain vigilant and proactive in their approach to cloud security by regularly assessing their cloud environment, identifying and mitigating potential risks, and ensuring their cloud provider stays up-to-date with the latest security standards and best practices.