What does this guidance do?
This guidance collection will help you determine how confident you can be that a cloud service is secure enough to handle your data. Taken as a whole, this collection builds a framework to help you evaluate the security of any cloud service. This framework is built around 14 Cloud Security Principles.
We've also published a guide dedicated to the essential question of Separation and Cloud Security. This will help you understand how the strength of separation between tenants varies between cloud services.
The extent of your security responsibilities as a buyer of the service will vary significantly depending on the type of service involved. Your responsibilities will be largest when using Infrastructure as a Service, so we've written a specific guide, IaaS: managing your responsibilities.
Additionally, the Cloud Security Principles give Cloud Service Providers an easily consumable format in which to present the security properties of their offerings to public sector and enterprise clients.
How does this guidance work?
Trying to get a clear picture of the risks you would be taking when adopting a particular service can be difficult. To help with this, we recommend you use the Cloud Security Principles to structure your analysis. The 'Making a decision' section (below) breaks this down into an 8-step process. Following this, you'll determine which of the Principles are most relevant to your requirements, before considering whether and how cloud service providers meet them.
Importantly, the decisions you make about the use and configuration of cloud services should be part of your regular risk management process.
Who is this guidance for?
This guidance is aimed at Public Sector and Enterprise organisations.
Your Technical Capacity
Board level readers looking for a round-up can refer to our guide to Implementing the Cloud Security Principles. The front page of this collection summarises the principles themselves. Our recommended approach to Making a decision (see below) will also be valuable.
For technical and security professionals, all sections are relevant. However, the full content of our guide to Implementing the Cloud Security Principles will be your most useful reference.
Making a decision
Working through these steps will help you to identify cloud services which are suitably secure for your intended use.
1 Know your business requirements
Understand your intended use of the cloud service. Consider issues such as availability and connectivity. Identify those risks which would be unacceptable to your organisation should they be realised, and those that would not.
2 Understand your information
Identify the information that will be processed, stored or transported by the cloud service. Understand the legal and regulatory implications. For example, if personal data is to be stored or processed, then the Data Protection Act should be considered.
3 Determine relevant security principles
You now know your business requirements, you have identified the risks you are and aren’t willing to take, and you have a clear picture of the information which will be exposed to the service.
With this information you should be able to determine which of the Cloud Security Principles are most relevant to your planned use of the service.
4 Understand how the principles are implemented
Find out how the cloud service claims to implement the security principles you’ve identified as relevant. Different approaches will result in different risks for you to consider. Our detailed guide to implementing the cloud security principles will help you with this.
5 Understand the level of assurance offered
Can the service provider demonstrate that the principles you identified in step 3 have been implemented correctly?
Some suppliers offer little more than promises, others provide contracts, and some engage certified, independent assessors to validate their claims. The relative merits of these levels of assurance are explored in detail here.
6 Identify additional mitigations you can apply
Consider any additional measures your organisation (as a consumer of the cloud service) can apply to help reduce risk to your applications and information.
7 Consider residual risks
Having worked through the above steps, decide whether any remaining risks are acceptable.
8 Continue to monitor and manage the risks
Once in use, periodically review whether the service still meets your business and security needs.
Further reading on risk management
For further advice on risk management please see our guide on Risk management and risk analysis in practice.