Guidance for conducting your due diligence when outsourcing to a Cloud service provider
With flexible working now the norm – including remote working – many organisations rely on Cloud services to access confidential data.
But whenever organisations adopt such technological solutions, they must acknowledge the risks that come with them.
To name but one challenge: the Cloud inherently permits access from anywhere in the world. So, how do you restrict that access to authorised users only?
To mitigate such security risks, the NCSC (National Cyber Security Centre) established 14 Cloud security principles. These can help guide your due diligence checks when vetting your Cloud service provider.
This blog looks at those principles and explains how you can meet or check for them.
The 14 Cloud security principles
- Data in transit protection
- Asset protection and resilience
- Separation between customers
- Governance framework
- Operational security
- Personnel security
- Secure development
- Supply chain security
- Secure user management
- Identity and authentication
- External interface protection
- Secure service administration
- Audit information and alerting for customers
- Secure use of the service
1. Data in transit protection
What the NCSC says:
User data transiting networks should be adequately protected against tampering and eavesdropping.
How you can achieve it:
Encryption is a good place to start. Every mainstream Cloud service provider exposes its upload and management interfaces over TLS (Transport Layer Security); check that it enforces current versions (TLS 1.2 or later) and refuses plaintext connections, rather than merely offering TLS as an option.
Plus, large providers all support dedicated links between a consumer's on-premises data centre and their Cloud environments. If you also encrypt data on-premises, under keys that you generate and hold yourself, you can store sensitive data in the Cloud without needing to trust your Cloud provider with its contents.
However, this approach is only suitable for use cases like archiving and off-site storage, not for scenarios where you want to process the data once it's in the Cloud, because processing would require the provider to see the plaintext (or hold the key).
Also use a VPN (virtual private network) where possible, particularly when accessing your networks remotely. Routing traffic through your VPN protects it from eavesdropping and tampering on the untrusted networks between your device and the VPN endpoint; it does nothing for the traffic beyond that endpoint, so TLS is still needed end to end.
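As an added example (not from the original blog post or the NCSC guidance), the following Go program shows what "on-premises encryption using your own keys" looks like in practice. The record is sealed with AES-256-GCM before it leaves your environment, so the provider only ever stores an opaque blob; because GCM authenticates the ciphertext, any tampering with the stored blob (by the provider, or by an attacker inside its environment) is detected on decryption. The key, the sample record and the byte flip are constructed for the example; in production the key would come from your own KMS or HSM and never be uploaded.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under a customer-held key.
// The returned blob is nonce || ciphertext || tag: that blob is all the
// cloud provider ever stores, and it cannot read or process the contents.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the stored blob
// (nonce, ciphertext or tag) makes the GCM tag check fail, so tampering in
// the provider's environment is detected rather than silently accepted.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TamperDetected simulates the provider (or an attacker) flipping one bit of
// the stored blob and reports whether decryption refuses the modified data.
func TamperDetected(key, blob []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last byte of the authentication tag
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	// Constructed example key; a real one would come from an on-premises KMS/HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: payroll export, 2024-Q1")

	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes, starting %x...\n", len(blob), blob[:8])

	back, err := Decrypt(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))
	fmt.Println("tampering detected:", TamperDetected(key, blob))
}
```

The trade-off the blog describes is visible here: the provider can store, replicate and return the blob, but nothing it offers (search, analytics, indexing) can work on the contents, because only you hold the key.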
2. Asset protection and resilience
What the NCSC says:
Your data (and the assets storing or processing it) should be adequately protected.
How you can achieve it:
First, be clear on who can access your data and where your Cloud provider is physically storing it. If outside the UK, what safeguard have you put in place such that the GDPR (General Data Protection Regulation) permits you to transfer personal data to this third country?
What technical and organisational measures has your provider put in place to make sure your data is adequately protected? You need to conduct your due diligence to check that suppliers’ measures aren’t just in place, but also working effectively.
A key thing to remember with outsourcing is that although you’ve made your service provider responsible for the activity, the risks remain your problem.
3. Separation between customers
What the NCSC says:
Separation techniques ensure a customer’s service can’t access or affect the service (or data) of another.
How you can achieve it:
This principle also largely comes down to conducting your due diligence. Request or look for evidence – preferably from an external, independent assessor – that your service provider’s separation controls are effective.
This can include regular vulnerability scan and penetration test reports, an external audit report, and evidence of PCI DSS (Payment Card Industry Data Security Standard) compliance. Certifications like ISO 27001 can also add assurance.
4. Governance framework
What the NCSC says:
A governance framework is vital to coordinate and direct the management of the service.
How you can achieve it:
Start by appointing a board representative (or a person with the direct delegated authority) to take responsibility for the security of the Cloud service. This will typically be the CIO (chief information officer), CSO (chief security officer) or someone with a similar job title.
Next, they should document a framework for security governance containing policies addressing key aspects of information security.
The organisation must also implement processes to identify and ensure compliance with relevant legal and regulatory requirements.
5. Operational security
What the NCSC says:
Services must be operated and managed in a way to impede, detect or prevent attacks.
How you can achieve it:
You must consider four aspects:
- Protective monitoring – does your provider monitor its systems (that affect the service you’re using) for suspicious behaviour that can signify a cyber attack?
- Incident management – what incident response processes/measures does your provider have to ensure it can react quickly to a cyber security incident?
- Vulnerability management – does your provider apply security updates within reasonable timescales?
- Configuration and change management – are changes to the service properly tested before they’re deployed, and will your provider give you reasonable notice of changes that affect how you use its service? (Don’t end up in a CrowdStrike-like situation!)
6. Personnel security
What the NCSC says:
Audit and constrain the actions of service provider personnel.
How you can achieve it:
Again, establish exactly who has access to your data: not just which organisations, but which individuals inside those organisations.
Staff working for your service provider should have a business need for accessing your data, and the provider must control that access and conduct background checks on its staff. Screening is also a control in ISO 27001:2022 (Annex A control 6.1, 'Screening').
7. Secure development
What the NCSC says:
Cloud services should be designed, developed and deployed in a way that minimises and mitigates threats to their security.
How you can achieve it:
An ISO 27001 secure development policy helps ensure development is carried out in line with industry good practice. Evidence that the provider follows related standards and frameworks, such as ISO/IEC 27034 (application security), ISO/IEC 30111 (vulnerability handling processes) and the CSA CCM (Cloud Controls Matrix), also helps give assurance.
Ideally, you also want to see your Cloud service provider produce an audit trail, proving that it securely develops and tests its software and infrastructure.
8. Supply chain security
What the NCSC says:
Third-party supply chains should support all the security principles that the service claims to implement.
How you can achieve it:
Today’s supply chains are complex. They’re so interconnected, they’re more like supply loops than supply chains.
Your Cloud service provider will likely rely on its own suppliers – third-party products and services. Where are those third parties based and, if outside the UK, what safeguards are in place to permit those international transfers under the GDPR?
Furthermore, do those third parties offer adequate guarantees of maintaining the level of security offered by your direct service provider?
9. Secure user management
What the NCSC says:
Providers should make tools available to securely manage your use of their service.
How you can achieve it:
Make sure your Cloud service allows you to manage your user accounts in terms of identity and access control, and in a way that adheres to the principles of need-to-know and least privilege.
It should also be easy for you to remove permissions when no longer required.
10. Identity and authentication
What the NCSC says:
Access to service interfaces should be constrained to authenticated and authorised individuals.
How you can achieve it:
Again, this principle relates to access control. Your provider’s password policy should be up to date and technically enforced (where possible), and MFA (multifactor authentication) must be available.
Note: Even the Cyber Essentials scheme, which outlines just baseline security controls, requires MFA to be enabled for Cloud services.
11. External interface protection
What the NCSC says:
All external or less trusted interfaces to the service should be identified and defended.
How you can achieve it:
Internet/public-facing interfaces are inherently more susceptible to attack, so these must be robustly secured.
They should include defences against:
12. Secure service administration
What the NCSC says:
Cloud providers should recognise the high value of administration systems.
How you can achieve it:
This principle, again, comes down to access control. By ensuring secure service administration, you make the compromise of admin interfaces less likely, and make it harder for an attacker to move laterally through the provider’s systems.
Privileged and highly privileged access should be carefully managed, and detailed privileged access logs (suitable for an audit later) should be kept.
13. Audit information and alerting for customers
What the NCSC says:
Providers should supply logs needed to monitor access to your service, and the data held within it.
How you can achieve it:
If you need to investigate a (potential) incident related to the service you’re using, or the data you store on it, your provider should supply you with the audit data you’d need to properly conduct such an investigation.
Check that you can indeed request such data, how and when it’d be made available, the format of the data, and its associated retention period.
14. Secure use of the service
What the NCSC says:
Providers should make it easy for you to adequately protect your data.
How you can achieve it:
Is the Cloud service you want to use secure by design and by default? (This has links with the GDPR’s requirements for data protection by design and by default.)
This means asking questions like:
- Are the first 13 principles ‘baked’ into your Cloud service provider’s systems?
- Does your provider enable security-enhancing settings by default, rather than leaving them for you to switch on?
- Is the default to refuse access?
If your provider is making you jump through hoops to secure the data you’re storing and/or processing on its Cloud service, you may be better off finding an alternative service.
Again, outsourcing doesn’t mean you’re no longer responsible for the data, or the risks associated with processing it. It simply means you’re sharing that risk.
Whether in a general information security, GDPR or PCI DSS context, this principle remains.
Learn more about cyber security for Cloud-based services and platforms
Taking the ISO 27017 and ISO 27018 standards as your reference makes it easier to slot Cloud security into your organisation.
Since Cloud computing is technically designed and operated differently to other computing resources, ISO 27017 provides a code of practice for information security controls for Cloud services.
ISO 27018 is also a code of practice, but for protecting PII (personally identifiable information) in the Cloud as a data processor.
We first published a version of this blog in December 2021.