Cloud Security Principles

The National Cyber Security Centre (NCSC) published 14 cloud security principles in 2016. These principles are designed to give guidance to cloud service providers in order to protect their customers.

  1. Data in transit protection

    • User data that is in transit between networks should be protected against any interference.

  2. Asset protection and resilience

    • User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage, or seizure.

  3. Separation between users

    • If a user of a service is compromised by malicious software, this should not affect the service or data of another user.

  4. Governance framework

    • A Security Governance Framework should be followed by the service provider, in order to internally coordinate its management of the service.

  5. Operational security

    • In order to prevent and detect attacks, the service must be operated securely. Adequate security shouldn’t require complex or expensive processes.

  6. Personnel security

    • Service provider personnel should be thoroughly screened, followed by in-depth training to reduce the likelihood of accidental or malicious compromise.

  7. Secure development

    • Services should be designed with security in mind. Secure by Design approaches should be followed.

  8. Supply chain security

    • The service provider should ensure that their supply chain adheres to all of the same security principles.

  9. Secure user management

    • Your service provider should ensure that you have the relevant tools to securely manage the use of their services. Management interfaces prevent unauthorised access to your data, making them a vital part of the security barrier.

  10. Identity and authentication

    • Access to the service interfaces should only be granted to specific individuals, and all access should be guarded by adequate authentication measures – two party authentication if possible.

  11. External interface protection

    • Any external or less trustworthy service interfaces must be identified and defended appropriately.

  12. Secure service administration

    • If a cloud service is compromised through its administration system, important company data could be stolen or manipulated. It is vital that these services are secure.

  13. Audit information for users

    • A service provider should supply their customers with the audit records needed to monitor the service and to see who is able to access your data. This is vital as it gives you the means to identify inappropriate or malicious activity.

  14. Secure use of service

    • You have a responsibility to ensure the service is used properly, so that your data is kept safe and protected.