Understanding and implementing the 14 Cloud Security Principles – Part 2: asset protection and resilience
The National Cyber Security Centre (NCSC) recently issued Cloud security guidance in relation to the 14 Cloud Security Principles.
The 14 Cloud Security Principles make up a framework that highlights essential considerations relating to key cloud security topics such as supply chain security, protection of data in transit and identity & authentication.
As a business owner, it’s important to understand each of these principles and how they affect your company when it comes to implementing a robust Cloud and data security policy.
This week we look at Principle 2: asset protection and resilience.
Asset protection and resilience
Almost every company will generate user data and rely on that data for a wide variety of business operations from HR and marketing, to accounts and business development. Data is, therefore, crucial to business success so making sure your data and the assets that store or process that data are resilient and protected against any damage, loss, seizure or tampering is imperative.
Asset protection and resilience is understandably an expansive topic. As such the NCSC has segmented it into six aspects that need to be considered in detail. We’ll take a look at each aspect:
Physical location and legal jurisdiction
There are myriad legal circumstances in which your data might be accessed without your approval. In order to fully understand these circumstances, you must first know the locations at which your data is stored, processed and managed. To put it simply, one country’s laws on data and data protection will be very different to another!
You’ll also need to learn about how data handling controls within the service you use are enforced in relation to UK legislation. If you don’t have the correct protection in place for your user data you could be at risk of legal and regulatory sanction, not to mention the potential damage that could be inflicted on your corporate reputation.
Goals
For this consideration, the NCSC states that “you should understand:
- In which countries your data will be stored, processed and managed. You should also consider how this affects your compliance with relevant legislation e.g. the Data Protection Act (DPA)
- Whether the legal jurisdiction(s) within which the service provider operates are acceptable to you”
The NCSC then outlines three different approaches to implementation for ‘unknown’ and ‘known’ locations and offers a description and specific guidance for each approach. It also provides further notes on legal jurisdiction, the DPA and use of your data.
Data centre security
Irrespective of which location your user data is stored in, your cloud service provider’s facilities must be physically protected against unauthorised access, theft, tampering or reconfiguration of systems. If the service isn’t adequately protected, your valuable user data could be disclosed to a third party, altered in some way or even lost.
Goals
For this consideration, the NCSC states that: “you should be confident that the physical security measures employed by the provider are sufficient for your intended use of the service.”
The Centre then offers three implementation approaches for data centre security split into ‘unknown’, ‘known’ controls and ‘conforms to a recognised standard’, providing a description and guidance for all three approaches.
Data at rest protection
The opposite to ‘data in transit’, ‘data at rest’ refers to inactive data that is stored physically in any digital format. To make sure that data held within the service cannot be accessed by unauthorised parties with access to infrastructure, it must be protected no matter the storage media used. Specific measures must be in place to protect that media since if it were to be discarded, stolen or lost, the data held on it would be highly vulnerable to attack and misuse.
Goals
For this consideration, the NCSC says that: “you should have sufficient confidence that storage media containing your data are protected from unauthorised access.” Encryption and/or physical security controls are two of the methods that service providers use to protect data at rest. Ask and understand what measures your provider has in place so you can assess the risk and inform your cyber security policy correctly.
Data sanitisation
Whenever you sanitise your user data, such as when migrating or re-provisioning it elsewhere, this activity should not result in unauthorised access to that data. If you don’t sanitise your data adequately, it could be retained by your service provider for many years, reused by other users of the service, or lost or disclosed on discarded, lost or stolen storage media.
Goals
For this consideration, the NCSC says that: “you should be sufficiently confident that:
- Your data is erased when resources are moved or re-provisioned, when they leave the service or when you request it to be erased
- Storage media which has held your data is sanitised or securely destroyed at the end of its life”
Speak to your service provider and ask them about their approach to data sanitisation. What assurances, if any, can they provide? The NCSC provides further details and information on three different approaches to data sanitisation and guidance for each.
Equipment disposal
The equipment that is used to deliver cloud services will have a finite life and will, inevitably, become redundant and need to be replaced over time. When its life cycle is complete, that equipment must be disposed of in such a way that it doesn’t compromise the continued security of the service or user data stored in the service.
Goals
For this consideration, the NCSC says that: “you should be sufficiently confident that:
- All equipment potentially containing your data, credentials, or configuration information for the service is identified at the end of its life (or prior to being recycled)
- Any components containing sensitive data are sanitised, removed or destroyed as appropriate
- Accounts or credentials specific to redundant equipment are revoked to reduce their value to an attacker”
Physical resilience and availability
Each cloud service will have differing levels of resilience. In the event of a failure, incident or attack, the ability of the service to operate normally will rely on its unique level of resilience. It’s important to find out what guarantees in relation to resilience, if any, your service provider has in place. If there is no specific guarantee of availability from your service provider, this could very likely impact your business if the service is unavailable for a prolonged period of time.
Goals
For this consideration, the NCSC explains that: “you should be sufficiently confident that the availability commitments of the service, including their ability to recover from outages, meets your business needs.”
You can read the NCSC’s complete set of guidance notes on asset protection and resilience here. As always, if you have any questions relating to how best to provide asset protection and resilience in your company, feel free to contact any of the team here at etiCloud.