Understanding and implementing the 14 Cloud Security Principles – Part 5: operational security
In our series of blog posts exploring the 14 Cloud Security Principles and the National Cyber Security Centre’s (NCSC) Cloud security guidance & advice for businesses, we’ve reached principle number 5. This specific principle covers the important topic of operational security.
Whatever service you use, it must be managed and operated securely if attacks against it are to be prevented and detected. Contrary to popular belief, operational security needn’t require complex, time-consuming or expensive processes. In fact, there are just four specific elements that you are advised to focus on:
Configuration and change management
Ensure that changes to the service are always properly tested and authorised, so that they never unexpectedly alter its security properties. You should have confidence that:
“The status, location and configuration of the service components (both hardware and software) are tracked throughout their lifetime
“Changes to the service are assessed for potential security impact. Then managed and tracked through to completion.”
Vulnerability management
Security issues in any component of the service must be identified and mitigated. Check that your service provider has a vulnerability management process in place; without one, the service will remain exposed to attacks that exploit known weaknesses. You should have confidence that:
“Potential new threats, vulnerabilities or exploitation techniques which could affect your service are assessed and corrective action is taken
“Relevant sources of information relating to threat, vulnerability and exploitation techniques are monitored by the service provider
“The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritise the implementation of mitigations.
“Using a suitable change management process, known vulnerabilities are tracked until mitigations have been deployed
“You know service provider timescales for implementing mitigations and are happy with them.”
Protective monitoring
Always put measures in place to detect attacks and unauthorised activity on the service. A service that is not effectively monitored for attack, misuse or malfunction cannot be expected to surface an attack in progress, and a compromise that goes unnoticed can prove costly for your business environment and its data. You should have confidence that:
“The service generates adequate audit events to support effective identification of suspicious activity
“These events are analysed to identify potential compromises or inappropriate use of your service
“The service provider takes prompt and appropriate action to address incidents.”
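As an added example (not part of the NCSC guidance or of this post), the following Python script runs simple detection logic over a constructed audit log. It illustrates the two monitoring points above, generating adequate audit events and analysing them for suspicious activity, and also the earlier change-management point that changes to the service should be tracked and authorised: configuration-altering events must carry an approved change reference. The event names, field layout, thresholds and the CHG-1042 change reference are assumptions for the example; real providers’ audit formats differ.

```python
"""Detection rules over a constructed cloud audit log.

Added example, not from the NCSC guidance or the etiCloud post. It assumes
a generic JSON-lines audit format with fields time, event, actor,
source_ip and detail; real provider formats differ.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events; not real log data.
AUDIT_LOG = """\
{"time": "2024-03-04T09:58:10Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "failure"}}
{"time": "2024-03-04T09:58:21Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "failure"}}
{"time": "2024-03-04T09:58:33Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "failure"}}
{"time": "2024-03-04T09:58:45Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "failure"}}
{"time": "2024-03-04T09:58:59Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "failure"}}
{"time": "2024-03-04T09:59:12Z", "event": "ConsoleLogin", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"outcome": "success"}}
{"time": "2024-03-04T10:02:00Z", "event": "AttachRolePolicy", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"policy": "AdministratorAccess", "change_ref": null}}
{"time": "2024-03-04T10:05:30Z", "event": "AuthorizeSecurityGroupIngress", "actor": "alice", "source_ip": "203.0.113.7", "detail": {"cidr": "0.0.0.0/0", "port": 22, "change_ref": null}}
{"time": "2024-03-04T11:00:00Z", "event": "AuthorizeSecurityGroupIngress", "actor": "deploy-bot", "source_ip": "10.0.0.5", "detail": {"cidr": "10.0.0.0/8", "port": 443, "change_ref": "CHG-1042"}}
"""

# Events that alter the security properties of the service and therefore
# must carry a reference to an approved change (change management).
CHANGE_EVENTS = {"AttachRolePolicy", "AuthorizeSecurityGroupIngress"}
APPROVED_CHANGES = {"CHG-1042"}   # constructed change register

FAILED_LOGIN_THRESHOLD = 5        # assumed: failures within the window
FAILED_LOGIN_WINDOW_S = 120       # assumed: sliding window in seconds


def parse_events(text):
    """Parse JSON lines into dicts with a parsed 'ts' field, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, actor, time) findings for the events, in time order."""
    findings = []
    failures = defaultdict(list)   # actor -> timestamps of recent failed logins
    for ev in events:
        name, actor, detail = ev["event"], ev["actor"], ev.get("detail") or {}
        if name == "ConsoleLogin":
            # keep only failures still inside the sliding window
            recent = [t for t in failures[actor]
                      if (ev["ts"] - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            if detail.get("outcome") == "failure":
                recent.append(ev["ts"])
                if len(recent) == FAILED_LOGIN_THRESHOLD:
                    findings.append(("login_failure_burst", actor, ev["time"]))
            elif len(recent) >= FAILED_LOGIN_THRESHOLD:
                # a success right after a burst of failures is the real alarm
                findings.append(("login_success_after_burst", actor, ev["time"]))
            failures[actor] = recent
        elif name in CHANGE_EVENTS:
            if detail.get("change_ref") not in APPROVED_CHANGES:
                findings.append(("unauthorised_change", actor, ev["time"]))
            if name == "AttachRolePolicy" and detail.get("policy") == "AdministratorAccess":
                findings.append(("admin_policy_attached", actor, ev["time"]))
            if name == "AuthorizeSecurityGroupIngress" and detail.get("cidr") == "0.0.0.0/0":
                findings.append(("ingress_open_to_internet", actor, ev["time"]))
    return findings


if __name__ == "__main__":
    for rule, actor, when in detect(parse_events(AUDIT_LOG)):
        print(f"{when} {rule:28} actor={actor}")
```

Run against the sample log, the script reports the burst of failed logins, the success that follows it, the two configuration changes made without an approved change reference, the administrator policy attachment and the ingress rule opened to the whole internet; the deploy-bot change, which carries an approved reference and opens only an internal range, produces nothing. The point for principle 5 is that none of these findings is possible unless the provider emits the underlying events and someone, you or the provider, actually analyses them.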
Incident management
Make sure that you can respond quickly to any incident that occurs and are always in a position to recover a secure, available service. Implement a pre-planned incident management process and test it regularly to ensure it is robust and fit for purpose. With such a process in place, you can minimise the impact on users of security, reliability and environmental problems with the service. You should have confidence that:
“Incident management processes are in place for the service and are actively deployed in response to security incidents
“Pre-defined processes are in place for responding to common types of incident and attack
“A defined process and contact route exists for reporting of security incidents by consumers and external entities
“Security incidents of relevance to you will be reported in acceptable timescales and formats.”
If you have any questions at all relating to operational security or any of the other Cloud Security Principles discussed so far, please don’t hesitate to contact any member of etiCloud – we’ll be only too pleased to help out.
Next up: Personnel security