This week we have launched the NCSC’s updated cloud security guidance. It’s more evolution than revolution, as it collates and refreshes all of the NCSC’s existing cloud guidance (and blogs) into a single collection.
The cloud collection includes a new section on choosing the right cloud provider to suit your security needs. There are two approaches to doing this.
- Applying the 14 Cloud Security Principles. This will help you build confidence in the cloud service, the company that runs it, the way that it’s operated, and whether it gives you an effective set of security features. We recommend this approach when you are hosting ‘sensitive’ data in the cloud (such as personally identifiable, commercially sensitive and government OFFICIAL data).
- Using the Lightweight Approach to Cloud Security, which helps you identify whether a service has the most important security features that will help you defend against common attacks. This approach is suitable for smaller organisations looking to do some due diligence in their online services, as well as larger organisations that are not processing sensitive data.
Many of the cloud services used in government have produced a written response to our 14 cloud principles. These older responses are still useful, although there are some additional goals in the updated principles that are not covered. We’d expect vendors to review their responses at least every couple of years to best reflect how their evolving services address these additional goals. And of course, any new or updated responses from now on should use the latest version of the principles.
The cloud has evolved since the launch of the UK government Cloud First Policy in 2013 (which we supported in the first version of the principles). The new collection reflects these changes, whether it’s the language we use, how a service could meet our expectations, or even what we now think of as the cloud.
However, we also know that some of you use our guidance as part of your own standards or contracts. You can be reassured that we haven’t changed the structure or intent behind the 14 cloud security principles. It’s still a goal-based framework to help you determine whether a cloud service meets your security needs, with tweaks and additions through all of the principles.
Original Source: ncsc[.]gov[.]uk