We've recently worked with a variety of teams across the public sector to help them decide whether to move the functions of their older IT systems into the cloud, or to upgrade the software and servers they're using.
It's a question being asked in organisations of all sorts of sizes - from Whitehall to individual Police Forces. The cloud option is appealing as there are often modern, user-friendly Software as a Service (SaaS) products similar to the more archaic ones that need replacing. So with the government 'Cloud First' philosophy in mind, those SaaS services are the obvious first port of call.
Security at scale
From a security perspective, using a public cloud service may offer several advantages. These are a result of a common service being provided to many customers, as is often the case with SaaS providers. If the cloud provider has made the right security investments, these advantages can include:
- All customers start with the same known-good configuration. This is determined by the service provider's security experts, who will have specialised knowledge in that particular technology (rather than each customer needing to figure it out for themselves).
- Security patches are applied really quickly and reliably by the service provider. As they’re responsible for running a well-tested set of software, they can test it once and roll it out for all of their customers at the same time. Legacy services that we run ourselves can take weeks, months or even years to patch.
- Protective monitoring that watches an entire cloud service will be tuned for that service and has the potential to spot anomalies across all the supplier's customers. These techniques augment the traditional approach of looking for general signatures of malicious activity.
- Customers' own security teams can concentrate on focused alerts provided by the cloud provider’s security team, rather than having to investigate everything themselves.
Coping with uncertainty
In the past, we have used assurance standards and schemes to formally assess products that make security claims. We describe them in the Marketplace on our website. However, certifying the security properties of a cloud service is more difficult, as the cloud regularly changes. Cloud services can also have a different set of risks to consider (compared with the old-fashioned way of building IT).
We therefore recommend you read our Cloud Security Guidance to help manage the risks. Our guidance describes some different ways you can get confidence in a supplier; the relevance of each will depend on what your cloud provider offers. The approaches we’ve tried include reviewing and understanding the following:
- Self-assessments by cloud providers (such as those from Amazon Web Services, Microsoft and Google), who have used the NCSC Cloud Security Principles as a framework to present evidence of key security controls. We’ve found that these papers helped our partners across the public sector because they focus on the most common security questions relevant to protecting government data. As we don’t independently assess products against the principles, we expect that service providers will be able to provide evidence of how they implement the principles (if they are making such a claim).
- White papers published by the cloud provider which have allowed us to work out if they go far enough to meet a project's security needs. Service providers such as Atlassian keep a portfolio of policies and white papers that can be used to assess against the Cloud Security Principles.
- Independent audits against relevant public standards can give confidence that a cloud provider is actually doing what they claim. These are most useful when they apply to specific, tangible controls (such as personnel screening and governance frameworks), rather than attempting to certify the generic concept of a cloud service 'being secure'.
- Self-assessed claims made against other frameworks (such as G Cloud 9 on the Digital Marketplace) give high-level answers to the security topics we care about. We’ve found that such answers are useful to answer some due diligence questions, and that the frameworks are most useful when supplemented with evidence backing up the answers.
- Privacy statements made by the cloud provider describing what they will do with users' data, and how they will protect it. One example is Slack describing how they handle the data in your account (including what they do to secure their service, and the cases where they might disclose data to third parties).
- Minimum expectations defined in terms and conditions can give a feel for what security characteristics to expect from a cloud provider. Note that unlike a time-bounded service contract, terms and conditions can change from time to time, and so we prefer to not entirely rely on them.
The amount of confidence you want for a particular service will depend on what data you're looking to store and process, and what you’re using the service for. Some services (such as those that process large amounts of personal data) will likely need a thorough assessment using the Cloud Principles as a framework, whereas other services can take a more lightweight, repeatable approach.
Less confidence required?
I’d also like to mention that there are cases where you might not need to get much confidence in the security of a service before using it. One of my favourite examples is where a password manager might sync passwords between a few of your devices. If a product can demonstrate that it’s encrypting your passwords well before they leave your devices (and that they don’t hold a copy of your decryption key in the cloud) then it doesn’t matter (as much) how secure the cloud part of the product is.
I’ll be following up this blog with some thoughts about how the NCSC have gone about assessing and choosing cloud providers. These will just be our ideas; in the meantime we’d love to hear in the comments below about how you’ve decided that a cloud provider is secure enough for your business data.