What does this guidance do?
This guidance collection will help you determine how confident you can be that a cloud service is secure enough to handle your data.
Taken as a whole, this collection builds a framework to help you evaluate the security of any cloud service. This framework is built around 14 Cloud Security Principles.
We've also published a guide dedicated to the essential question of Separation and Cloud Security. This will help you understand how the strength of separation between tenants varies between cloud services.
The extent of your security responsibilities as a buyer of the service will vary significantly depending on the type of service involved. Your responsibilities will be largest when using Infrastructure as a Service, so we've written a specific guide, IaaS: managing your responsibilities.
Additionally, the Cloud Security Principles give Cloud Service Providers an easily consumable format in which to present the security properties of their offerings to public sector and enterprise clients.
How does this guidance work?
Trying to get a clear picture of the risks you would be taking when adopting a particular service can be difficult. To help with this, we recommend you use the Cloud Security Principles to structure your analysis. The 'Making a decision' section (below) breaks this down into an 8-step process. Following this, you'll determine which of the Principles are most relevant to your requirements, before considering whether and how cloud service providers meet them.
Importantly, the decisions you make about the use and configuration of cloud services should be part of your regular risk management process.
Who is this guidance for?
This guidance is aimed at Public Sector and Enterprise organisations.
Your Technical Capacity
Board level readers looking for a round-up can refer to the Implementing the Cloud Security Principles. The front page of this collection summarises the principles themselves. Our recommended approach to Making a decision (see below) will also be valuable.
For technical and security professionals, all sections are relevant. However, the full content of our guide to Implementing the Cloud Security Principles will be your most useful reference.
Making a decision
Working through these steps will help you to identify cloud services which are suitably secure for your intended use.
1 Know your business requirements
Understand your intended use of the cloud service. Consider issues such as availability and connectivity. Identify those risks which would be unacceptable to your organisation should they be realised, and those that would not.
2 Understand your information
Identify the information that will be processed, stored or transported by the cloud service. Understand the legal and regulatory implications. For example, if personal data is to be stored or processed, then the Data Protection Act should be considered.
3 Determine relevant security principles
You now know your business requirements, you’ve identified the risks you are/aren’t willing to take. And you have a clear picture of the information which will be exposed to the service.
With this information you should be able to determine which of the Cloud Security Principles are most relevant to your planned use of the service.
4 Understand how the principles are implemented
Find out how the cloud service claims to implement the security principles you’ve identified as relevant. Different approaches will result in different risks for you to consider. Our detailed guide to implementing the cloud security principles will help you with this.
5 Understand the level of assurance offered
Can the service provider demonstrate that the principles you identified in step 3 have been implemented correctly?
Some suppliers offer little more than promises, others provide contracts, and some engage certified, independent assessors to validate their claims. The relative merits of these levels of assurance are explored in detail here.
6 Identify additional mitigations you can apply
Consider any additional measures your organisation (as a consumer of the cloud service) can apply to help reduce risk to your applications and information.
7 Consider residual risks
Having worked through the above steps, decide whether any remaining risks are acceptable.
8 Continue to monitor and manage the risks
Once in use, periodically review whether the service still meets your business and security needs.
Further reading on risk management
For further advice on risk management please see our guide on Risk management and risk analysis in practice.