Cloud security

Advice to organisations considering the use of cloud-based applications and services.
Showing 1 - 25 of 34 results
Sort by: A-Z|Date
  • Becoming a CHECK provider

    Information15 Jan 2018TopicsRisk management, Network security, Cloud security
  • Using a CHECK provider

    Information15 Jan 2018TopicsRisk management, Network security, Cloud security

    Information for organisations considering using a CHECK service provider.

  • Composition of a CHECK team

    Information15 Jan 2018TopicsRisk management, Network security, Cloud security
  • CHECK provider application - company methodology

    Information15 Jan 2018TopicsRisk management, Network security, Cloud security
  • Cloud services

    NCSC IT: how the NCSC chose its cloud services

    Blog post12 Jan 2018AuthorAndrew ATopicsCloud security

    Why the NCSC spends more effort getting confidence in the security of some cloud services than in others.

  • Managing the risk of cloud-enabled products

    Guidance01 Dec 2017TopicsCloud security

    Guidance outlining the risks of locally installed products interacting with cloud services, and suggestions to help organisations manage this risk.

  • Antivirus

    Managing supply chain risk in cloud-enabled products

    Blog post01 Dec 2017AuthorIan LevyTopicsCloud security

    NCSC Technical Director Ian Levy explains why new guidance on cloud-enabled products (including AV) requires a nuanced approach.

  • Letter to permanent secretaries regarding the issue of supply chain risk in cloud-based products

    Information01 Dec 2017TopicsCloud security, The NCSC

    NCSC CEO Ciaran Martin writes to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including antivirus (AV) software.

  • CHECK Reports

    Information13 Nov 2017TopicsRisk management, Network security, Cloud security

    Details on the reports that must be submitted by CHECK service providers to the NCSC

  • CHECK provider feedback

    Information13 Nov 2017TopicsRisk management, Network security, Cloud security

    Giving customer feedback on work carried out by a CHECK service provider

  • Cloudy with a chance

    Cloudy with a chance of transparency

    Blog post23 Oct 2017AuthorAndrew ATopicsCloud security, SaaS offerings

    In part 2 of his Cloud Blog Trilogy, Andrew explains why it's better for everyone if cloud providers are willing to be open about how they run their services.

  • Cloudy tower

    Brightening the outlook for security in the cloud

    Blog post26 Sep 2017AuthorAndrew ATopicsCloud security, SaaS offerings

    The NCSC's Cloud Security Research Lead suggests some approaches to help you get confidence in cloud services.

  • Technology Leaders Network

    Debunking cloud security myths

    Blog post08 Feb 2017AuthorJon LTopicsCloud security

    What Jon got up to at the Technology Leaders Network.

  • Cloud Security Principle 7: Secure development

    Guidance22 Sep 2016TopicsCloud security

    Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

  • Cloud Security Principle 8: Supply chain security

    Guidance22 Sep 2016TopicsCloud security

    The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

  • Cloud Security Principle 9: Secure user management

    Guidance22 Sep 2016TopicsCloud security

    Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

  • Cloud Security Principle 10: Identity and authentication

    Guidance22 Sep 2016TopicsCloud security

    All access to service interfaces should be constrained to authenticated and authorised individuals.

  • Cloud Security Principle 11: External interface protection

    Guidance22 Sep 2016TopicsCloud security

    All external or less trusted interfaces of the service should be identified and appropriately defended.

  • Cloud Security Principle 12: Secure service administration

    Guidance22 Sep 2016TopicsCloud security

    Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

  • Cloud Security Principle 13: Audit information for users

    Guidance22 Sep 2016TopicsCloud security

    You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

  • Cloud Security Principle 14: Secure use of the service

    Guidance22 Sep 2016TopicsCloud security

    The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

  • Cloud Security Principle 1: Data in transit protection

    Guidance21 Sep 2016TopicsCloud security

    User data transiting networks should be adequately protected against tampering and eavesdropping. 

  • Implementing the Cloud Security Principles

    Guidance21 Sep 2016TopicsCloud security

    Details and context for the 14 Cloud Security Principles, including their goals and technical implementation

  • Cloud Security Principle 3: Separation between users

    Guidance21 Sep 2016TopicsCloud security

    A malicious or compromised user of the service should not be able to affect the service or data of another.

  • Cloud Security Principle 4: Governance framework

    Guidance21 Sep 2016TopicsCloud security

    The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.