The UK’s cyber security body, the National Cyber Security Centre (NCSC) has released a new version of their cloud guidance for British business and organisations planning to migrate to the cloud.
The refreshed cloud guidance has been brought right up to date and is designed to provide relevant information for decision makers planning to move to the cloud.
The NCSC released the update on day 1 of the CyberUK22 conference in Wales.
The guidance is 10 years old now. While it has been regularly updated in that time, it has been refined even further in this version.
Rather than sticking to the 14 principles approach of the old version, this new guidance offers two approaches. The 14 principle method like before and the ‘Lightweight Approach to Cloud Security’.
The intent is to open up the guidance to businesses of all shapes and sizes to inform as many as possible.
“The cloud plays an increasingly vital role in the functioning of online services across the UK, and this trend will continue into the future,” said Paul Maddinson, director of national resilience and strategy at the NCSC.
“Our refreshed Cloud Security Guidance has the philosophy of security by design at its heart, meaning that organisations can have confidence when choosing a provider. I’d strongly encourage network defenders at organisations of all sizes to make use of the actionable advice set out in our refreshed Cloud Security Guidance.”
NCSC cloud security guidance
At its core, the cloud security guidance is designed to help decision makers understand the technology available and the various models they use to operate.
The guidance includes:
- Information on examining the security risks in different types of cloud models, like SaaS, IaaS and others.
- Recommending vendors known to offer the assistance business needs to make informed decisions and transition safely.
- Highlighting the secure nature of cloud services when provided by responsible vendors.
- Encouraging users to delegate as much as possible to vendor as experts in their field.
The original 14 principles are still in effect and are still very relevant. They provide an accessible treatise on managing cloud migration and understanding the various elements that do into it.
The principles include:
- Principle 1: Data in transit protection
- Principle 2: Asset protection and resilience
- Principle 3: Separation between customers
- Principle 4: Governance framework
- Principle 5: Operational security
- Principle 6: Personnel security
- Principle 7: Secure development
- Principle 8: Supply chain security
- Principle 9. Secure user management
- Principle 10: Identity and authentication
- Principle 11: External interface protection
- Principle 12: Secure service administration
- Principle 13: Audit information and alerting for customers
- Principle 14: Secure use of the service
We won’t bore you with everything here, but we do recommend anyone thinking of moving to the cloud to read each of these principles on the NCSC website. They are actually very good!
One update was an increased awareness of supply chain security. Given the times we’re living in right now, ensuring the entire supply chain is secure is essential.
This guide now emphasises the importance of due diligence when it comes to supply chains and how secure each link in that chain is.
Lightweight approach to cloud security
The Lightweight approach to cloud security was a new addition to the guidance and provides a similar approach but streamlined for faster integration and assessment.
It uses just four principles:
- Data encryption
- Authentication and access control
- Security logging and incident management
There is extra reading, but this lighter approach is designed for smaller businesses who want to move to the cloud but don’t need the whole project approach to the process.
That’s also worth a read even if you’re a medium to enterprise organisation!