The UK government just updated their (alpha) cloud security principles guidance, first issued in Dec 2013.
- intro to cloud security guidance - aims etc
- detailed guidance on implementing the cloud security principles.
As they didn't provide a markup or redline (maybe next time?), below is a basic (text-only) comparison of the changes made to the Dec 2013 version of the UK government cloud security principles. Some of the deleted text has been moved to the implementation guidance.
Service Security Principles Published 19 December 2013
Data in transit protection
Asset protection and resilience
Separation between consumers
Supply chain security
Secure consumer management
Secure on-boarding and off-boarding
Service interface protection
Secure service administration
Audit information provision to
Secure use of the service by the consumer
This document describes principles which should be considered when evaluating the security features of cloud services. Some cloud services will provide all of the security principles, while others only a subset. It is for the consumer of the service to decide which of the security principles are important to them in the context of how they expect to use the service.
Some service providers will be able to offer higher levels of confidence in how they implement the different security principles. Consumers will need to decide how much, if any, assurance they require in the different security principles which matter to them.
These principles apply equally to Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as defined by NIST.
1. Data in transit protection
The confidentiality and integrity of data should be adequately protected whilst in transit. The following aspects should be specifically considered:
- Consumer to service
- Within the service (for example, between data centres)
2. Asset protection and resilience
Data should be physically secure as it is processed by and stored within the service. This security should be based on suitable physical security controls within data processing, storage and management locations. The business requirements for availability of the service should be an important consideration when choosing a cloud service. The consumer should ensure that a contractual agreement is in place with the service provider which adequately supports their business needs for availability of the service. The legal jurisdiction of the service will be an important consideration for many consumers, especially if they wish to use the service to store or process personal data. This principle depends on the physical locations of processing, storage, transit and management of the service. The following aspects should be specifically considered:
- Location of data centres hosting the service
- Security surrounding those data centres
- Location of service management facilities
- How the confidentiality and integrity of data-at-rest will be maintained
- Availability of the service
3. Separation between consumers
Separation between different consumers of a service should be achieved at all points within the service, including across compute, storage and networking resources. An important consideration will be whether the service is a public, private, or community, shared cloud service; if all tenants of the service are known to be trustworthy then less confidence in the separation properties of the service may be acceptable.
The service provider should have a security governance framework that coordinates and directs their overall approach to the management of IT systems, services and information. A clearly identified, and named, senior executive should be responsible for security of the cloud service.
5. Operational security
The service provider should have processes and procedures in place to ensure the operational security of the service.
The following aspects should be specifically considered:
- Configuration and change management
- Vulnerability management
- Protective monitoring
- Incident management
6. Personnel security
Service provider staff should be subjected to adequate personnel security screening for their role. At a minimum this should include identity, unspent criminal convictions, and right to work checks. For roles with a higher level of service access, the service provider should undertake and maintain appropriate additional personnel security checks.
7. Secure development
The service should be developed in a secure fashion and should evolve to mitigate new threats as they emerge.
8. Supply chain security
Cloud services often rely upon third party services. Those third parties can have an impact on the overall security of the services. The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to deliver.
9. Secure consumer management
Consumers should be provided the tools they need to securely manage their usage of the service. The following aspects should be specifically considered:
- Authentication of consumers to management interfaces
- Separation of consumers within management interfaces
- Authentication of consumers within support channels
- Separation of consumers within support channels
Secure on-boarding and off-boarding
The service should be provisioned to consumers in a known good state, and their data must be satisfactorily deleted when they leave the service. When physical storage components reach their end of life, the service provider should make appropriate arrangements to securely destroy or purge any consumer data they held.
Service interface protection
All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
The following aspects should be specifically considered:
- Connections to external services on which the service depends
- Dedicated connections to tenants
- Remote access by service provider
- Publicly exposed services
12. Secure service administration
The methods used by the service provider’s administrators to manage the operational service (monitor system health, apply patches, update configuration etc.) should be designed to mitigate any risk of exploitation which could undermine the security of the service. The security of the networks and devices used to perform this function should be specifically considered.
13. Audit information provision to
Consumers should be provided with the audit records they need in order to monitor access to their service and the data held within it.
14. Secure use of the service by the consumer
will have certain responsibilities when using the service in order for their use of it to remain secure, and for their data to be adequately protected. Depending on the type of service, the consumer will have responsibilities relating to the following topics:
- Audit and monitoring
- Storage
- Networking
- Authentication
- Development security
- End user devices used to access the service
- Secure configuration of the service
- Patching
15. Glossary
- Management interface: a service exposed to consumers or service provider administrators to allow administrative tasks to be performed.
- Support channel: an online, or out of band (e.g. telephone), communication channel which consumers can use to obtain support from the service provider.
- On-boarding: the process of a consumer moving on to the service.
- Off-boarding: the process of migrating a consumer away from a service.
- Public, private and community cloud: refer to the NIST definitions of these terms.
- Consumer: a tenant of the cloud service.