Wednesday, 23 April 2014

Cloud security principles - updated UK government guidance - markup

The UK government just updated their (alpha) cloud security principles guidance, first issued in Dec 2013.

There's now a set of several UK government cloud security guidance documents. The new documents are as follows (all still in alpha, comments sought):

As they didn't provide a markup or redline (maybe next time?), below is a basic (text-only) comparison of the changes made to the Dec 2013 version of the UK government cloud security principles. Some of the deleted text has been moved to the implementation guidance.

 

Guidance

Cloud Service Security Principles

Published 19 December 2013

Updated 23 April 2014

Contents

Data in transit protection

Asset protection and resilience

Separation between consumers

Governance

Operational security

Personnel security

Secure development

Supply chain security

Secure consumer management

Secure on-boardingIdentity and off-boardingauthentication

ServiceExternal interface protection

Secure service administration

Audit information provision to tenantsconsumers

Secure use of the service by the consumer

Glossary

Note: CESG’s Cloud Security Guidance is currently in ALPHA. Please send any feedback to the address platform@cesg.gsi.gov.uk.

This document describes principles which should be considered when evaluating the security features of cloud services. Some cloud services will provide all of the security principles, while others only a subset. It is for the consumer of the service to decide which of the security principles are important to them in the context of how they expect to use the service.

Some serviceThe security principles are part of the Cloud Security Guidance, which also includes guidance on implementing the principles and risk managing the use of cloud services. Service providers may take different approaches in implementing the principles, which will be able to offer higher attract different levels of confidence in how they implement the different security principles.risk. Risks associated with common implementation methods are set out in the guidance. Consumers will need toshould decide how much, if any, assurance they require in the different security principles which matter to themimplementation approaches.

These principles apply equally to Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as defined by NIST.

1. Data in transit protection

The confidentiality and integrity of Consumer data transiting networks should be adequately protected whilst in transit.

The following aspectsagainst tampering and eavesdropping (integrity and confidentiality). This should be specifically considered:

Consumer via a combination of network protection (denying your attacker access to service

Withinintercept data) and encryption (denying the service (ability to for example, betweenan attacker to read data centres)).

2. Asset protection and resilience

Data should be physically secure as it is processed by and stored within the service. This security should be based on suitable physical security controls within data processing, storage and management locations.

The business requirements for availability of the service should be an important consideration when choosing a cloud service. The consumer should ensure that a contractual agreement is in place with the service provider which adequately supports their business needs for availability of the service.

The legal jurisdiction of the service will be an important consideration for many consumers, especially if they wish to use the service to store or process personal data. This principle depends on the physical locations of processing, storage, transit and management of the service.

The following aspects should be specifically considered:

Location of data centres hosting the service

Security surrounding those data centres

Location of service management facilities

How the confidentiality and integrity of data-at-rest will be maintained

Availability of the service

Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

3. Separation between consumers

Separation should exist between different consumers of a service should be achieved at all points within the service, including across compute, storage and networking resources.

An important consideration will be whether the service isto prevent a public, private,malicious or community, shared cloud service; if all tenantscompromised consumer from affecting the confidentiality, integrity or availability of the service are known to be trustworthy then less confidence in the separation propertiesanother consumer of the service may be acceptable.

4. Governance

The service provider should have a security governance framework that coordinates and directs their overall approach to the management of IT systems, services and information. A clearly identified, and named, senior executive should be responsible for security of the cloud servicethe service and information within it.

5. Operational security

The service provider should have processes and procedures in place to ensure the operational security of the service.

The following aspects should be specifically considered:

Configuration and change management

Vulnerability management

Protective monitoring

Incident management

6. Personnel security

Service provider staff should be subjected to adequate personnel security screening for their role. At a minimum this should include identity, unspent criminal convictions, and right to work checks. For roles with a higher level of service access, the service provider should undertake and maintain appropriate additional personnel security checksand security education for their role.

7. Secure development

The serviceServices should be designed and developed in a secure fashion and should evolve to identify and mitigate new threats as they emergeto their security.

8. Supply chain security

Cloud services often rely upon third party services. Those third parties can have an impact on the overall security of the services. The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to deliverimplement.

9. Secure consumer management

Consumers should be provided with the tools they needrequired to help them securely manage their usage of the service.

The following aspects should be specifically considered:

Authentication of consumers to management interfaces

Separation of consumers within management interfaces

Authentication of consumers within support channels

Separation of consumers within support channels

10. Secure on-boardingIdentity and off-boardingauthentication

The service should be provisioned to consumers in a known good state, and their data must be satisfactorily deleted when they leave the service. When physical storage components reach their end of life, the service provider should make appropriate arrangements to securely destroy or purge any consumer data they held.

Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.

11. ServiceExternal interface protection

All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.

The following aspects should be specifically considered:

Connections to external services on which the service depends

Dedicated connections to tenants

Remote access by service provider

Publicly exposed services

12. Secure service administration

The methods used by the service provider’s administrators to manage the operational service (monitor system health, apply patches, update configuration etc.) should be designed to mitigate any risk of exploitation which could undermine the security of the service. The security of the networks and devices used to perform this function should be specifically considered.

13. Audit information provision to tenantsconsumers

Consumers should be provided with the audit records they need in order to monitor access to their service and the data held within it.

14. Secure use of the service by the consumer

Consumers will have certain responsibilities when using thea cloud service in order for their use of it to remain secure, and for their data to be adequately protected.

Depending on the type of service, the consumer will have responsibilities relating to the following topics:

Audit and monitoring

Storage

Networking

Authentication

Development security

End user devices used to access the service

Secure configuration of the service

Patching

15. Glossary

Management interface a service exposed to consumers or service provider administrators to allow administrative tasks to be performed.

Support channel an online, or out of band (e.g. telephone), communication channel which consumers can use to obtain support from the service provider.

On-boarding the process of a consumer moving on to the service.

Off-boarding the process of migrating a consumer away from a service.

Public, private and community cloud refer to the NIST definitions of these terms.

Consumer a tenant of the cloud service.