The UK government just updated their (alpha) cloud security principles guidance, first issued in Dec 2013.
There's now a set of several UK government cloud security guidance documents. The new documents are as follows (all still in alpha, comments sought):
- intro to cloud security guidance - aims etc
- detailed guidance on implementing the cloud security principles.
As they didn't provide a markup or redline (maybe next time?), below is a basic (text-only) comparison of the changes made to the Dec 2013 version of the UK government cloud security principles. Some of the deleted text has been moved to the implementation guidance.
Guidance
Cloud Service Security Principles
Published 19 December 2013
Updated 23 April 2014
Contents
Data in transit protection
Asset protection and resilience
Separation between consumers
Governance
Operational security
Personnel security
Secure development
Supply chain security
Secure consumer management
Secure on-boarding Identity and off-boarding authentication
Service External interface protection
Secure service administration
Audit information provision to tenants consumers
Secure use of the service by the consumer
Glossary
Note: CESG’s Cloud Security Guidance is currently in ALPHA. Please send any feedback to the address [email protected].
This document describes principles which should be considered when evaluating the security features of cloud services. Some cloud services will provide all of the security principles, while others only a subset. It is for the consumer of the service to decide which of the security principles are important to them in the context of how they expect to use the service.
Some service The security principles are part of the Cloud Security Guidance, which also includes guidance on implementing the principles and risk managing the use of cloud services. Service providers may take different approaches in implementing the principles, which will be able to offer higher attract different levels of confidence in how they implement the different security principles. risk. Risks associated with common implementation methods are set out in the guidance. Consumers will need to should decide how much, if any, assurance they require in the different security principles which matter to them implementation approaches.
These principles apply equally to Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as defined by NIST.
1. Data in transit protection
The confidentiality and integrity of Consumer data transiting networks should be adequately protected whilst in transit.
The following aspects against tampering and eavesdropping (integrity and confidentiality). This should be specifically considered:
Consumer via a combination of network protection (denying your attacker access to service
Within intercept data) and encryption (denying the service (ability to for example, between an attacker to read data centres)).
2. Asset protection and resilience
Data should be physically secure as it is processed by and stored within the service. This security should be based on suitable physical security controls within data processing, storage and management locations.
The business requirements for availability of the service should be an important consideration when choosing a cloud service. The consumer should ensure that a contractual agreement is in place with the service provider which adequately supports their business needs for availability of the service.
The legal jurisdiction of the service will be an important consideration for many consumers, especially if they wish to use the service to store or process personal data. This principle depends on the physical locations of processing, storage, transit and management of the service.
The following aspects should be specifically considered:
- Location of data centres hosting the service
- Security surrounding those data centres
- Location of service management facilities
- How the confidentiality and integrity of data-at-rest will be maintained
- Availability of the service
Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
3. Separation between consumers
Separation should exist between different consumers of a service should be achieved at all points within the service, including across compute, storage and networking resources.
An important consideration will be whether the service is to prevent a public, private, malicious or community, shared cloud service; if all tenants compromised consumer from affecting the confidentiality, integrity or availability of the service are known to be trustworthy then less confidence in the separation properties another consumer of the service may be acceptable.
4. Governance
The service provider should have a security governance framework that coordinates and directs their overall approach to the management of IT systems, services and information. A clearly identified, and named, senior executive should be responsible for security of the cloud service the service and information within it.
5. Operational security
The service provider should have processes and procedures in place to ensure the operational security of the service.
The following aspects should be specifically considered:
- Configuration and change management
- Vulnerability management
- Protective monitoring
- Incident management
6. Personnel security
Service provider staff should be subjected to adequate personnel security screening for their role. At a minimum this should include identity, unspent criminal convictions, and right to work checks. For roles with a higher level of service access, the service provider should undertake and maintain appropriate additional personnel security checks and security education for their role.
7. Secure development
The service Services should be designed and developed in a secure fashion and should evolve to identify and mitigate new threats as they emerge to their security.
8. Supply chain security
Cloud services often rely upon third party services. Those third parties can have an impact on the overall security of the services. The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to deliver implement.
9. Secure consumer management
Consumers should be provided with the tools they need required to help them securely manage their usage of the service.
The following aspects should be specifically considered:
- Authentication of consumers to management interfaces
- Separation of consumers within management interfaces
- Authentication of consumers within support channels
- Separation of consumers within support channels
10. Secure on-boarding Identity and off-boarding authentication
The service should be provisioned to consumers in a known good state, and their data must be satisfactorily deleted when they leave the service. When physical storage components reach their end of life, the service provider should make appropriate arrangements to securely destroy or purge any consumer data they held.
Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.
11. Service External interface protection
All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
The following aspects should be specifically considered:
- Connections to external services on which the service depends
- Dedicated connections to tenants
- Remote access by service provider
- Publicly exposed services
12. Secure service administration
The methods used by the service provider’s administrators to manage the operational service (monitor system health, apply patches, update configuration etc.) should be designed to mitigate any risk of exploitation which could undermine the security of the service. The security of the networks and devices used to perform this function should be specifically considered.
13. Audit information provision to tenants consumers
Consumers should be provided with the audit records they need in order to monitor access to their service and the data held within it.
14. Secure use of the service by the consumer
Consumers will have certain responsibilities when using the a cloud service in order for their use of it to remain secure, and for their data to be adequately protected.
Depending on the type of service, the consumer will have responsibilities relating to the following topics:
- Audit and monitoring
- Storage
- Networking
- Authentication
- Development security
- End user devices used to access the service
- Secure configuration of the service
- Patching
15. Glossary
Management interface - a service exposed to consumers or service provider administrators to allow administrative tasks to be performed.
Support channel - an online, or out of band (e.g. telephone), communication channel which consumers can use to obtain support from the service provider.
On-boarding - the process of a consumer moving on to the service.
Off-boarding - the process of migrating a consumer away from a service.
Public, private and community cloud - refer to the NIST definitions of these terms.
Consumer - a tenant of the cloud service.