UK CESG, the definitive voice on the technical aspects of Information Security in UK Government, has published draft versions of guidance for “public sector organizations who are considering using cloud services for handling OFFICIAL information”. (Note that the guidelines are still at a draft stage (BETA) and the CESG is requesting comments).  There are already many standards that exist or are being been developed around the security of cloud services (see: Executive View: Cloud Standards Cross Reference – 71124) so why is this interesting?

Firstly there is an implied prerequisite that the information being held or processed has being classified as OFFICIAL. KuppingerCole advice is very clear; the first step to cloud security is to understand the risk by considering the business impact of loss or compromise of data.  CESG publishes a clear definition for OFFICIAL which is the lowest level of classification and covers “ALL routine public sector business, operations and services”.  So to translate this into business terms the guidelines are meant for cloud services handling the day to day operational services and data.

Secondly the guidelines are simple, clear and concise, and simple is more likely to be successful that complex. There are 14 principles that apply to any organization using cloud services.  The principles are summarized as follows:

  1. Protect data in transit
  2. Protect data stored against tampering, loss, damage or seizure. This includes consideration of legal jurisdiction as well as sanitization of deleted data.
  3. A cloud consumer’s service and data should be protected against the actions of others.
  4. The CSP (service provider) should have and implement a security governance framework.
  5. The CSP should have processes and procedures to ensure the operational security of the service.
  6. CSP staff should be security screened and trained in the security aspects of their role.
  7. Services should be designed and developed in a way that identifies and mitigates security threats.
  8. The service supply chain should support the principles.
  9. Service consumers should be provided with secure management tools for the service.
  10. Access to the service should be limited to authenticated and authorized individuals.
  11. External interfaces should be protected
  12. CSP administration processes should be designed to mitigate risk of privilege abuse.
  13. Consumers of the service should be provided with the audit records they need to monitor their access and the data.
  14. Consumers have responsibilities to ensure the security of the service and their data.
Thirdly there is detailed implementation advice for each of these principles.  As well as providing technical details for each principle it describes six ways in which the customer can obtain assurance.  These assurance approaches can be used in combination to increase confidence.   The approaches are:
  1. Service provider assertions – this relies upon the honesty, accuracy and completeness of the information from the service provider.
  2. Contractual commitment by the service provider.
  3. Review by an independent third party to confirm the service provider’s assertions.
  4. Independent testing to demonstrate that controls are correctly implemented and objectives are met in practice. Ideally this and 3 above should be carried out to a recognised standard. (Note that there are specific UK government standards here but for most commercial organizations these standards would include ISO/IEC 27001, SOC attestations to AICPA SSAE No. 16/ ISAE No. 3402 and the emerging CSA Open Certification Framework)
  5. Assurance in the service design - A qualified security architect is involved in the design or review of the service architecture.
  6. Independent assurance in the components of a service (such as the products, services, and individuals which a service uses).
These guidelines provide a useful addition to the advice that is available around the security of cloud services.  They provide a set of simple principles that are easy to understand.  These principles are backed up with detailed technical advice on their implementation and assurance.  Finally they take a risk based approach where the consumer needs to classify the data and services in terms of their business impact.

KuppingerCole has helped major European organizations to successfully understand and manage the real risks associated with cloud computing. We offer research and services to help cloud service providers, cloud security tool vendors, and end user organizations.  To learn more about how we can help your organization, just contact