Cloud Security in the Public Sector - What You Should Know, What You Need to Do.

2 minute read

This post has been archived

In August of this year CESG published guidance on the principles for securing Public Sector information and data within an outsourced cloud storage environment. But what are they and how could they impact the selection of cloud service providers? This is the first article in a series across which I will discuss the guidance published by CESG and the identified security principles, their importance to service consumers, and aim to provide some advice on what to do to address them. Before I begin there are a couple of housekeeping points to be considered. First up is the selection of a service provider, but where to begin?

When assessing providers, explore all evidence provided which details:

  • Information assurance and security maturity;
  • The existence of an in-house security team, including a Chief Information Officer or Chief Information Security Officer;
  • A fully documented functional, non-functional, security implementation and verification testing; and
  • A documented and tested security incident response policy.

And by explore I mean prod, probe and ask the difficult questions, by contacting the organisations identified in use cases, and any references. Also conduct visits to potential supplier premises. What better way to determine the importance placed on the security, than seeing the physical security controls in place, and observing a potential supplier’s day-to-day procedures and processes? OK so evidence thoroughly checked, sites visited, and suppliers down-selected; but what next? I’d suggest the seemingly complex and onerous task of independent verification and testing. However there are a number of ways to conduct testing, and the results will aid the identification of a preferred supplier. Here are a few suggestions:

  • An independent 3rd party reviews and confirms the Service Provider’s assertions;
  • The Service Provider holds certificate of compliance with a recognised standard; or
  • The certification of control implementation by qualified individuals, such as a CLAS Consultants.

Whilst there is any number of standards which potential suppliers can showcase, but in terms of HMG information, there is now a requirement that all ICT suppliers hold Cyber-Essentials Scheme (CES) and/or Cyber-Essentials Scheme Plus (CES+) certification. For higher risk procurements these certifications should also be supplemented by ISO 27001:2005 or later. This can therefore make things even easier, if the supplier doesn’t hold CES/CES+ look for one that does. Finally ensure that your organisation’s requirements with regards the security principles are clearly written into the contract. You should make provision to ensure that those principles which are a greatest importance to your organisation, also form part of the acceptance of the service. The contract should also include the provision of regular independent verification and audit, to provide assurance that the Service Provider is maintaining the expected and required security standards. Well that’s the foundation sorted, now to discuss the security principles …to be continued…