CESG says organisations need to actively seek ‘adequate assurances’ over cloud information security

Is your business comfortable with the concept of the cloud? Do you have few, if any, concerns about security compliance, and do you feel you can trust your cloud service provider implicitly? If you do, you may want to heed the latest advice issued by the information assurance arm of the UK intelligence agency, GCHQ, which is encouraging organisations to seek “adequate assurances” about data protection and compliance with information security principles from cloud providers before subscribing to their services.

CESG, the National Technical Authority on Information Assurance and an arm of GCHQ, has included this recommendation in new guidance on cloud security risk management. The guidance, Cloud Security Guidance: Risk Management, outlines a recommended step-by-step risk management strategy for cloud security, and urges organisations to actively seek assurances about security compliance rather than simply accepting the information security guarantees provided by cloud providers at face value. The CESG guidance states:

“Considering the organisation’s business requirements, risk appetite and the information which will be exposed to the service provider, determine which cloud security principles are necessary to manage risks to the organisation’s information. [Then] identify which principles the cloud service under consideration claims to implement and the approach taken to implement them.”

The organisation should then “determine whether the service provider can offer adequate assurance that the principles have been implemented correctly and understand any risks which remain. Varying levels of assurance could be available. These may range from no assurance other than a supplier’s assertion, through to formal assurance provided by an independent and qualified third party.”

So what are these cloud security principles that CESG’s guidance refers to? They are guidelines it has developed jointly with the Cabinet Office. The updated list of 14 principles, issued in April 2014, outlines the broad security requirements which it considers crucial for adequate and robust security risk management. The principles cover a range of different aspects of information security: data in transit protection, asset protection and resilience, separation between consumers, governance, operational security, personnel security, secure development, supply chain security, secure consumer management, identity and authentication, external interface protection, secure service administration, audit information provision to consumers, and secure use of the service by the consumer.

CESG and the Cabinet Office have both made it clear that these principles are not set in stone. Organisations may wish to use the guidance when they are evaluating the security features of cloud services; however, it is the responsibility of individual organisations to determine “which of the security principles are [most] important to them in the context of how they expect to use the [cloud] service”. Moreover, CESG is advising that organisations should also consider whether there are any additional security compliance measures they can adopt, over and above those adopted by cloud providers, to offer greater protection to both the business and its consumers and further reduce information risk.

If your organisation is concerned about the security challenges it is facing, then why not speak to Krypsys? Krypsys’ services are focused on helping you assess your security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].