
The five core controls of Cyber Essentials will help protect your organisation’s data and services from the most common cyber attack approaches. The five controls must also be applied to all cloud services. Why is this? Surely we can rely on Google, Microsoft, Amazon or whoever the cloud service provider is to take care of security? Many cloud providers do put security controls in place, but the user often has to configure some of the controls themselves.

...

Small businesses that have not fully or correctly configured their cloud service accounts can be easy prey for attackers, and this makes them a high risk for contracts within supply chains.

Do your homework

When talking about security, cloud service providers often reference a 'shared responsibility model'. This means that for some security controls it is the cloud provider that is responsible for implementation, whereas for other features it is the user organisation (you). Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Working with a cloud provider can be unfamiliar and new for some organisations, and it is helpful to outline from the start where the line is between the cloud provider's security responsibilities and those of your organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. The business owner or IT manager should reference their service-level agreements (usually within the small print that you sign up to when you buy the service), and clear up any confusion with the provider when necessary to ensure a successful security strategy. Understanding and documenting your responsibility for the security controls for each of your cloud providers is important. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your charity organisation if there are difficulties.

...

Understanding your security responsibility is essential to keeping your data safe in the cloud

Who implements which controls will vary

For Infrastructure as a Service, the user organisation is responsible for maintaining its operating system, data use and applications, and is therefore in control of the implementation of all five Cyber Essentials controls.

...

For Software as a Service, the user organisation is usually only responsible for secure configuration and user access control, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.

Where the cloud provider implements a control, the user organisation must satisfy itself that this has been done to the required standard. Details of the implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by the contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.

The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for each aspect of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for.