...
Different components of computing are made available to users within an organisation remotely over the internet, paid for on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are: Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.
...
Where is ‘the cloud’?
Most computer servers used for cloud services are owned by private organisations such as Amazon, Microsoft or Apple, which hold millions of people's data and make it accessible to them via the internet. The largest data centres in the world are located in China, the USA and India, and some have even been sited on the seabed. Where the computers in 'the cloud' that hold your data are physically located is very important: it determines the legal jurisdiction of the data, and if that data is 'personal data', storing it outside the UK or the European Union without appropriate legal safeguards may put you in breach of data protection law. It is also important to know something about the company that is hosting the cloud service and looking after the computers which hold your data. Many data centres are kept up to date and secure, but some are not, and may put your data at risk.
...
If workers can access organisational information over the internet from any location, so can criminals, and this has resulted in an increasing number of attacks on cloud services, most commonly using techniques that steal users' passwords in order to access their accounts. For this reason, it is important that these services are set up correctly and have the essential security controls in place.
Cloud services are not secure by default, so it is crucial that organisations understand their role and responsibilities in the security of the cloud services they use. The five core controls of Cyber Essentials (firewalls, secure configuration, user access control, malware protection and security update management) apply to all cloud services.
Most cloud providers attempt to create a secure cloud for their customers, aiming to prevent breaches and maintain public trust. Most invest significant resources in keeping their services secure; however, they cannot control how their customers use the service, what data they add to it, or who has access. That said, it is worth bearing in mind that not all cloud service providers understand or value security. It is essential that the user organisation researches the security controls used by a cloud service provider before entrusting organisational data to that service.
...
For the purpose of this guidance, we are talking about public cloud services.
Where to start?
In order to protect your organisational data that is located in the cloud, start by creating a list of all the cloud services used within your organisation.
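Building that list by asking around is a start, but people forget the services they signed up to themselves. One practical way to find them, offered here as an added example rather than something this guidance prescribes, is to mine the organisation's web-proxy or DNS logs for known cloud-service domains and compare what is actually used against the services that have been formally approved. The log lines, the domain-to-service mapping and the sanctioned list below are all constructed for the example and would need to reflect your own environment.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not real data): time, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:01:12Z alice login.microsoftonline.com 1842
2024-03-04T09:01:15Z alice outlook.office365.com 98211
2024-03-04T09:03:40Z bob www.dropbox.com 2211
2024-03-04T09:04:02Z bob content.dropboxapi.com 5512000
2024-03-04T09:10:55Z carol drive.google.com 31020
2024-03-04T09:12:08Z dave s3.eu-west-2.amazonaws.com 120400
2024-03-04T09:15:30Z erin wetransfer.com 80300000
2024-03-04T09:16:00Z alice intranet.example.local 3000
this line is malformed and should be skipped
"""

# Assumed domain suffixes for each cloud service; a real list would be far longer.
SERVICE_DOMAINS = {
    "Microsoft 365": ("microsoftonline.com", "office365.com", "office.com", "sharepoint.com"),
    "Dropbox": ("dropbox.com", "dropboxapi.com"),
    "Google Drive": ("drive.google.com", "docs.google.com"),
    "AWS": ("amazonaws.com",),
    "WeTransfer": ("wetransfer.com",),
}

# Assumed set of services the organisation has formally approved.
SANCTIONED = {"Microsoft 365", "AWS"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def classify(host: str):
    """Map a destination hostname to a known cloud service, or None if it is not one."""
    host = host.lower().rstrip(".")
    for service, suffixes in SERVICE_DOMAINS.items():
        for suffix in suffixes:
            # Exact match or a subdomain of the suffix; avoids matching e.g. notdropbox.com.
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def build_inventory(log_text: str) -> dict:
    """Tally which users talk to which cloud services and how much data they send."""
    inventory = defaultdict(lambda: {"users": set(), "bytes": 0, "sanctioned": False})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip rather than crash the whole run
        _, user, host, nbytes = match.groups()
        service = classify(host)
        if service is None:
            continue  # internal or unknown destination
        entry = inventory[service]
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
        entry["sanctioned"] = service in SANCTIONED
    return dict(inventory)


def unsanctioned_services(inventory: dict) -> list:
    """Services seen in the logs that nobody approved: the 'shadow IT' to investigate first."""
    return sorted(name for name, entry in inventory.items() if not entry["sanctioned"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PROXY_LOG)
    for name, entry in sorted(inv.items()):
        flag = "approved" if entry["sanctioned"] else "NOT approved"
        print(f"{name:14} {flag:13} users={sorted(entry['users'])} bytes={entry['bytes']}")
    print("Unsanctioned:", unsanctioned_services(inv))
```

The output is the starting point for the inventory rather than the finished article: each unsanctioned service still needs a conversation with the people using it about what data is going there and whether it should be approved, migrated or blocked.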
...
According to research by Microsoft, there are over 300 million fraudulent sign-in attempts against its cloud services every day. Most data breaches involve weak, default or stolen passwords, which highlights the need for a comprehensive password policy and strong authentication. Microsoft also estimates that 99.9% of account-compromise attacks can be blocked with Multi-Factor Authentication (MFA).
Another threat to data stored in cloud services comes from employees, whether through unintentional mistakes or malicious intent; this is known as the 'insider threat'. A rogue employee can use their knowledge of, and access to, company information to steal data or commit fraud.
...
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to give additional protection to administrative accounts and to all user accounts that are accessible from the internet. No matter how an attacker acquires a password, if multi-factor authentication is enabled it acts as a safeguard on the account. Bear in mind that some second factors (SMS codes and simple push approvals in particular) can themselves be phished or worn down by repeated prompts, so choose the strongest method the service supports.
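To make concrete why a stolen password stops being enough once a second factor is required, the following is an added example, not part of this guidance and not any provider's code. It implements the time-based one-time password scheme (RFC 6238 over RFC 4226) that authenticator apps use, together with a login check that insists on both factors. The user store and credentials are constructed for the example; a real service would persist them, rate-limit attempts and log failures.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # what most authenticator apps display


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second counter."""
    return hotp(key, int(at_time) // STEP_SECONDS, digits)


# Constructed in-memory user store for the example.
USERS: dict = {}


def enrol(username: str, password: str) -> bytes:
    """Store a salted password hash plus a fresh TOTP secret; return the secret for the user's app."""
    salt = secrets.token_bytes(16)
    totp_secret = secrets.token_bytes(20)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest counter already accepted, so a captured code cannot be replayed
    }
    return totp_secret


def login(username: str, password: str, code: Optional[str], at_time: Optional[float] = None) -> bool:
    """Accept only when BOTH factors verify; a correct password on its own is rejected."""
    at_time = time.time() if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    if code is None:
        return False  # password was right, but no second factor was presented
    counter = int(at_time) // STEP_SECONDS
    # Tolerate one step of clock drift either way, but never a counter that was already used.
    for drift in (-1, 0, 1):
        c = counter + drift
        if c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    secret = enrol("alice", "correct horse battery staple")
    now = time.time()
    print("password only:     ", login("alice", "correct horse battery staple", None, now))
    print("password + code:   ", login("alice", "correct horse battery staple", totp(secret, now), now))
    print("replayed same code:", login("alice", "correct horse battery staple", totp(secret, now), now))
```

The replay check matters in practice: a phished or shoulder-surfed code is only useful to an attacker for the current time step, and only if the legitimate user has not already used it. It does not help against an attacker who relays the code in real time, which is why the stronger factors mentioned above exist.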
...