What are cloud services?
Different components of computing are available to users remotely over the internet and payable on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.
...
Using cloud providers to manage these aspects can give charities cost, scalability and security benefits. However, it is important that charities check the cloud provider’s security provision. If workers can access an organisation’s information from anywhere, then criminals can too. It is important that these services are set up correctly and have the essential security controls in place.
The three main categories of cloud computing
There are three major cloud service models. The letters aaS stand for ‘as a service’, which means organisations can rent facilities that are physically elsewhere for a range of different purposes.
...
For Infrastructure as a Service, the cloud service provider only provides the hardware. Backing up and all of the security, including all five of the Cyber Essentials controls, are the user organisation’s responsibility. With this in mind, if a charity is using cloud solutions such as virtual servers and desktops, it is the charity’s responsibility to protect the virtual environment with regular security updates.
What are the security risks with cloud services?
Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces to locate valuable data. This is usually due to weak user access control and misconfiguration and is the responsibility of the cloud service customer.
Most data breaches involve weak, default or stolen passwords, which highlights the requirement for a comprehensive password policy and strong authentication. It is estimated that 99.9% of attacks can be blocked with multi-factor authentication.
Who implements the five core controls for cloud services?
The majority of cloud providers attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. Most invest a significant amount of resources to keep their services secure. However, they cannot control how their customers use the service, what data they add to it, and who has access. It is worth bearing in mind that not all cloud service providers understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.
...
For more information, see the guidance explaining the shared responsibility model.
The Cyber Essentials five core controls
User access control
User access control covers the precaution of controlling who can access your devices, accounts and data and what they can do once they have access. This is essential for all cloud service accounts.
...
There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.
Enable multi-factor authentication (MFA) on all accounts on all of your cloud services.
...