
Cloud services are not secure by default

The five core controls of Cyber Essentials will help protect your organisation’s data and services from the most common cyber attack methods. This includes all the cloud services that your organisation uses. Why should that be your job? Surely Google, Microsoft, Amazon or whichever cloud service provider you use can take care of security? Many cloud providers do ensure that the security controls are available, but the user often has to set up some of those controls themselves.

Think of it this way: when you sign up for a social media account, it is possible to log in and immediately start posting ‘whatever is on your mind’. Most social media sites are designed to optimise openness to encourage social networking, and will have maximum sharing as the default setting. This means that before you post any information or images, it is wise to look up how the settings work and decide the level of privacy that is appropriate for you.

In a similar way, when you sign up to a cloud service, you have responsibility for the technical setup, including the security settings of the service. It is not all down to the provider. If you do not do this, you may have little or no security.

Did you know that the first account set up on Microsoft 365 is, by default, a global admin? These accounts have full power to configure and change the settings and controls of everything in your organisation’s account. If this account is set up without the necessary security controls and is then hacked, an attacker could access your whole system and possibly take all the data out of the organisation.

The huge control panels within the admin centre of a Microsoft or Google cloud service can be a daunting prospect, and anyone setting up accounts will need to assign roles, groups and permissions for each account, as well as passwords and multi-factor authentication. This is the same whether you are a large enterprise or a micro business, so expert guidance in configuring these settings may be necessary.
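The points above about the default global admin and multi-factor authentication can be checked rather than assumed. The script below is an added example, not from the IASME page or from Microsoft: it audits a constructed export of tenant accounts for privileged accounts that lack MFA and for more global admins than a local policy allows. The field names (upn, roles, mfa_registered), the sample accounts and the threshold of two global admins are all assumptions; a real export from your admin centre or identity API will use its own field names and your own policy limit.

```python
"""Added example (not from the IASME page): audit a constructed export of
cloud tenant accounts for privileged accounts without multi-factor
authentication. Field names and sample data are assumptions."""

GLOBAL_ADMIN = "Global Administrator"

# Constructed sample export for a small tenant (hypothetical, not a real tenant).
SAMPLE_ACCOUNTS = [
    {"upn": "founder@example.org", "roles": [GLOBAL_ADMIN], "mfa_registered": False},
    {"upn": "it-admin@example.org", "roles": [GLOBAL_ADMIN], "mfa_registered": True},
    {"upn": "sales@example.org", "roles": [], "mfa_registered": False},
    {"upn": "finance@example.org", "roles": ["Billing Administrator"], "mfa_registered": True},
]


def find_unprotected_admins(accounts):
    """Return, sorted, the UPNs of accounts that hold any admin role but have no MFA."""
    return sorted(
        acct["upn"] for acct in accounts
        if acct["roles"] and not acct["mfa_registered"]
    )


def count_global_admins(accounts):
    """Number of accounts holding the global admin role."""
    return sum(1 for acct in accounts if GLOBAL_ADMIN in acct["roles"])


def audit(accounts, max_global_admins=2):
    """Produce human-readable findings for the export.

    max_global_admins is an assumed local policy limit, not a figure from the page.
    """
    findings = []
    # Highest risk first: a privileged account that can be taken over with a password alone.
    for upn in find_unprotected_admins(accounts):
        findings.append(f"{upn}: privileged role without MFA")

    # Too many global admins widens the blast radius if any one of them is compromised.
    n = count_global_admins(accounts)
    if n > max_global_admins:
        findings.append(f"{n} global admins exceeds the policy limit of {max_global_admins}")
    elif n == 0:
        findings.append("no global admin found; check that the export is complete")

    # Standard users without MFA still fall under the user access control requirement.
    for acct in accounts:
        if not acct["roles"] and not acct["mfa_registered"]:
            findings.append(f"{acct['upn']}: standard user without MFA")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNTS):
        print(line)
```

Run it against your own export after mapping the field names; an empty findings list is the target state, and the first account ever created in the tenant deserves a specific look because, as noted above, it is a global admin by default.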

Small businesses that have not fully or correctly configured their cloud service accounts can be easy prey for attackers, and this makes them a high risk when they hold contracts within supply chains.

Do your homework

When talking about security, cloud service providers often refer to a 'shared responsibility model'. This means that for some security controls it is the cloud provider that is responsible for implementation, whereas for others it is the user organisation (you). Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Working with a cloud provider can be unfamiliar and new for some organisations, and it is helpful to set out from the start where the line is between the cloud provider's security responsibilities and those of your organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. The business owner or IT manager should refer to the service-level agreement (usually within the small print you sign up to when you buy the service), and clear up any confusion with the provider where necessary to ensure a successful security strategy. Understanding and documenting your responsibility for the security controls for each of your cloud providers is important. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact who can help and support your organisation if there are difficulties.

You do not have physical control over the servers owned by your cloud service provider, so how do you know if they are secure?

With 24/7 onsite security, advanced encryption, secure backups and firewall-protected servers, most cloud service providers have invested in security features that you could never match if you used your own servers. However, it is worth bearing in mind that not all cloud service providers understand or value security. It is essential that you research the security controls used by the cloud service provider before entrusting organisational data to that service. Have you checked the security features of the platform you’re using?

What to look for

  • The location of the servers in ‘the cloud’ that hold your data is very important. This is the legal location of the data, and if that is ‘personal data’, you may be in breach of GDPR if it is located outside the UK or the European Union.

  • Look for a cloud service provider that has the option to enable multi-factor authentication to access all accounts.

  • The data centres that hold your organisational data should hold an internationally recognised security standard such as ISO 27001.

The Cyber Essentials requirements specify that where the cloud provider implements a control, it is your responsibility to satisfy yourself that this has been done to the required standard. Details of how these controls are implemented can usually be found in the terms and conditions of the service. Look within the contractual clauses or in documents referenced by the contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.

The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and state whether the provider or the customer is responsible for each aspect of security operations and management. With smaller providers or Software as a Service products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud

Who implements which controls will vary

For Infrastructure as a Service, the user organisation is responsible for maintaining its operating system, data use and applications, and is therefore in control of the implementation of all five Cyber Essentials controls.

With Platform as a Service, the cloud service provider manages the security of the underlying infrastructure and operating system, and the user manages their data use and applications. This means the user needs to take care of secure configuration, user access control and security update management.

For Software as a Service, the user organisation is usually only responsible for secure configuration and user access control, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.
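The three paragraphs above give a starting allocation of the five controls for each service model, and the earlier section asks you to document your responsibilities and to hold evidence for the controls the provider implements. The script below is an added example, not from the IASME page or any provider: it encodes that allocation and audits a constructed inventory of cloud services, reporting customer-owned controls with no implementation record and provider-owned controls with no assurance evidence. The service names, the inventory and the "implemented" and "assurance" fields are assumptions; real allocations differ between providers, so the table is a starting point to confirm against each contract.

```python
"""Added example (not from the IASME page): encode the page's allocation of
the five Cyber Essentials controls across IaaS, PaaS and SaaS, then audit a
constructed cloud-service inventory for undocumented responsibilities.
Service names, record fields and the inventory are hypothetical."""

CONTROLS = (
    "firewalls",
    "secure configuration",
    "user access control",
    "malware protection",
    "security update management",
)

# Controls the customer implements under each service model, as the page describes.
# Every other control falls to the provider. Confirm this against each contract.
CUSTOMER_CONTROLS = {
    "IaaS": set(CONTROLS),
    "PaaS": {"secure configuration", "user access control", "security update management"},
    "SaaS": {"secure configuration", "user access control"},
}


def responsibilities(model):
    """Split the five controls into (customer-owned, provider-owned) for a service model."""
    mine = set(CUSTOMER_CONTROLS[model])
    theirs = set(CONTROLS) - mine
    return mine, theirs


def audit_service(service):
    """Return findings for one inventory entry.

    service = {"name": ..., "model": "IaaS"|"PaaS"|"SaaS",
               "implemented": customer controls that have an implementation record,
               "assurance": provider controls for which evidence (e.g. a trust-centre
                            document or contract clause) has been recorded}
    """
    findings = []
    mine, theirs = responsibilities(service["model"])
    implemented = set(service.get("implemented", ()))
    assured = set(service.get("assurance", ()))

    # Controls you own but have not recorded as implemented.
    for control in sorted(mine - implemented):
        findings.append(f"{service['name']}: customer must implement '{control}' but no record exists")

    # Controls the provider owns but for which you hold no evidence of the required standard.
    for control in sorted(theirs - assured):
        findings.append(f"{service['name']}: provider owns '{control}' but no assurance evidence is documented")

    # A control recorded under the wrong party usually signals a misread contract.
    for control in sorted(implemented & theirs):
        findings.append(f"{service['name']}: '{control}' recorded as customer-implemented but the model assigns it to the provider; confirm with the contract")
    return findings


def audit_inventory(inventory):
    """Flatten findings across every service in the inventory."""
    return [finding for svc in inventory for finding in audit_service(svc)]


# Constructed inventory for a small organisation (hypothetical).
SAMPLE_INVENTORY = [
    {"name": "mail-suite", "model": "SaaS",
     "implemented": ["user access control"],
     "assurance": ["firewalls", "malware protection", "security update management"]},
    {"name": "web-app-platform", "model": "PaaS",
     "implemented": ["secure configuration", "user access control", "security update management"],
     "assurance": ["firewalls"]},
    {"name": "file-server-vm", "model": "IaaS",
     "implemented": ["firewalls", "secure configuration", "user access control", "malware protection"],
     "assurance": []},
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

Keeping the inventory as a file that is updated whenever a service is added or a contract changes turns the "understand and document your responsibility" advice into something that can be re-run before each Cyber Essentials assessment.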

© The IASME Consortium Ltd 2025 All rights reserved.
