Credibility in Cloud Security

Published 26th September 2018 in Blogs

The Cabinet Office (in collaboration with the National Cyber Security Centre) published the “Minimum Cyber Security Standard” (MCSS), clearly communicating the minimum set of cyber security controls expected of UK Government departments. The aim is to ensure that the nation’s information, technology and digital services are being properly protected in accordance with the National Cyber Security Strategy’s requirements.

In line with similar recent documentation, these new requirements are focused upon the delivery of “security outcomes” without specifying how such outcomes are to be achieved, and each Department has the responsibility of ensuring that the security outcome is being effectively achieved. It is pleasing to note that each of the MCSS component areas will be progressively incremented over time, to ensure that standards rise as the cyber threat landscape continues to evolve.

Cloud infrastructure and platform providers must now confirm that their existing information security framework and controls exceed the minimum stated requirements within each of the ten areas of the new standard:

  1. Cyber security governance: clear responsibilities and accountabilities, effective policies and processes, risk management, supply chain security and training and awareness
  2. Sensitive information: a full understanding of sensitive information assets, why and where it is being processed and stored, and the impact if it were to be breached
  3. Operational service: details of key operational services being provided, knowledge of technology and other dependencies which they rely upon, and the impact of unavailability
  4. User and access management: ensuring users have only minimum access to sensitive data, that such access is regularly reviewed, and access is removed when a user leaves
  5. Protecting access: ensuring only authorised and known users can access sensitive data and associated systems, and that appropriate authentication mechanisms are in place
  6. Vulnerability management: protecting enterprise technology, end-user devices, digital services and email communications through effective organisational and technical controls
  7. Protecting privileged accounts: ensuring privileged accounts are not used for daily tasks, and that their use is protected by multi-factor authentication and complex passwords
  8. Detecting common cyber-attacks: by monitoring and capturing events, which can then be assessed using threat intelligence sources such as CISP
  9. Responding to cyber security incidents: implementing effective plans to respond to incidents, including defined responsibilities, communication plans, investigation and mitigation actions, incident reporting and plan testing
  10. Recovery of services: ensuring contingency plans are in place for unavailability of services or cyber security breaches, that prompt restoration of normal service is well rehearsed, and that post incident reviews effectively remediate the cause to prevent recurrence

Credible IT service providers such as UKCloud who have designed, implemented and manage their organisation from a solid foundation of information security, data protection and technical resilience will have no issues with achieving the requirements of MCSS. However, the fact that this new Standard has been created and published at all suggests that there are departments and functions which have an identified need to urgently improve their cyber resilience posture.

All UK Public Sector organisations will need to demonstrate compliance with MCSS, and section 1(d) notes that they need to understand and manage the risks within their supply chain – for example their choice of cloud service provider – by completing sufficient due diligence. A provider like UKCloud welcomes the opportunity to discuss its cybersecurity capabilities: from evidencing the numerous independent security accreditation and certification activities which we are regularly subject to, to explaining the advanced security features and controls which are at the heart of our portfolio of cloud services.


@johngodwin1 @ukcloudltd

This blog was originally published by TechUK for its Cloud Week.

Our expert author

John Godwin

John Godwin is UKCloud’s Director of Compliance & Information Assurance. He has responsibility for UKCloud’s portfolio of accreditations and certifications, and as a Certified Data Protection Officer is responsible for UKCloud’s compliance with the EU General Data Protection Regulation. John is a regular conference and event speaker on information security and data protection matters.
