UK-specific Cloud Guidance

One of the things that we, as a UK chapter, are keen to deliver to our members is some local flavour to the comprehensive but generic guidance produced by the wider global Cloud Security Alliance.    To that aim, I thought it worthwhile to highlight some of the local, UK-specific, sources of security guidance to help out those of you either already working in the cloud or else exploring the potential for future cloud-based delivery of services.     Whilst aimed very much at the Public Sector, the Cloud Security Principles and associated cloud security guidance published on Gov.uk offers a considerable amount of pragmatic guidance to those looking to adopt cloud services.      The landing page for a variety of guidance documents can be found here:
 
https://www.gov.uk/government/collections/cloud-security-guidance
 
One, more hard to find, Government source of guidance relates to the security assertions that cloud providers looking to deliver to HMG clients are required to make as part of entry on to the G-Cloud procurement framework.   Those requested assertions may be a useful baseline for organisations wondering what information they should be seeking from cloud providers as part of their own due diligence exercises.    Cloud providers may wish to cover these topics in the security, risk and assurance documentation that they offer their prospective clients (perhaps under non-disclosure agreement) to assist in their decision making.   The UK G-Cloud Supplier Security Assertions can be found on Github at:
 
https://github.com/alphagov/supplier-submission-portal/tree/master/conf
 
There are long-standing concerns around cloud computing relating to data protection and privacy issues such as data sovereignty.    These concerns were recognised by the Information Commissioner (ICO) here in the UK and the ICO released guidance on the usage of cloud computing back in 2012.    The cloud world has moved on since, e.g. many cloud providers are now signed up to the model data protection clauses published by the European Commission, however the guidance is still a worthwhile read and can be found at:
 
https://ico.org.uk/media/for-organisations/documents/1540/cloud_computing_guidance_for_organisations.pdf
 
The final piece of UK-specific guidance that I’ll point you towards in this post is that offered by the Financial Conduct Authority (FCA).   Regulatory compliance is another factor commonly touted as inhibiting the adoption of cloud services.    As such, the pragmatic nature of the draft guidance produced by the FCA should be welcomed.   It will be interesting to see what the final version of the guidance contains once it has been approved following the consultation round; but for now the draft guidance can be found here:
 
https://www.fca.org.uk/static/documents/guidance-consultations/gc15-06.pdf
 
I hope you found the more UK-focussed flavour of this post valuable – please let us know either way!
 
Lee Newcombe

Lee is a member of the Board of the UK Chapter of the CSA, a named contributor to the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing” document and author of the book “Securing Cloud Services” published in 2012.

Comments

Post a Comment

Popular posts from this blog

CSA UK Applying MITRE ATT&CK Cloud and Microsoft K8 Matrix

Image
The Cloud Security Alliance UK chapter is presenting a series of sessions to provide CISO's, Cloud Security Architects, DevSecOps and SOC teams a breadcrumb roadmap of how to apply the recently published (late 2019)  MITRE ATT&CK for the Cloud  and also take influence from Microsoft’s recent Threat matrix on Kubernetes (K8).   We are seeking feedback or additional items you would like us to cover.  The proposed series of sessions will cover:   Session 1: [ Author/Presenter: Stephen Owen] 90 mins planned online 24th June CSA session on "What is MITRE ATT&CK and Cloud" and what benefits it brings to each of the stakeholders  What is  MITRE ATT&CK Enterprise  and  Cloud Where to start How to take advantages of the current  MITRE ATT&CK Cloud  and combining with Microsoft’s K8 Matrix;  Suggested practices to follow targeted to each of the below roles: Cloud Security Architects DevSecOps SOC Team  Cloud/CISO Lea...
Read more

Understanding ISO 27001 certification

A guest blog by Steve Watkins, Director at IT Governance Ltd Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues. Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face. Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately. So, what are the Standard’s critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security. What are the criticisms of ISO 27001 certification? You don’t k...
Read more

What is hybrid cloud computing?

Image
    (Hybrid) cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability. National Institutes for Standards in Technology (NIST) While a Hybrid Cloud can take many forms; in essence it means managing two (or more) disparate cloud environments (say private & public) as one, or having management tools in place that let the two (or more) environments be managed and appear as one single environment. Hybrid cloud uses a mix of on-premises, private cloud together with third-party, public cloud services; with orchestration between multiple platforms thus allowing workloads to move between the various cloud environments as computing needs; thus giving businesses greater flexibility and more deployment options. A cloud is hybrid when; You extend an internal web server (that has “burst...
Read more