New cloud security guidance: it’s all about the config
The https://www.ncsc.gov.uk/blog-post/relaunching-the-ncscs-cloud-security-guidance-collection” target=”_self”>Cloud security guidance that we relaunched last year focuses on how to choose a good cloud service and gain confidence that your cloud provider can fulfil https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model” target=”_self”>the responsibility you share with them to help you meet your security responsibilities.
Today we’re launching our https://www.ncsc.gov.uk/collection/cloud/using-cloud-services-securely” target=”_self”>new guidance on how to use a cloud service securely. It will help you meet your security responsibilities by ensuring you configure your chosen service well.
Configuring ‘a’ cloud service
The security expectations on any cloud provider are broadly similar, which we cover in our guidance on https://www.ncsc.gov.uk/collection/cloud/choosing-a-cloud-provider” target=”_self”>choosing a cloud provider. However, when it comes to using a cloud service, the kind of service can have a big impact on your security responsibilities. Most security incidents we see in the cloud boil down to configuration issues in use of the service. So our guidance on using a cloud service securely comes in two parts:
- https://www.ncsc.gov.uk/collection/cloud/using-cloud-services-securely/using-saas-securely” target=”_self”>Software-as-a-Service (SaaS) where you configure and consume an application built and hosted by your provider
- https://www.ncsc.gov.uk/collection/cloud/using-cloud-services-securely/using-a-cloud-platform-securely” target=”_self”>Cloud platforms which you use to build and host your own applications using the provider’s services and infrastructure
The main focus when using a SaaS application securely is configuring identity and access controls to be secure enough, with an excellent user experience. Poor authentication and authorisation configuration is one of the most common sources of security issues in SaaS apps. With a cloud platform, there will be more people interacting with the services you build than with the platform that hosts them. As a result, the new guidance focuses on building strong observability, and using automation to implement your security approach. However, we have deliberately avoided including guidance on how to build applications on a cloud platform, as the best approach will vary between use cases and security requirements.
While the new guidance provides advice for using cloud services, much of it should not be surprising to you as it builds upon our existing guidance. For example, identity and access control is crucial across both SaaS and cloud platforms, so our guidance on modern controls like https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Usesinglesign-onsystems” target=”_self”>single sign-on (SSO), https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services” target=”_self”>multi-factor authentication (MFA), https://www.ncsc.gov.uk/collection/secure-system-administration” target=”_self”>secure administration, and the use of https://www.ncsc.gov.uk/collection/device-security-guidance” target=”_self”>trustworthy devices features heavily.
We also challenge some common security practices we’ve seen that often cause problems. For example, we advise making it easy for users to connect, build, share, and collaborate as they need, using automation, guardrails, and user training (instead of broad restrictions and frustrating approval processes). Blocking people from being productive just leads to shadow IT, as discussed in our https://www.ncsc.gov.uk/blog-post/the-security-benefits-of-modern-collaboration-in-the-cloud” target=”_self”>security benefits of modern collaboration blog.
Finding a helpful provider
A good cloud provider will help you on your journey by https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/principle-14-secure-use-of-the-service” target=”_self”>making it easy for you to meet the security goals we outline. This can come in many forms, such as ‘good practice guides’ that are easy to follow, and configuration ‘blueprints’ or ‘templates’ that you can use. As with our cloud security principles, we encourage cloud service providers to https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/responses-to-the-cloud-security-principles” target=”_self”>publish these resources so that customers can more easily meet the goals outlined in this new guidance.
We believe that by applying our refreshed Cloud Security Principles and the new cloud platform and SaaS guidance in tandem, you should be protected from most common cyber attacks we see. With this guidance, you can embrace the opportunities and benefits of cloud services with confidence. If you’ve any feedback on this guidance, please get in touch using your usual NCSC contact. Otherwise, https://www.ncsc.gov.uk/section/about-this-website/general-enquiries” target=”_self”>our Enquiries team would be pleased to pass your comments on to us.
Jamie H
Principal Security Researcher
Original Source: ncsc[.]gov[.]uk
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.