Leadership

Making security both an organisational support capability and a business enabler is not easy. Much security activity is, for obvious reasons, not fully transparent. However, one thing I want to show people is how you might tell existing and prospective customers about the way you approach security within your organisation. One way to do this is to show how you align to the NCSC 14 Cloud Security Provider Principles.

You might even want to have this on your corporate website. I’m not saying to write War and Peace, but you might want to at least show people a view. Imagine if someone like me comes along and sees that you have thought about it! I’ll likely be very impressed!

Now, my company doesn’t host services, but I do deal with customer data (as they do with mine), so this isn’t completely pointless even for a micro consulting organisation. However, I’m really talking to larger organisations here who develop and/or host services.

So let’s look. I’m not doing this in total marketing lingo, so there’s a bit of humour in my example, but here we go:

| ID | Principle | Description | Response Statement |
|---|---|---|---|
| 1 | Data in transit protection | User data transiting networks should be adequately protected against tampering and eavesdropping. | Sensitive data is sent over channels secured by TLS with strong configurations of ciphers and protocols, alongside strict transport security (HSTS). |
| 2 | Asset protection and resilience | User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. | We deploy a range of controls including full disk encryption to defend data, alongside device authentication controls. We also have remote device management capabilities to lock or wipe devices (when they are connected to the internet). |
| 3 | Separation between users | A malicious or compromised user of the service should not be able to affect the service or data of another. | Least privilege access is leveraged where appropriate to segment user access to data and permissions. |
| 4 | Governance framework | The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined. | The leadership team conduct regular security reviews to ensure that reasonable and appropriate controls are in place and are effective. |
| 5 | Operational security | The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes. | We operate in alignment with good security practices, leveraging modern techniques and processes to support our ability to both operate securely and enable execution of value delivery. |
| 6 | Personnel security | Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel. | This is quite funny when you are a micro business. I’ve had criminal record checks (amongst other things). Also, it would be very odd for me to go against myself, so there is that! |
| 7 | Secure development | Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity. | Security is always a balance; the systems leveraged are done so in a way which I believe mitigates a sophisticated threat actor with significant resources from being able to compromise the systems and their data. We aren’t a software development company so this doesn’t really apply, but if we were, it would be done with a sensible approach to securing the release pipeline and process. |
| 8 | Supply chain security | The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement. | We only use sensible suppliers for our customer data systems (e.g. Amazon, Microsoft etc.). |
| 9 | Secure user management | Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data. | Management interfaces are protected where possible (and appropriate) with strong controls such as multi-factor authentication or passkeys. |
| 10 | Identity and authentication | All access to service interfaces should be constrained to authenticated and authorised individuals. | Access is restricted on a business need basis. |
| 11 | External interface protection | All external or less trusted interfaces of the service should be identified and appropriately defended. | External interfaces are protected to a reasonable level based on the service sensitivity. |
| 12 | Secure service administration | Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data. | Administrative interfaces have additional controls applied. |
| 13 | Audit information for users | You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. | Audit records are kept of service activity. |
| 14 | Secure use of the service | The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected. | The services leveraged are designed and deployed to enable secure service usage. |

Now, clearly how you do this for your organisation in terms of style, depth and approach is up to you. You should also not limit yourselves to this one set of principles or this one set of content.

You could also publish views (even if not an exact replica) of:

  • Your Security Policies
  • Your approach to Cyber Security
  • Any certifications you have
  • Any standard terms and conditions

You obviously have to get the risk balance right: you don’t want to hand people a detailed architecture and attack map! But you could look at how to take your security investments and turn them into positive messages that give your customers confidence! And remember, don’t neglect your internet-facing attack surface; people like me will also be looking at that! Hopefully this gives people some ideas of how to move beyond “security is just a cost”!