
Understanding the NCSC Cloud Security Principles

Learn the 14 NCSC Cloud Security Principles and how Risk Ledger helps assess supplier cloud security and compliance confidently.


The UK National Cyber Security Centre (NCSC) has published cloud security guidance for organisations seeking to use cloud platforms to store or process organisational data, or to use cloud-hosted infrastructure for their specific business needs. NCSC has outlined 14 principles that should be evaluated when assessing the security of a cloud provider that may need to store or process sensitive data (e.g. PII, commercially sensitive, or government OFFICIAL information). Each principle sets out goals that, if met, should provide you with assurance that a cloud provider fulfils the intent of the principle.

The NCSC Cloud Security Principles describe suggested implementations that a cloud provider may use to meet the goals. However, the guidance is not prescriptive, and different cloud providers may use different methods to achieve the same goal.

Clients should review the evidence provided by the cloud provider to determine for themselves whether the goals are met and whether the provider’s implementation aligns with their own organisation’s risk appetite.

If you are a smaller organisation looking to do some due diligence on your online services, or a larger organisation that is not processing sensitive data in the service, you should use the NCSC’s lightweight approach to cloud security.

How can Risk Ledger help?

Risk Ledger’s Supplier Assessment Framework is a standardised set of security controls aligned with well-known industry frameworks representing best practices to reduce supplier cyber risk. A controls-based approach allows you to quickly and efficiently assess the cyber security posture of your suppliers at scale, across your entire supply chain. As most controls are answered in a binary yes/no format, you can easily compare suppliers and view their compliance against your cyber security policy.

You can leverage your suppliers’ answers and documentation within Risk Ledger to generate a body of evidence for your assessment.

When a supplier is building their Risk Ledger profile, they can choose whether to answer the control questions at an organisational level, or whether to provide different answers specific to each product or service they provide. (See Product Level Answers (PLA) for Clients)

Often, suppliers deploy the same controls across all their products & services, so they may not need to provide separate answers to give you all the information you need.

The control-level information and the documentation you find within a supplier profile on Risk Ledger will serve as a baseline of evidence. This may be sufficient on its own to assess certain cloud security principles or may be a starting point for further discussions with suppliers.

For each principle, you should:

  1. Read and understand the security goals for that principle, outlined by NCSC.
  2. Analyse the relevant controls & documentation to determine how effectively the security goals are met.
  3. If the information & evidence provided does not give you enough confidence that the goals have been met, ask the supplier for further information via a Discussion.

An example - Principle 1: Data in transit protection

Step 1: Understand the security goals

This principle states that user data transiting networks should be adequately protected against tampering and eavesdropping. Data in transit protection should be achieved through a combination of encryption, network protection, and authentication.

Goals

You should be sufficiently confident that:

  • data is protected in transit between your end user device(s) and the service
  • data is protected in transit as it flows between internal components within the service
  • data is protected in transit where exposed to other external services, such as via an API

You should prefer a cloud provider that:

  • encrypts all customer-data in transit by default
  • pre-configures data in transit encryption, and defaults to the latest industry standard
  • uses standardised, well-understood algorithms and protocols (such as TLS and IPsec) to protect data
  • makes it easy to implement good data in transit protections in your application

Source: https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/principle-1-data-in-transit-protection
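Supplier answers tell you what the provider says it does; for the first and third goals above (the client-facing edge and any API exposed to you) you can also check the service yourself. The following is an added example, not Risk Ledger or NCSC tooling: it performs a verified TLS handshake against an endpoint, records the negotiated protocol and cipher suite, separately tests whether the server still accepts TLS 1.0/1.1 when offered nothing newer, and grades the result against the Principle 1 preferences (modern protocol by default, standardised algorithms with forward secrecy, valid certificate). The host name `supplier.example` in the usage line is a placeholder, not a real endpoint.

```python
"""Probe an HTTPS endpoint's TLS configuration and grade it against the
NCSC Principle 1 goals.  Added example; not Risk Ledger or NCSC tooling."""
import socket
import ssl
import sys
import time

# Rank protocol versions so "at least TLS 1.2" is a plain comparison.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_VERSION = "TLSv1.2"


def accepts_legacy_tls(host, port=443, timeout=5.0):
    """True if the server completes a TLS 1.0/1.1 handshake when the client
    offers nothing newer.  Certificate verification is disabled on purpose:
    the only question is whether the server agrees to the old protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")      # let this client offer old suites
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, or this OpenSSL build cannot speak TLS < 1.2 at all.
        return False


def probe(host, port=443, timeout=5.0):
    """Do a normal, fully verified handshake and record what was negotiated."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _proto, bits = tls.cipher()
            cert = tls.getpeercert()
            report = {
                "version": tls.version(),        # e.g. "TLSv1.3"
                "cipher": cipher_name,           # e.g. "TLS_AES_256_GCM_SHA384"
                "bits": bits,                    # symmetric key strength in bits
                "not_after": cert["notAfter"],   # e.g. "Jan  1 00:00:00 2030 GMT"
            }
    report["accepts_legacy"] = accepts_legacy_tls(host, port, timeout)
    return report


def evaluate(report, now=None):
    """Map a probe report to Principle 1 findings.  An empty list means every
    check passed.  `now` is epoch seconds (defaults to the current time)."""
    now = time.time() if now is None else now
    findings = []
    if _VERSION_RANK.get(report["version"], -1) < _VERSION_RANK[MIN_VERSION]:
        findings.append("protocol-below-minimum")
    # TLS 1.3 suites always use ephemeral keys; TLS 1.2 needs an (EC)DHE suite.
    if report["version"] != "TLSv1.3" and "DHE" not in report["cipher"]:
        findings.append("no-forward-secrecy")
    if report["bits"] < 128:
        findings.append("weak-cipher-strength")
    if ssl.cert_time_to_seconds(report["not_after"]) < now:
        findings.append("certificate-expired")
    if report["accepts_legacy"]:
        findings.append("legacy-protocol-accepted")
    return findings


if __name__ == "__main__":
    # Placeholder host; pass the supplier's real endpoint as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "supplier.example"
    result = probe(target)
    print(result)
    print("findings:", evaluate(result) or "none")
```

Run it against the service's public endpoint and any API host the supplier exposes to you, and compare the output with the supplier's F.11 answer. A clean result supports the answer; a `legacy-protocol-accepted` or `no-forward-secrecy` finding is a concrete point to raise in a Discussion. The probe only sees the client-facing edge; protection of traffic between internal components (the second goal) still has to come from the supplier's evidence.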

Step 2: Analyse the relevant controls & documentation to determine how effectively the security goals are met

The following Risk Ledger controls will help you assess how a supplier protects data in transit.

Primary Controls

These controls are the most aligned to Principle 1 as they broadly cover the extent to which encryption is used in data transfers and remote connections. Within their Risk Ledger profile, suppliers are asked to provide details (both technical and procedural) of these controls.

  • F.11: Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?
  • F.10: Does your organisation secure and encrypt remote connections to its network or environment using an appropriate control/protocol (for example, by using VPNs or SSH connections)?

Supplemental Controls

These controls provide you with additional context on a supplier’s implementation of additional cryptographic and authentication controls. These answers may also be relevant to your assessment of Principle 1.

  • F.12: Does your organisation manage and control the use of, and access to, any cryptographic keys?
  • D.35: Does your organisation use opportunistic TLS on all email services and are you able to apply enforced TLS to specific domains on request?
  • D.6: Does your organisation enforce multi-factor authentication on all remotely accessible services?
  • F.13: Does your organisation secure remote access to its network or cloud environment using multi-factor authentication?

The information found within a supplier profile against these controls may be enough for you to determine how well the provider has met these goals. If not, move to step three.

Step 3: Engage with the supplier via discussions

If you need further information or clarification to give you enough confidence that the security goals have been met, you can request this from the supplier using the Discussions feature.

Summary

Risk Ledger’s Supplier Assessment Framework can be utilised to gather evidence on a cloud provider’s alignment with the NCSC Cloud Security Principles. However, the effectiveness of this alignment also depends on how the service is configured and deployed within your organisation. Modifying security controls to meet specific business requirements may reduce security protections and introduce additional risks.

The process outlined above for Principle 1: Data in Transit Protection should be repeated for each of the 14 NCSC Cloud Security Principles. For every principle, you should:

  • Understand the security goals.
  • Analyse the relevant controls & documentation to determine how effectively the security goals are met.
    • Note: Some controls may apply to multiple principles. Use the relevant supplier evidence and documentation specific to the principle being assessed.
  • Engage with the supplier via discussions.

Risk Ledger provides a baseline body of evidence. However, it is ultimately up to each client to review the evidence and make a determination, based on their requirements and overall risk appetite, as to whether a cloud provider sufficiently meets the goals of the NCSC Cloud Security Principles.
