Serviceteam IT Security News

The extent of your responsibility will vary depending on the deployment model of the cloud service and the scenario in which you intend to use the service. Specific features of individual services may also have a bearing. For example, how a content delivery network protects your private key, or how a cloud payment provider detects fraudulent transactions, are important security considerations over and above the general considerations covered by the cloud security principles.

With IaaS and PaaS offerings, you are responsible for significant aspects of the security of your data and workloads. For example, if you procure an IaaS compute instance, you will normally be responsible for installing a modern operating system, configuring that operating system securely, securely deploying any applications, and maintaining that instance by applying patches or performing any required maintenance.

Goals

You:

  • understand any service configuration options available to you and the security implications of your choices
  • understand the security requirements of your use of the service
  • educate the staff who use and manage the service on how to do so safely and securely

Implementation

| Approach | Description | Guidance |
| --- | --- | --- |
| Enterprise managed devices | The service is accessed from devices under your control. | A single compromised device would have access to any data, functionality or credentials accessible to authorised users of that device. However, since the devices are under your control, you can configure them securely. See our End User Devices Security Guidance for advice in this area. |
| Partner managed devices | The service is accessible from devices you understand the configuration of, or have some control over. For example, via contractual clauses or conformance with your security requirements. | A single compromised device would have access to any data, functionality or credentials accessible to authorised users of that device, so it's important to ensure the configuration is adequate. If you rely on contracts to enforce your security requirements with partners, then they need to be well written to ensure they will be effective. |
| Unknown devices | You have little knowledge of the configuration or state of devices accessing the service. | It is impossible for you to identify compromised devices, so you should assume that a non-zero percentage of devices will be compromised. |

Additional Notes – End user devices connecting to the service

As well as risks to the cloud service, to anything you build upon the service, and to your data, you should consider the risks relating to your enterprise networks and the end user devices connected to the service.

For some of your data and workloads it may be appropriate to require the use of enterprise-issued and managed devices with an appropriate configuration to ensure sufficient security. Risks associated with different options are described in the table above.


Source: NCSC
