john godwin's presentation at digital leaders conference 2015


Page 1: John Godwin's Presentation at Digital Leaders Conference 2015

Page 1 © Skyscape Cloud Services 2015 Commercial In Confidence

The rise of public sector cloud

A major drive by the UK Public Sector to improve public facing services and reduce costs.

Digital by Default and Cloud First agendas.

Secure multi-tenancy cloud environments enable better resource utilisation and lower prices for the customer.

Key consideration for the rights of citizens and the protection of their data.

So data security and assurance remains the most important consideration.

Not all cloud service suppliers are the same – they need to willingly demonstrate their level of competence to their customers.

Page 2

Public sector data – it’s OFFICIAL

Not the same!

Page 3

The 14 CESG Cloud Security Principles

1. Data in transit protection

2. Asset protection and resilience

3. Separation between consumers

4. Governance (e.g. ISO27001)

5. Operational process security

6. Personnel security, screening

7. Secure code development

8. Supply chain security

9. Secure consumer management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information provision to consumers

14. Secure use of the service by the consumer

(more detail on the .gov.uk website)

Page 4

Demonstrating credibility

1. Cloud Service Provider Assertions

Demonstrating an acceptable level of information security maturity.

Experienced information and technical security resources.

Where is the cloud service? (sovereignty, data protection, etc.)

Regular, proactive security testing activities.

Evidence of capable responses to previous security challenges.

2. Contractual Commitments

Specific, measurable performance indicators within contracts (e.g. maintaining certifications, clean test results, security incident responses, etc.)

Page 5

Demonstrating credibility

3. Independent Validation of Assertions

Independent third party tests, properly scoped to test the supplier’s assertions.

Holding certificates of compliance against relevant, recognised standards.

Controls reviewed by a suitably qualified individual (e.g. CESG Cert. IA Auditor).

4. Independent Testing of Implementation

Proper scoping of testing activities, undertaken by a suitably qualified organisation/individual.

Testing activities to demonstrate that controls have been properly implemented: CHECK, CREST, Tiger.

Page 6

Demonstrating credibility

5. Assurance in the Service Design

Service designed/reviewed by a qualified individual (CESG Cert. IA Architect).

Provides additional independent assurance about the robustness of security controls.

6. Assurance in the Service Components

Scope of testing of assured products/services.

Suitability of different assessment schemes.

Foundation Grade assurance is considered a good commercial level of security. Also requires checks on configuration and use.

Page 7

Supporting cloud customers

The Digital Marketplace allows public sector customers to make easier comparisons between different cloud service suppliers.

Risk-based decisions remain with the data-owning customer.

There is an expectation that customers will be “kicking the tyres”…

If information security skills need boosting, they should seek credible assistance.

They should challenge suppliers to evidence their security assertions willingly.

Gain confidence from existing accreditations or previous customer validations.

If it looks suspicious, or the supplier evidence doesn’t add up, trust their instincts.

Monitor cloud suppliers carefully; seek regular and meaningful interactions.

Page 8

Thank you

[email protected]

@johngodwin1