Organisations need 'adequate assurance' over cloud information security, says UK agency

Out-Law News | 19 May 2014 | 11:22 am | 1 min. read

Organisations should seek "adequate assurance" from cloud providers over claims those providers make about their compliance with information security principles, the information security arm of UK intelligence agency GCHQ has said.

CESG, which also acts as the National Technical Authority on Information Assurance, included the recommendation in new guidance it has issued on cloud security risk management.

The guidance, which outlines a step-by-step risk management strategy for cloud security, highlighted the need for organisations to do more than merely accept information security guarantees provided by cloud providers at face value.

"Considering the organisation’s business requirements, risk appetite and the information which will be exposed to the service provider, determine which cloud security principles are necessary to manage risks to the organisation’s information," the CESG guidance said. "[Then] identify which principles the cloud service under consideration claims to implement and the approach taken to implement them."

"[After that,] determine whether the service provider can offer adequate assurance that the principles have been implemented correctly and understand any risks which remain. Varying levels of assurance could be available. These may range from no assurance other than a supplier’s assertion, through to formal assurance provided by an independent and qualified third party."

The cloud security principles that the CESG guidance refers to are those it has developed in conjunction with the Cabinet Office. The 14 principles outline broad requirements on a range of different aspects of information security, ranging from protecting data in transit, security offered by sub-contractors and restricting access to the data by authenticated and authorised individuals only.

CESG and the Cabinet Office have both made it clear that the principles are for organisations to refer to when "evaluating the security features of cloud services" but that it is up to the individual organisations to determine "which of the security principles are important to them in the context of how they expect to use the [cloud] service".

In its latest guidance, CESG said that, on top of the security measures cloud providers adopt, organisations should consider whether "any additional mitigations ... can be applied as a consumer to help reduce information risk".