This page outlines essential security principles to consider when evaluating cloud services, and why these may be important to your organisation. Some cloud services will fulfil all of the security principles, while others will fulfil only a subset.
Consumers of cloud services should decide which of the principles are important, and how much assurance they require in the implementation of these principles. Providers of cloud services should consider these principles when presenting their offerings to public sector consumers. This will allow consumers to make informed choices about which services are appropriate for their needs.
Some of the important security principles are as follows.
- Separation between consumers: Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.
- Operational security: The service provider should have processes and procedures in place to ensure the operational security of the service.
- Personnel security: Service provider staff should be subject to personnel security screening and security education for their role.
- Secure development: Services should be designed and developed to identify and mitigate threats to their security.
- Secure use of the service by the consumer: Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.
- Data in transit protection: Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.