Cloud Security Advice

If you are interested in securely storing and processing data in the cloud, as well as using cloud platforms to create and host your own services, this guidance will assist you in doing so.

The use of cloud services is continuously expanding, both in terms of quantity and the variety of services being developed and hosted in the cloud. In fact, when organizations seek new IT services, the cloud is typically their preferred choice, as demonstrated by the UK government's Cloud First Policy.

Given this context, it is crucial to select and construct new services in a manner that takes their security requirements into account.

Who is this guidance intended for?

This guidance is applicable to all organizations, helping them navigate through the sometimes complex array of technologies that constitute 'the cloud', as well as the management models that underlie its usage.

In particular:

If you already use cloud services, you should refer to the section on evaluating the security of your selected services when considering additions or updates. To assess your existing deployments, refer to the actions described in the section "Using cloud services securely."

If you do not handle or process sensitive data, the streamlined approach to cloud security may be most beneficial to you.

If you represent a larger business or enterprise (including the public sector), you should select a cloud provider based on the cloud security principles. Once you have made your choice, you must configure and utilize your chosen cloud service in a secure manner, as outlined by the shared responsibility model.

Note:

For individuals seeking advice on securely using online services, our Cyber Aware advice on staying secure online is recommended.

This collection includes:

• An introduction to cloud security.
• Providing definitions for common terms and offering background information on the various sections of this guide.
• Understanding cloud services

Cloud services can be examined from different perspectives. This section covers:

• Service models and deployment models.
• The 'shared responsibility model' employed by numerous cloud providers to handle day-to-day security management.

Two specific security techniques: separation and cryptography.

• Choosing a cloud provider

Exploring the cloud security principles and how to utilize them, in addition to our lightweight security framework and some vendor responses to these principles.

• Using cloud services securely

Outlining the necessary actions that customers of cloud services should take. This includes advice for cloud platforms, software as a service (SaaS), and those aiming to migrate their operations to the cloud.