Roadmap about migration of public services into the cloud

A step-by-step roadmap for Public Authorities to help them as they plan, determine effort and budget, select the appropriate services, make the required internal organisational changes and finally execute the migration into the cloud.
Cloud computing security is an evolving sub-domain of information security and refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure. There are a number of security concerns associated with cloud computing, which can be broadly classified into two categories: (a) issues faced by Cloud Service Providers (CSPs) and (b) issues faced by their customers. Providers must ensure that their infrastructure is secure and that clients' data and applications are protected; customers, on the other hand, must ensure that their provider has taken appropriate security measures to protect their information. The security expectations and obligations of both supplier and user are described in Service Level Agreements (SLAs) (Gianakoulias, 2016).
Organisations need to understand the specific security requirements, regarding data protection, audits, etc., and any regulations that apply to a particular application they are looking to move to the cloud. To achieve this, they should map every application that is a candidate for cloud migration to the set of security, governance, and compliance issues specific to that application. This gives them a clear view of the application's requirements, and of how the migration and re-development effort should affect the application's operations.
The UK's National Technical Authority for Information Assurance, which provides advice on Information Assurance Architecture and cyber-security to UK government, the wider public sector and suppliers to UK government, published 14 security principles to consider when evaluating cloud services, along with why each may be important to an organisation.
| Cloud Security Principle | Description |
|---|---|
| 1. Data in transit protection | Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption. |
| 2. Asset protection and resilience | Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. |
| 3. Separation between consumers | Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another. |
| 4. Governance framework | The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it. |
| 5. Operational security | The service provider should have processes and procedures in place to ensure the operational security of the service. |
| 6. Personnel security | Service provider staff should be subject to personnel security screening and security education for their role. |
| 7. Secure development | Services should be designed and developed to identify and mitigate threats to their security. |
| 8. Supply chain security | The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement. |
| 9. Secure consumer management | Consumers should be provided with the tools required to help them securely manage their service. |
| 10. Identity and authentication | Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals. |
| 11. External interface protection | All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them. |
| 12. Secure service administration | The methods used by the service provider's administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service. |
| 13. Audit information provision to consumers | Consumers should be provided with the audit records they need to monitor access to their service and the data held within it. |
| 14. Secure use of the service by the consumer | Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected. |
Consumers of cloud services should decide which of these principles matter to them, and how much assurance they require that each is implemented, while providers of cloud services should consider these principles when presenting their offerings to public sector consumers. This allows consumers to make informed choices about which services are appropriate for their needs.