Applying the five controls to cloud services, for charities

What are cloud services?

Different components of computing are available to users remotely over the internet and payable on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are: Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.

The National Cyber Security Centre (NCSC) recommends that charities consider outsourcing some of their services to the cloud, as it easily enables remote working, secure access to data, managed storage and backups.

Using cloud providers to manage these aspects can give charities cost, scalability and security benefits. However, it is important that charities check the cloud provider’s security provision. If workers can access an organisation’s information from anywhere, then criminals can too. It is important that these services are set up correctly and have the essential security controls in place.

The three main categories of cloud computing

There are three major cloud service models. The aaS letters stand for ‘as a service’ which means organisations can rent facilities that are physically elsewhere for a range of different purposes. 

Software as a Service (SaaS)

A widely used cloud service is office software and web-based applications, which is known as Software as a Service or SaaS. An example of SaaS is Office 365, where you can sign into your Microsoft account on any machine and access applications such as Microsoft Word, Excel and PowerPoint. Dropbox, DocuSign, Slack and Trello are also examples of SaaS. The web applications and files are all stored on a computer in a data centre (the cloud), and this makes them accessible remotely from any computer as long as there is an internet connection.

For Software as a Service, the user organisation is usually only responsible for user access control and secure configuration, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.

Platform as a Service (PaaS)
Platform as a service offers developers a platform for software development and deployment over the internet, enabling them to access up-to-date tools. A person or company might use PaaS if they needed a collaborative development and deployment environment to create and manage custom applications, without the need to build and maintain the underlying infrastructure themselves.
Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

With Platform as a Service, the cloud service provider manages the security of the underlying infrastructure and operating system, and the user manages their data use and applications. This means the user needs to control the secure configuration, user access control and security update management.

Infrastructure as a Service (IaaS)
An IaaS cloud service provider hosts the infrastructure components that typically exist in an on-premises data centre including servers, storage and networking hardware as well as the hypervisor or virtualisation layer. A company might use IaaS if they need to develop bespoke applications and programmes but are not equipped to handle the infrastructure that this requires. The user organisation would access, configure and manage the resources using a dashboard or Application Programming Interface (API).

In addition to program development and testing, IaaS is also used for disaster recovery or backup, hosting complex websites, high-performance computing and big data analysis. Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

For Infrastructure as a Service, the cloud service provider only provides the hardware. The backing up and all of the security, including all 5 of the Cyber Essentials controls, are the user organisation’s responsibility. With this in mind, if a charity is using cloud solutions such as virtual servers and desktops, it is their responsibility to protect the virtual environment with regular security updates.

What are the security risks with cloud services?

Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces to locate valuable data. This is usually due to weak user access control and misconfiguration and is the responsibility of the cloud service customer.

Most data breaches involve weak, default or stolen passwords, which highlights the requirement for a comprehensive password policy and strong authentication. It is estimated that 99.9% of attacks can be blocked with multi-factor authentication. See guidance on MFA.

Who implements the five core controls to the cloud services?

The majority of cloud providers attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. Most invest a significant amount of resources to keep their services secure. However, they cannot control how their customers use the service, what data they add to it, and who has access. It is worth bearing in mind that not all cloud service providers understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.

When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to.

For more information, see guidance explaining the shared responsibility model.

The Cyber Essentials five core controls

User access control
User access control covers the precaution of controlling who can access your devices, accounts and data and what they can do once they have access. This is essential for all cloud service accounts.

Over half of all cyber attacks are orchestrated internally. A rogue employee or volunteer can use their knowledge and access to company information to steal data or commit fraud; many breaches are simply the result of an unintentional mistake.

This can be prevented when you use the rule of ‘least privilege’ and configure accounts with in-depth permission settings that only allow staff to access the information that they need to perform their role, but no more. Administrative accounts must be restricted, kept track of and not used to do day-to-day work, including reading emails or browsing the internet. Administrative accounts typically have the greatest level of access to information, applications and computers, and if accessed by attackers they can cause the most damage, because they can usually perform actions such as installing malicious software and making changes. It’s a good idea to have a comprehensive policy that details the processes for creating and controlling accounts with special access privileges, including how and when to revoke access to information in a timely way when a member of staff changes role or leaves the organisation.

Passwords are still currently the main method of securing access to almost all our different accounts and the data they are holding. Have a clear password policy that applies to everyone in your organisation, including trustees and contractors.
This should include:

How to create good passwords using three random words or a randomly generated password created by a password manager. (Your password policy will specify which one and how to use it.)

There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.

Enable multi-factor authentication (MFA) on all accounts on all of your cloud services.

Provide clear advice on good password hygiene, such as not using guessable passwords (e.g. children’s or pets’ names), not re-using or sharing passwords, and storing them securely in a password manager or locked out of sight.

Secure configuration
The responsibility of the user organisation for all cloud services.
An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks. Where you are able to do so, remove or disable all the software that you do not use on your cloud services.

Security update management
The responsibility of the user organisation for IaaS and PaaS cloud services.
To protect your charity, you should ensure that all your software, including operating systems, is licensed and supported. Security updates should be applied automatically where possible. Where it is not possible, all high and critical security updates need to be applied within 14 days.

Malware protection
The responsibility of the user organisation for IaaS and PaaS cloud services.
Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.

Firewalls
The responsibility of the user organisation for IaaS.

People and processes – educate your staff 

Although the potential cost saving, flexibility and scalability attracts many charities to cloud computing, it also represents a paradigm shift for their staff who need to understand new services, tools and processes. When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service. Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get charities that aren’t as familiar with cloud to be comfortable with modern techniques and practices.