Explaining the Shared Responsibility Model:

Keeping your client, donor and supporter’s data secure in the cloud

Cloud services are not secure by default

The five core controls of Cyber Essentials will help protect your charity’s data and services from most common cyber attack approaches. The five controls also need to be applied to all cloud services. Why is this? Surely we can rely on Google, Microsoft, Amazon or whoever the cloud service provider is to take care of security? Many cloud providers do make the security controls available, but the user often has to set up some of the controls themselves.

Think of it this way: when you sign up for a social media account, it is possible to log in and immediately start posting ‘whatever is on your mind’. Most social media sites are designed to optimise openness to encourage social networking and will have maximum sharing as the default setting. This means that before you post any information or images, it would be wise to look up how the settings work in order to decide the level of privacy that is appropriate for you.

In a similar way, when you sign up to a cloud service, you have responsibility for the technical setup, including the security settings of the service. It is not all down to the provider. If you do not do this, you may have little to no security; this comes as news to many people.

Did you know that the first account set up on Microsoft 365 is, by default, a global admin? These accounts have full power to configure and change the settings and controls of everything in your organisation’s account. If this account is set up without the necessary security controls and is then hacked, an attacker could access your whole system and possibly take all the data out of the organisation. This could completely wipe out a charity.

The huge control panels within the admin centre of a cloud service such as Microsoft or Google can be a daunting prospect, and anyone setting up accounts will need to set role assignments, groups and permissions for each account, as well as passwords and multi-factor authentication. This is the same whether you are a large enterprise or a micro charity, and therefore expert guidance in configuring these settings may be a necessity.
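As an added example (not part of the original article), the following Microsoft Graph PowerShell script lists the Global Administrator accounts in a Microsoft 365 tenant and flags any that have no second factor registered. It assumes the Microsoft.Graph module is installed and that the signed-in account is permitted to read directory roles and users’ authentication methods; the threshold of four admins is an assumed value, not a Microsoft or Cyber Essentials figure.

```powershell
# Added example: audit Global Administrator accounts for MFA registration.
# Assumes the Microsoft.Graph PowerShell module and read-only Graph permissions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Registered methods that count as a second factor (a password alone does not).
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# The role object is present once activated; the first account created in the tenant is a member.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $role) { throw "Global Administrator role not found in this tenant." }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Only user accounts carry authentication methods; skip groups and service principals.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user    = Get-MgUser -UserId $member.Id -Property DisplayName,UserPrincipalName,AccountEnabled
    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    [pscustomobject]@{
        User          = $user.UserPrincipalName
        Enabled       = $user.AccountEnabled
        MfaRegistered = [bool]($types | Where-Object { $strongMethods -contains $_ })
    }
}

$report | Format-Table -AutoSize

# Two findings worth acting on: admins with no second factor, and more admins than needed.
$report | Where-Object { -not $_.MfaRegistered } |
    ForEach-Object { Write-Warning "Global admin without MFA registered: $($_.User)" }

$maxAdmins = 4   # assumed threshold; set to what your charity can justify
if (@($report).Count -gt $maxAdmins) {
    Write-Warning "$(@($report).Count) global admins found; keep this to the minimum needed."
}
```

Run it after the initial setup and again whenever accounts change; a global admin showing MfaRegistered = False is the single highest-risk finding described in this section.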

Small charities that have not fully or correctly configured their cloud service accounts can be easy prey for attackers, and this makes them a high risk for donors, funding contracts and supply chains.

Do your homework

When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud provider that is responsible for implementation whereas for other features, it is the user organisation (your charity). Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Working with a cloud provider can be unfamiliar and new for some charities, and it is helpful to outline from the start where the line is between the cloud provider’s security responsibilities and those of your charity. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. The charity director or IT manager should reference their service-level agreements (usually within the small print that you sign up to when you buy the service), and clear up any confusion with the provider when necessary to ensure a successful security strategy. Understanding and documenting your responsibility for the security controls for each of your cloud providers is important. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your charity if there are difficulties.

You do not have physical control over the servers owned by your cloud service provider, so how do you know if they are secure?

With 24/7 onsite security, advanced encryption, secure backups and firewall-protected servers, most cloud service providers have invested in security features that you could never match if you used your own servers. However, it is worth bearing in mind that not all cloud service providers understand or value security. It is essential that you research the security controls used by the cloud service provider before entrusting organisational data to that service. Have you checked the security features of the platform you’re using?

What to look for

  • The location of the servers in ‘the cloud’ that hold your data is very important. This is the legal location of the data, and if that is ‘personal data’, you may be breaking GDPR law if it is located outside the UK or the European Union.
  • Look for a cloud service provider that offers the option to enable multi-factor authentication for access to all accounts.
  • The data centres that hold your organisational data should hold an internationally recognised security standard such as ISO 27001.

The Cyber Essentials requirements specify that where the cloud provider implements a control, it is your responsibility to satisfy yourself that this has been done to the required standard. Details of how these controls are implemented can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by the contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.

The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and state whether the provider or the customer is responsible for each aspect of security operations and management. With smaller providers or Software as a Service products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud

For further information, see guidance on applying the five controls to cloud services for charities.

Cyber expertise

In the last three years, the cyber security sector has grown exponentially and, consequently, IT and cyber security staff are in short supply. In-house or outsourced expertise applied to your specific setup is a crucial security factor. Charities can use internal experts, external consultants and third-party providers, but it is worth noting that a cyber security consultant is often needed in addition to IT support.

Charities can contact one of the Cyber Essentials Certification Bodies, which are located around the UK and the Crown Dependencies, for cyber security advice. These experts are trained and licensed to certify against Cyber Essentials and can offer consulting services.