In our ongoing series of blog posts on the National Cyber Security Centre's 14 Cloud Security Principles, this post looks at secure development (Principle 7).
The cloud services you use should be designed and developed to identify and mitigate threats to their security. Services that aren't may contain security issues that could compromise your data, cause loss of service or enable other malicious activity.
For whichever service you choose, you should be confident that:
- New and evolving threats are reviewed and the service improved in line with them.
- Development is carried out in line with industry good practice regarding secure design, coding, testing and deployment.
- Configuration management processes are in place to ensure the integrity of the solution through development, testing and deployment.
There are three approaches a service provider may take to demonstrating this, each offering a different level of assurance.
Engineering approaches consider security as an important factor
Here, the service provider asserts that a number of controls are in place to ensure the security of the service, but offers no external evidence for the claim. You will therefore need to carry out your own assessment of whether the controls described are appropriate and are actually implemented.
Engineering approach adheres to a secure development standard or recognised good practice
A number of security standards and good practice guides exist that a service provider may claim to follow in support of the goals outlined above. These include:
A claim to implement one of these standards appears reassuring, but without independent confirmation you will need to judge for yourself whether it gives you sufficient confidence that all parts of the system are securely engineered, not just the parts the provider chose to describe.
Independent review of engineering approach against recognised secure development standard
A number of security standards with supporting certification schemes exist that can be used to demonstrate conformance with the goals outlined above. These include:
In this scenario it is advisable to check that any certification has been performed by an appropriately independent and recognised party, that it is current, and that the scope of the assessment actually covered the secure development aspects of the service you rely on. A certificate whose scope excludes the development process tells you little about how the service was built.
To read more about all the Cloud Security Principles – go here
Or, if you would like to talk about your cloud security and how we can help, please contact us.