Cloud Security Principles – Part 5 – Operational Security

Posted on 8 October 2017

In our ongoing series of blog posts looking at the National Cyber Security Centre's 14 Cloud Security Principles, this post looks at the fifth principle, operational security.

The principle states that “The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.”

Within this principle there are four elements that need to be looked at: configuration and change management, vulnerability management, protective monitoring and incident management.

Configuration and change management

You should have an accurate picture of the assets which make up the service, along with their configurations and dependencies. Changes which could affect the security of the service should be identified and managed, and unauthorised changes should be detected. Where change is not effectively managed, security vulnerabilities may be unwittingly introduced to a service, and even where a vulnerability is known about it may not be fully mitigated.

For this you should have confidence that:

  • The status, location and configuration of service components (both hardware and software) are tracked throughout their lifetime.
  • Changes to the service are assessed for potential security impact, then managed and tracked through to completion.
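
The two points above come down to one check you can automate: compare what is actually running against the tracked baseline, and treat any difference that does not match a security-assessed, approved change record as unauthorised. The following is an added example written for this post, not code from the NCSC or from any cloud provider; the component inventory, the scan results and the change tickets (CHG-1042, CHG-1050) are constructed data, and the record layout is an assumption.

```python
import hashlib
import json

# Constructed baseline: the approved record of each component that makes up the service,
# with its location and configuration (hypothetical data, not a real estate).
BASELINE = {
    "web-01": {"location": "eu-west-2a",
               "config": {"image": "web:4.2.1", "tls_min_version": "1.2", "open_ports": [443]}},
    "db-01": {"location": "eu-west-2b",
              "config": {"image": "pg:9.6.5", "encryption_at_rest": True, "open_ports": [5432]}},
    "worker-01": {"location": "eu-west-2a",
                  "config": {"image": "worker:1.3.0", "open_ports": []}},
}

# Constructed result of an inventory scan of what is actually running now.
OBSERVED = {
    "web-01": {"location": "eu-west-2a",
               "config": {"image": "web:4.2.1", "tls_min_version": "1.2", "open_ports": [443, 8080]}},
    "db-01": {"location": "eu-west-2b",
              "config": {"image": "pg:9.6.6", "encryption_at_rest": True, "open_ports": [5432]}},
    "cache-01": {"location": "eu-west-2a",
                 "config": {"image": "redis:4.0", "open_ports": [6379]}},
}

# Constructed change records. Only a change that has been security-assessed AND approved
# is allowed to explain a difference; CHG-1050 is still only proposed, so it does not count.
CHANGE_RECORDS = [
    {"ticket": "CHG-1042", "component": "db-01", "status": "approved", "security_assessed": True,
     "expected": {"location": "eu-west-2b",
                  "config": {"image": "pg:9.6.6", "encryption_at_rest": True, "open_ports": [5432]}}},
    {"ticket": "CHG-1050", "component": "web-01", "status": "proposed", "security_assessed": False,
     "expected": {"location": "eu-west-2a",
                  "config": {"image": "web:4.2.1", "tls_min_version": "1.2", "open_ports": [443, 8080]}}},
]


def state_hash(state):
    """Canonical SHA-256 over location + configuration; key order and whitespace do not matter."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def flatten(state):
    """Location and configuration keys in one dict, so a diff shows both kinds of change."""
    return {"location": state["location"], **state["config"]}


def config_diff(before, after):
    """Keys whose value differs, as (before, after) pairs."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys) if before.get(k) != after.get(k)}


def detect_changes(baseline, observed, change_records):
    """Compare the observed estate with the baseline and classify every difference."""
    approved = {(c["component"], state_hash(c["expected"])): c["ticket"]
                for c in change_records if c["status"] == "approved" and c["security_assessed"]}
    findings = []
    for name, state in observed.items():
        if name not in baseline:
            findings.append({"component": name, "issue": "untracked component"})
            continue
        if state_hash(state) == state_hash(baseline[name]):
            continue  # unchanged
        ticket = approved.get((name, state_hash(state)))
        if ticket:
            findings.append({"component": name, "issue": "approved change", "ticket": ticket})
        else:
            findings.append({"component": name, "issue": "unauthorised change",
                             "diff": config_diff(flatten(baseline[name]), flatten(state))})
    for name in baseline:
        if name not in observed:
            findings.append({"component": name, "issue": "missing component"})
    return findings


if __name__ == "__main__":
    for f in detect_changes(BASELINE, OBSERVED, CHANGE_RECORDS):
        print(f)
```

Run against the constructed data, the scan reports four findings: the extra port 8080 on web-01 is an unauthorised change (its ticket was never assessed or approved), the database upgrade on db-01 matches approved change CHG-1042, cache-01 is running but was never tracked, and worker-01 is tracked but no longer present. Hashing the canonical JSON means an approved change is matched on its whole expected end state, so a ticket cannot be used to smuggle in a second, unrelated modification to the same component.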

Vulnerability management

Service providers should have a management process in place to identify, triage and mitigate vulnerabilities. Services which do not will quickly become vulnerable to attack using publicly known methods and tools.

For this element you should have confidence that:

  • Potential new threats, vulnerabilities or exploitation techniques which could affect your service are assessed and corrective action is taken.
  • Relevant sources of information relating to threat, vulnerability and exploitation techniques are monitored by the service provider.
  • The severity of threats and vulnerabilities is considered within the context of the service and this information is used to prioritise the implementation of mitigations.
  • Using a suitable change management process, known vulnerabilities are tracked until mitigations have been deployed.
  • You know the service provider's timescales for implementing mitigations and are content with them.
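
The third, fourth and fifth points above describe a small amount of logic: read each published severity in the context of the affected component, set a due date from the agreed timescale for that priority, and keep the vulnerability on the register until a mitigation has actually been deployed. The following is an added example written for this post, not code from the NCSC; the register entries (VULN-1 to VULN-3), the adjustment rules in contextual_priority and the timescales in MITIGATION_DAYS are constructed assumptions, and the date used as "today" is the date of this post.

```python
from datetime import date, timedelta

# Constructed vulnerability register (hypothetical). base_severity is the rating as published
# (for instance derived from a CVSS score); the remaining fields are what the service knows
# about the affected component, which is the context the severity has to be read in.
VULNERABILITIES = [
    {"id": "VULN-1", "component": "web-01", "base_severity": "medium",
     "internet_facing": True, "sensitive_data": False, "exploit_public": True,
     "reported": date(2017, 10, 1), "mitigated": None},
    {"id": "VULN-2", "component": "db-01", "base_severity": "high",
     "internet_facing": False, "sensitive_data": True, "exploit_public": False,
     "reported": date(2017, 9, 1), "mitigated": None},
    {"id": "VULN-3", "component": "worker-01", "base_severity": "low",
     "internet_facing": False, "sensitive_data": False, "exploit_public": False,
     "reported": date(2017, 9, 20), "mitigated": date(2017, 10, 5)},
]

SEVERITY_SCALE = ["low", "medium", "high", "critical"]

# Assumed agreed timescales from report to deployed mitigation, by contextual priority.
MITIGATION_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


def contextual_priority(v):
    """Move the published severity up or down the scale according to the service context."""
    rank = SEVERITY_SCALE.index(v["base_severity"])
    if v["internet_facing"]:
        rank += 1          # reachable by anyone
    if v["exploit_public"]:
        rank += 1          # attack with publicly known methods and tools is now cheap
    if v["sensitive_data"]:
        rank += 1          # impact of a successful exploit is higher
    if not v["internet_facing"] and not v["exploit_public"]:
        rank -= 1          # needs internal access and bespoke effort
    return SEVERITY_SCALE[max(0, min(rank, len(SEVERITY_SCALE) - 1))]


def triage(vulns, today):
    """Prioritise the register and mark each entry against its mitigation timescale."""
    register = []
    for v in vulns:
        priority = contextual_priority(v)
        due = v["reported"] + timedelta(days=MITIGATION_DAYS[priority])
        if v["mitigated"] is not None:
            status = "mitigated" if v["mitigated"] <= due else "mitigated late"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        register.append({"id": v["id"], "component": v["component"], "priority": priority,
                         "due": due.isoformat(), "status": status})
    # highest priority first, earliest due date first within a priority
    register.sort(key=lambda r: (-SEVERITY_SCALE.index(r["priority"]), r["due"]))
    return register


def outstanding(register):
    """Entries still to be tracked through the change process until a mitigation is deployed."""
    return [r for r in register if r["status"] in ("open", "overdue")]


if __name__ == "__main__":
    for row in triage(VULNERABILITIES, date(2017, 10, 8)):
        print(row)
```

On the constructed data the "medium" issue on the internet-facing web server with a public exploit becomes critical and is already overdue against a two-day timescale, the "high" database issue stays high because it is internal-only and is also overdue, and the worker issue was mitigated well within its window. That reordering is the point of reading severity in context: the published rating alone would have put the database issue first.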

Protective monitoring

A service which does not effectively monitor for attack, misuse and malfunction will be unlikely to detect attacks (both successful and unsuccessful). As a result, it will be unable to quickly respond to potential compromises of your environments and data.

For this element you should have confidence that:

  • The service generates adequate audit events to support effective identification of suspicious activity.
  • These events are analysed to identify potential compromises or inappropriate use of your service.
  • The service provider takes prompt and appropriate action to address incidents.
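
"Adequate audit events" and "analysed to identify potential compromises" are only meaningful if concrete rules run over the events, so here is what that analysis can look like at its simplest. This is an added example written for this post, not code from the NCSC or from any cloud provider: the audit records are constructed JSON lines in a generic style rather than any real provider's schema, and the trusted admin network, privileged action names, change window and failure threshold are assumptions a real service would set for itself.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit events (one JSON object per line). Hypothetical generic format; the
# addresses are documentation ranges and the actors are invented.
AUDIT_LOG = """
{"time": "2017-10-08T09:00:01Z", "actor": "alice", "action": "ConsoleLogin", "result": "failure", "src": "198.51.100.7"}
{"time": "2017-10-08T09:00:09Z", "actor": "alice", "action": "ConsoleLogin", "result": "failure", "src": "198.51.100.7"}
{"time": "2017-10-08T09:00:15Z", "actor": "alice", "action": "ConsoleLogin", "result": "failure", "src": "198.51.100.7"}
{"time": "2017-10-08T09:00:22Z", "actor": "alice", "action": "ConsoleLogin", "result": "failure", "src": "198.51.100.7"}
{"time": "2017-10-08T09:00:30Z", "actor": "alice", "action": "ConsoleLogin", "result": "failure", "src": "198.51.100.7"}
{"time": "2017-10-08T09:00:41Z", "actor": "alice", "action": "ConsoleLogin", "result": "success", "src": "198.51.100.7"}
{"time": "2017-10-08T09:05:00Z", "actor": "bob", "action": "ConsoleLogin", "result": "success", "src": "203.0.113.10"}
{"time": "2017-10-08T09:06:12Z", "actor": "bob", "action": "UpdateSecurityGroup", "result": "success", "src": "203.0.113.10"}
{"time": "2017-10-08T23:40:05Z", "actor": "deploy-svc", "action": "UpdateSecurityGroup", "result": "success", "src": "203.0.113.10"}
{"time": "2017-10-08T23:41:00Z", "actor": "root", "action": "CreateUser", "result": "success", "src": "203.0.113.10"}
"""

# Assumed policy for the example service.
TRUSTED_ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]
PRIVILEGED_ACTIONS = {"UpdateSecurityGroup", "CreateUser", "AttachPolicy"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)
CHANGE_WINDOW_HOURS = range(8, 18)   # approved change window, 08:00 to 17:59 UTC


def parse_events(text):
    """Parse one JSON object per line; timestamps become datetimes so they can be compared."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def from_trusted_network(src):
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)


def detect(events):
    """Run the detection rules over time-ordered events; return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(list)   # (actor, src) -> failed-login times inside the window

    def alert(rule, e):
        alerts.append({"rule": rule, "actor": e["actor"], "src": e["src"],
                       "action": e["action"], "time": e["time"].isoformat()})

    for e in events:
        # Rule 1: any use of the root account is reportable, whatever the action.
        if e["actor"] == "root":
            alert("root_account_activity", e)

        if e["action"] == "ConsoleLogin":
            key = (e["actor"], e["src"])
            window = [t for t in recent_failures[key] if e["time"] - t <= FAILED_LOGIN_WINDOW]
            if e["result"] == "failure":
                window.append(e["time"])
                if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is hit
                    alert("repeated_login_failures", e)     # Rule 2: credential guessing
            else:
                if len(window) >= FAILED_LOGIN_THRESHOLD:
                    alert("login_after_repeated_failures", e)   # Rule 3: guessing that worked
                if not from_trusted_network(e["src"]):
                    alert("login_from_untrusted_network", e)    # Rule 4
                window = []   # a successful login resets the counter
            recent_failures[key] = window
            continue

        # Rule 5: privileged changes are expected only inside the agreed change window.
        if (e["action"] in PRIVILEGED_ACTIONS and e["result"] == "success"
                and e["time"].hour not in CHANGE_WINDOW_HOURS):
            alert("privileged_change_outside_window", e)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(AUDIT_LOG)):
        print(a)
```

On the constructed log the rules raise six alerts: alice's fifth failure, her success straight after it, that success arriving from outside the admin network, two security-sensitive changes made late at night, and the root account creating a user. bob's daytime change from the admin network raises nothing, which is the other half of protective monitoring: events are only useful if the analysis separates expected administration from the rest. Rule 3 is the one worth keeping even if you keep nothing else, since a successful login following a burst of failures is the point at which a guessing attack has become a compromise.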

Incident management

Unless carefully pre-planned incident management processes are in place, poor decisions are likely to be made when incidents do occur, potentially exacerbating the overall impact on users.

These processes needn't be complex or require large amounts of documentation, but good incident management will minimise the impact on users of security, reliability and environmental issues with a service.

For this final element you should have confidence that:

  • Incident management processes are in place for the service and are actively deployed in response to security incidents.
  • Pre-defined processes are in place for responding to common types of incident and attack.
  • A defined process and contact route exists for the reporting of security incidents by consumers and external entities.
  • Security incidents of relevance to you will be reported in acceptable timescales and formats.

To read more about all the Cloud Security Principles – go here

Or, if you would like to talk about your cloud security and how we can help, please contact us.
