Cloud security takes in a range of policies, technologies and security controls that serve to protect data, applications and the infrastructure associated with cloud computing.
Cloud security risks
Two main types of cloud security threats relate to issues faced by:
- cloud providers - who look after the infrastructure and the client's data and applications
- cloud customers - who rely on password protection and authentication measures
Key risks in the cloud include hacking, data theft, server faults and non-compliance. You can address each by deploying the same security solutions you would normally use to protect your in-house IT devices and networks.
Cloud security controls
Many of the common cyber security measures apply in a cloud-based environment as they do in conventional IT systems, including:
- firewalls and perimeter protection
- traffic monitoring and reporting
- spam filtering
- real-time alerts and analytics
Your security responsibility if you use cloud services
Providers and customers share the responsibility for maintaining and protecting the security of cloud services and systems.
As a buyer, your responsibilities will vary depending on the type of service involved. Your responsibilities will be largest when using Infrastructure as a Service (IaaS). Read more in the NCSC's guide on IaaS: managing your responsibilities.
Cloud security and data protection
If you are processing and storing sensitive business or personal data in the cloud, you will want to check that your provider takes security seriously. Things to consider include:
- Cloud provider vulnerabilities – are they following security best practices, patching regularly and implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?
- Technology vulnerabilities – are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?
- Access policies – did you agree standards and responsibilities between yourself and the provider? Defining roles and responsibilities can help ensure secure coverage and prevent potential liabilities in case of cyber incidents.
- Access controls – will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromises of your data by their personnel?
- Service level agreements – can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?
- Risk assessment and analysis – does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential damage?
- Legal and regulatory implications – for example, if you’re storing or processing personal data in the cloud, you will have to comply with the General Data Protection Regulation (GDPR).
See further guidance on cloud computing.