Top 5 NCSC Cloud Security Principles for Compliance

5 years ago Tripwire Guest Authors

There are many important factors to consider when choosing a cloud provider for your cloud use cases. For organizations in heavily regulated industries, compliance with relevant regulations is one of the most important things to think about. Whether you’re planning for a single cloud workload or a hybrid multi-cloud setup, maintaining compliance for sensitive data in the cloud is imperative.

The 14 Cloud Security Principles released by the National Cyber Security Centre (NCSC) provide guidance to organizations in the UK when evaluating cloud providers. This article focuses on the five principles that matter most from a compliance perspective, to help your business choose a suitable cloud vendor.

Principle 1: Protecting Data in Transit

Modern business IT infrastructures are complex, and data regularly moves between different systems across the network. It’s critical to protect sensitive data belonging to your customers and employees as it travels between business applications or devices and the cloud. It’s also imperative that your cloud vendor protects data in transit inside the cloud, such as when data is replicated to a different region to ensure high availability.

Some crucial things to look out for, to ensure compliance in the context of data in transit, are:

  • Your cloud vendor enforces encryption, which prevents third parties from reading confidential data.
  • Your cloud vendor uses fiber optic connections to connect data centers privately.
  • The vendor uses a recent version of TLS to provide authentication, integrity, and encryption for data in transit.
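As an added example, not code from the original article or from Tripwire, here is what a customer-side check for the TLS item above can look like in Python: a hardened client `SSLContext` that keeps certificate and hostname verification on and refuses anything below TLS 1.2, plus an audit over constructed connection records of the kind an egress proxy or flow log produces. The hostnames, record fields, protocol labels and the TLS 1.2 floor are assumptions made for this example; the article itself only says "a recent version of TLS".

```python
import ssl

# Policy floor assumed for this example; the article only asks for "a recent version of TLS".
MIN_TLS = ssl.TLSVersion.TLSv1_2

# Rank of protocol labels as they typically appear in proxy/flow logs (constructed mapping).
_VERSION_RANK = {"SSLv2": 0, "SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1,
                 "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
_MIN_RANK = _VERSION_RANK["TLSv1.2"]


def make_client_context() -> ssl.SSLContext:
    """Client context for connections to the cloud provider.

    create_default_context() already requires a valid certificate chain and
    checks the hostname (authentication); raising minimum_version closes the
    door on protocol downgrade to TLS 1.0/1.1 (integrity and encryption).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces authentication, hostname checks and the floor."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= MIN_TLS)


# Constructed sample records, shaped like an egress proxy or flow log might emit them.
SAMPLE_RECORDS = [
    {"dst": "storage.example.cloud", "port": 443, "protocol": "TLSv1.3"},
    {"dst": "legacy.example.cloud", "port": 443, "protocol": "TLSv1.0"},
    {"dst": "replica.example.cloud", "port": 80, "protocol": None},   # plaintext
    {"dst": "api.example.cloud", "port": 443, "protocol": "TLSv1.2"},
]


def record_is_compliant(record: dict) -> tuple[bool, str]:
    """Classify one observed connection against the data-in-transit policy."""
    proto = record.get("protocol")
    if proto is None:
        return False, "plaintext connection"
    rank = _VERSION_RANK.get(proto)
    if rank is None:
        return False, f"unknown protocol label {proto!r}"   # fail closed, do not guess
    if rank < _MIN_RANK:
        return False, f"{proto} is below the TLS 1.2 floor"
    return True, "ok"


def audit_transit(records: list[dict]) -> list[tuple[str, str]]:
    """Return (destination, reason) for every record that violates the policy."""
    findings = []
    for rec in records:
        ok, reason = record_is_compliant(rec)
        if not ok:
            findings.append((rec["dst"], reason))
    return findings


if __name__ == "__main__":
    for dst, reason in audit_transit(SAMPLE_RECORDS):
        print(f"{dst}: {reason}")
```

The unknown-label branch fails closed on purpose: a log line whose protocol field the audit does not recognise is reported rather than silently accepted, which is the behaviour you want from any compliance check.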

Principle 2: Asset Protection and Resilience

This principle states that cloud service providers should protect your company’s data against physical tampering, loss, or damage. In the context of compliance, an important aspect of this principle is the need to know where your data is stored, processed, and managed.

Different regulations have different requirements about where protected data can be stored. For example, some regulations stipulate that data can only be transferred to companies with sufficient levels of protection in processing personal data. If your business opts for a cloud provider that doesn’t provide transparency over the location of data, you could end up unknowingly in breach of regulations.

Principle 3: Separation Between Customers

The last thing your business wants is to use a public cloud service only to find that a malicious hacker accessed your sensitive data by compromising another customer first. This type of concerning non-compliance scenario can happen when there is an insufficient separation between different customers of a cloud service.

Another plausible situation is where a competitor actively seeks to exploit your data. The competitor may know that you use the same cloud service and that the vendor doesn’t adequately separate different customers.

Before choosing a service provider, due diligence is critical so that you can be confident your data is separated from other customers’ data. This confidence can come from a vendor that can show the results of an independent penetration test on its services. For additional confidence, it might be worth opting for one of the big names instead of choosing a new and unproven cloud service provider.

Principle 10: Identity and Authentication

Verifying users are who they say they are is essential for compliance purposes. When anyone in your business with cloud access attempts to use the cloud, there should be strong authentication and access controls in place. Look out for the following authentication features at a minimum:

  • Multifactor authentication so that users of the service can’t simply log in with a username-password pair.
  • The option to use private network connections to access the cloud service.
  • The ability to limit the lifetime of login sessions.
  • The use of locking or limiting accounts where brute force login attempts are detected.
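As an added example, not the article's own code, the following Python sketches the controls the list above asks for from the customer's side of the service: an `AuthPolicy` that never accepts a password alone, locks an account after repeated failures inside a sliding window, and a session check that enforces both an absolute lifetime and an idle timeout. The thresholds are assumptions chosen for the example, not figures from the NCSC principles, and the `password_ok`/`mfa_ok` flags stand in for whatever the real credential and second-factor verification returns.

```python
from dataclasses import dataclass, field

# Assumed policy values for this example (not from the NCSC guidance or the article).
MAX_FAILED_ATTEMPTS = 5          # failures inside the window that trigger a lockout
FAILURE_WINDOW_SECONDS = 300     # sliding window for counting failures
LOCKOUT_SECONDS = 900            # how long a locked account stays locked
SESSION_MAX_LIFETIME_SECONDS = 8 * 3600   # absolute session lifetime
SESSION_IDLE_TIMEOUT_SECONDS = 15 * 60    # inactivity timeout


@dataclass
class AccountState:
    failed_times: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    mfa_verified: bool


class AuthPolicy:
    """Per-account brute-force protection and MFA enforcement."""

    def __init__(self):
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def record_failure(self, user, now):
        st = self._state(user)
        # keep only failures inside the sliding window, then add this one
        st.failed_times = [t for t in st.failed_times if now - t <= FAILURE_WINDOW_SECONDS]
        st.failed_times.append(now)
        if len(st.failed_times) >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_times.clear()
            return "locked"
        return "failed"

    def login(self, user, password_ok, mfa_ok, now):
        """Return (session or None, status). A locked account is refused even
        with correct credentials, and a password alone never yields a session."""
        if self.is_locked(user, now):
            return None, "locked"
        if not password_ok:
            return None, self.record_failure(user, now)
        if not mfa_ok:
            return None, "mfa_required"
        self._state(user).failed_times.clear()
        return Session(user=user, created_at=now, last_seen=now, mfa_verified=True), "ok"


def session_is_valid(session, now):
    """Check a session against absolute lifetime, idle timeout and MFA status."""
    if not session.mfa_verified:
        return False, "mfa not verified"
    if now - session.created_at > SESSION_MAX_LIFETIME_SECONDS:
        return False, "absolute lifetime exceeded"
    if now - session.last_seen > SESSION_IDLE_TIMEOUT_SECONDS:
        return False, "idle timeout"
    return True, "ok"


def refresh_session(session, now):
    """Extend the idle timer only if the session is still valid; returns validity."""
    ok, _ = session_is_valid(session, now)
    if ok:
        session.last_seen = now
    return ok


if __name__ == "__main__":
    policy = AuthPolicy()
    for t in range(5):                       # five wrong passwords at t=0..4
        print(policy.login("alice", False, False, t)[1])
    print(policy.login("alice", True, True, 10)[1])   # still locked despite valid credentials
```

Note the ordering in `login`: the lock is checked before the password, so a locked account gives the same answer whether or not the password was right, and the failure counter only ever moves on a wrong password, never on a missing second factor.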

Principle 14: Secure Use of the Service by the Customer

This principle is less about the vendor and more about how your business uses any cloud service. Your chosen service provider might have a strong information security posture, but misuse of the cloud service by an employee can easily lead to data breaches and non-compliance penalties.

Human error remains a staggeringly prevalent cause of data breaches. One report found that 88 percent of data breach incidents arose from employee mistakes. To combat these risks and ensure compliance, the following practices should help:

  • Shift the company culture to a security-first one with ongoing cybersecurity awareness.
  • Communicate to employees that they have a responsibility to securely use cloud services.
  • Educate everyone about how to safely use cloud services in a way that doesn’t compromise compliance.
  • Detect cloud misconfigurations using a configuration management solution such as Tripwire’s Configuration Manager. Misconfigurations are a common cause of data breaches in the cloud.
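As an added example, not code from the article or from Tripwire's Configuration Manager, this Python audit shows the kind of check a configuration management tool runs: it walks a constructed, vendor-neutral inventory of cloud resources and flags the misconfigurations the article warns about (public buckets, missing encryption, internet-exposed ports, users without MFA), and it also covers the data-location concern from Principle 2 by flagging storage outside an allowed set of regions. The inventory fields, region list and port allow-list are assumptions made for the example, not any provider's real API.

```python
import ipaddress

# Constructed, vendor-neutral inventory snapshot. Field names belong to this example,
# not to any provider's API; a real tool would pull this from the cloud account.
SAMPLE_INVENTORY = [
    {"type": "storage_bucket", "name": "customer-exports", "region": "us-east-1",
     "public_read": True, "encryption_at_rest": False},
    {"type": "storage_bucket", "name": "internal-logs", "region": "eu-west-1",
     "public_read": False, "encryption_at_rest": True},
    {"type": "security_group", "name": "db-sg",
     "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "name": "deploy-bot", "console_access": True, "mfa_enabled": False},
    {"type": "iam_user", "name": "alice", "console_access": True, "mfa_enabled": True},
    {"type": "message_queue", "name": "orders"},   # no check defined: reported, not ignored
]

# Constructed policy: regions where regulated data may reside (Principle 2), and
# ports that may legitimately be reachable from the whole internet.
ALLOWED_REGIONS = {"eu-west-1", "eu-west-2"}
INTERNET_OK_PORTS = {80, 443}


def check_storage_bucket(r):
    findings = []
    if r.get("public_read"):
        findings.append((r["name"], "bucket is readable by anyone on the internet"))
    if not r.get("encryption_at_rest"):
        findings.append((r["name"], "encryption at rest is disabled"))
    if r.get("region") not in ALLOWED_REGIONS:
        findings.append((r["name"], f"data stored in {r.get('region')} outside allowed regions"))
    return findings


def check_security_group(r):
    findings = []
    for rule in r.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        # prefix length 0 means every address (0.0.0.0/0 or ::/0)
        if net.prefixlen == 0 and rule["port"] not in INTERNET_OK_PORTS:
            findings.append((r["name"], f"port {rule['port']} open to the whole internet"))
    return findings


def check_iam_user(r):
    if r.get("console_access") and not r.get("mfa_enabled"):
        return [(r["name"], "interactive user without multifactor authentication")]
    return []


CHECKS = {
    "storage_bucket": check_storage_bucket,
    "security_group": check_security_group,
    "iam_user": check_iam_user,
}


def audit(inventory):
    """Run every applicable check and return (resource name, finding) pairs.
    Resource types with no check are reported too, so gaps in the audit's own
    coverage are visible instead of silently passing."""
    findings = []
    for r in inventory:
        check = CHECKS.get(r["type"])
        if check is None:
            findings.append((r.get("name", "?"), f"no check defined for type {r['type']}"))
        else:
            findings.extend(check(r))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Running it against the sample inventory yields six findings: three on `customer-exports`, one each on `db-sg` and `deploy-bot`, and one coverage gap for the queue. In practice the same audit would run on a schedule, with any new finding raised as a change event, which is what turns a one-off review into ongoing configuration management.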

Closing Thoughts

Businesses of all sizes need to comply with a growing number of regulations implemented to protect sensitive digital information. If you’re planning on a cloud move, carefully consider the NCSC cloud security principles to ensure protection against the high penalties associated with compliance breaches.

As for detecting misconfigurations, Tripwire’s Configuration Manager can help you find them in multi-cloud environments. You can learn more about it here: https://www.tripwire.com/products/tripwire-configuration-manager/worry-less-about-cloud-security.


About the Author: Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He’s comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science; however, he followed his passion for writing and became a freelance writer in 2016. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “Top 5 NCSC Cloud Security Principles for Compliance” appeared first on TripWire.

Source:TripWire – Tripwire Guest Authors
