Securing your cloud environment for services

You must follow the government’s Cloud First policy when considering cloud purchases.

You can only choose an alternative to the cloud if you can show it’s better value for money in your service assessments or departmental spending assurance process.

Deciding whether to use the cloud

It’s government policy to use the public cloud first for almost all information classed as official and some sensitive data.

Follow the Creating and implementing a cloud hosting strategy guidance and the National Cyber Security Centre (NCSC) cloud security guidance to decide if cloud security meets your needs.

To better analyse your service’s security risks, make sure you understand:

  • your business requirements
  • the information you want to store and where you want to store it
  • if the cloud provider can give you enough assurance of their security measures
  • what user and administrator security your organisation uses
  • how you will monitor your security processes to make sure they are working

You must still do a risk analysis and mitigation exercise if you choose to use the public cloud.

Learn about government Secure by Design principles and managing third-party product security risks.

Finding a secure cloud provider

Use the government’s Cloud Security Principles to help you evaluate cloud providers.

You will need to identify which of the principles your service needs and find a supplier who meets those needs. If your chosen cloud provider cannot meet a principle, check if your team can meet it instead.

You should also choose your provider from a trusted place such as the Digital Marketplace or the Crown Commercial Service.

As you identify your needs, you might find you have to balance several factors along with security. For example, accepting more technical lock-in and less contract flexibility with a provider can mean you need to do less security work to get the service up and running, because the provider has already done that work for you.

Configure your cloud environment for security

As well as checking that your provider’s security meets your requirements, you will need to make sure that your environment is configured properly.

Check things such as:

  • access control
  • asset encryption
  • locking down external access
  • how you keep data such as secret keys or credentials protected
  • security logging, monitoring, and alerting procedures (also known as managing observability)

Auditing the cloud environment

Do regular audits of your cloud environment so you can:

  • get real-time data about what’s happening in your environment
  • create automated alerts or actions if there is unusual or suspicious behaviour
  • keep track of your provider’s cloud environment and the access your users and administrators have to your data
  • keep track of your use of the cloud, such as any changes your administrators make or who has access to data
  • highlight and prioritise actions so that your operations or security team can respond more quickly to the most serious alerts
  • see who has copied or shared documents or what administrators have done

Cloud tools do not always provide all of this functionality, but you should make sure you have a way to monitor your environment. You should decide which features you need and which you can implement yourself.

Last update: Integrated guidance on Assessing the importance of service assets, Performing threat modelling, Performing a security risk assessment, Agreeing a security controls set for your service, Responding to and mitigating security risks and Retiring service components securely.

  1. Page updated and reworded for clarity.

  2. Guidance first published.