Part of Cloud security – good practice guide
4. Step 2 - assess
This step is about assessing the risk and identifying the governance requirements for putting the data in the cloud. At the end of this step, you should have decided whether you want to use public cloud to host your system.
4.1 Risk appetite
Different organisations and programmes will have different appetites towards risk and this appetite may vary over time.
The risk classes are:
- class 1 defines the lowest level of risk
- class 5 defines the highest level of risk
However, proportionate controls are available to help mitigate these risks, whether the risk is classified as class 1 or class 5. These are detailed in step 3.
Understand your organisation’s risk appetite, implement controls and monitor their effectiveness as part of your ongoing governance process.
4.2 Governance
Using the risk classification obtained in step 1, refer to the table below to understand the governance expectation.
| Risk profile level | Expectation |
|---|---|
| Class 1 | All organisations are expected to be comfortable operating services at this level. |
| Class 2 | Whilst there may be some concerns over public perception and lock-in, most organisations are expected to be comfortable operating services at this level. |
| Class 3 | At this level, the risks associated with the impact of a breach become more significant. Use of services at this level therefore requires specific risk management across all the risk classes described in part 3, with approval at CIO/Caldicott Guardian level. |
| Class 4 | At this level, it may become more difficult to justify that the benefits of using public cloud outweigh the risks. However, a case may still be made; it requires approval by the CIO/Caldicott Guardian and must be made visible to the organisation's Board. Specialist advice and guidance should be sought. |
| Class 5 | Operating services at this level would require board-level organisational commitment, following specialist advice and guidance. |
4.3 Other considerations
Security is not the only aspect that you should consider when moving to cloud.
Other elements to think about include:
4.3.1 Public perception
There is some degree of public concern over the use of computing environments that are known to be publicly available and used for a wide variety of small- and large-scale purposes.
There may be a lack of trust in the effectiveness of the people, technical and process controls that are intended to reduce the risks to confidentiality, and of breach, to manageable levels.
You must be comfortable with any challenge that comes from the public and the media. If there's a security incident, then the question will be raised as to why public cloud was used.
4.3.2 Lock-in and migration
If you build your infrastructure using standard and widely available components such as virtual machines (VMs) and storage, it will ease any migration to another provider. However, vendor-specific components are attractive because they may provide lower-cost options and faster delivery.
Be conscious of the trade-off. Consider the impact of having to migrate potentially large quantities of data to launch a service, and the future impact of increased data scale if you ever wished, or needed, to migrate to an alternative provider.
4.3.3 Data repatriation
Consider how any data within the system can be retrieved and returned to you when the contract for cloud services expires. Discuss with your intended provider how you wish your data to be transferred back into your custody.
Ensure such facilities and associated timescales are agreed and included within the contract. You should also seek assurances from your cloud provider that any copies of your data will be deleted, overwritten or otherwise rendered inaccessible.
4.3.4 Existing situation
When considering moving systems into public cloud, it's worth assessing the 'As-Is' hosting solution. If the existing solution already carries high risk but has weak security controls, the perceived risks of moving into a public cloud may be offset by the improvement over that baseline.
4.3.5 Complex systems
Systems may host a variety of different data types, which hold different risk profiles. It may be appropriate to consider hosting some subsystems on public cloud whilst hosting other subsystems elsewhere.
4.3.6 Data residency and sovereignty
Some cloud providers may store or process data offshore, which may improve resilience and reduce costs.
Processing data in cloud services is legally complex, regardless of where the data is being processed. Data must only be hosted within territories deemed to be GDPR adequate by the UK Government, as listed on the ICO's international data transfers page.
Data transfers to non-adequate territories should be considered in conjunction with the ICO's international data transfer guidance.
4.3.7 Fair processing
Regardless of where services are hosted, all organisations processing personal data must do so fairly and lawfully. This was set out in the first data protection principle of the Data Protection Act 1998 and is carried forward in the lawfulness, fairness and transparency principle of the UK GDPR.
Fair processing includes providing details of:
- your identity and, if you are not based in the UK, the identity of your nominated UK representative
- the purpose or purposes for which you intend to process the information
- any extra information you need to give individuals in the circumstances to enable you to process the information fairly
4.4 Documentation
It's important that a complete set of documentation is kept for audit purposes, to prove that appropriate due diligence has been carried out with regard to where and how data is hosted.
Therefore, document:
- the governance decision to use the cloud (such as meeting minutes)
- responses to all other considerations listed above
4.5 Contracts
All cloud contracts need to be robust and clearly compliant with UK law.
It's essential that you have documentation detailing the duties and obligations that have been agreed.
Last edited: 10 January 2023 11:12 am