Part of Cloud security – good practice guide

8. Appendix A - detailed advice and guidance


The information below is based on the National Cyber Security Centre’s (NCSC) advice for implementing the Cloud security principles. Each principle has been examined in the context of health and social care and a recommended implementation approach has been specified. Against each principle, guidance lists what the Cloud provider should do or provide, and what the Cloud service user should do to safeguard data.

This guidance assumes an Infrastructure as a Service (IaaS) model is being used, and the split of responsibilities between the Cloud provider and the Cloud service user reflects this. Where a SaaS model is used, the split would need to be adjusted, with the SaaS provider taking on more of the responsibilities.

For clarity, the 'Cloud provider' is the organisation providing the cloud service. The 'service user' refers to the customer-side staff (such as the architect, developer, programmer and IT professional) who develop and maintain the system in the public cloud.

An item of specific guidance applies only to the data risk categories, as defined by the risk tool, that are marked against it (Class 1 and 2, Class 3, or Class 4 and 5). Section 2.6 - Physical resilience and availability - is the exception: its items are marked against the service classification instead, being bronze, silver, gold or platinum.


Security principles

The security principles below set out the NHS recommended approach and the guidance for each principle.

1. Data in transit protection

User data transiting networks should be adequately protected against tampering and eavesdropping.

NHS recommended approach

TLS (Version 1.2 or above) or IPsec or TLS VPN gateway.

NHS guidance

The Cloud provider should:

1. Utilise strong cryptography as defined by NIST SP800-57 to encrypt communications:

  • internally between Cloud components
  • between Cloud data centres
  • between the Cloud admin portal and the Cloud

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Undertake annual assessment against a recognised standard such as ISO to test the security of the communication:

  • internally between Cloud components
  • between Cloud data centres
  • between the Cloud admin portal and the Cloud

Ensure that the assessment is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Utilise strong cryptography as defined by NIST SP800-57 to encrypt communications between the Cloud and the end-user.

Applies to: Class 3, Class 4 and 5

2. Undertake regular (minimum yearly) penetration testing of the communication between the Cloud and the end-user.

Ensure that the penetration test is well scoped such that ‘Data in transit protection’ is fully tested.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

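
As an added illustration that is not part of the NHS guidance or the NCSC text, the Python below shows two practical sides of the service user's items above: an `ssl` context that refuses to negotiate anything below TLS 1.2 (the floor named in the recommended approach), and a check over handshake log lines that flags sessions negotiated with an older protocol, which is the kind of evidence a scoped penetration test or a routine review would look for. The log format, client addresses and log contents are constructed for the example, and the protocol-name ranking table is an assumption about how a server or load balancer labels versions; adjust it to whatever your logs actually emit.

```python
import re
import ssl

# Protocol floor from the recommended approach: TLS 1.2 or above.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Client-side context for talking to the cloud service.

    create_default_context() already turns on certificate verification and
    hostname checking; setting minimum_version pins the TLS 1.2 floor
    explicitly instead of relying on the platform default.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context with the same floor; the cert paths are the caller's own."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Ordering of protocol names as they might appear in server logs (assumed
# naming for this example; match it to your own log source).
_VERSION_RANK = {
    "SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4,
}
_MIN_RANK = _VERSION_RANK["TLSv1.2"]

# Constructed sample log: one handshake per line with the negotiated protocol.
CONSTRUCTED_LOG = """\
2024-05-22T09:00:01Z client=10.10.1.4 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2024-05-22T09:00:07Z client=10.10.1.9 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2024-05-22T09:00:12Z client=10.10.2.3 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA
2024-05-22T09:00:20Z client=10.10.2.8 proto=TLSv1 cipher=AES256-SHA
2024-05-22T09:00:25Z client=10.10.2.9 proto=unknown cipher=-
"""

_LINE_RE = re.compile(r"client=(?P<client>\S+)\s+proto=(?P<proto>\S+)")


def find_weak_connections(log_text: str) -> list:
    """Return (client, protocol) for every handshake below the TLS 1.2 floor.

    Unrecognised protocol names are reported as well: a version the policy
    does not know about should be investigated, not silently accepted.
    """
    weak = []
    for line in log_text.splitlines():
        match = _LINE_RE.search(line)
        if not match:
            continue
        rank = _VERSION_RANK.get(match["proto"])
        if rank is None or rank < _MIN_RANK:
            weak.append((match["client"], match["proto"]))
    return weak


if __name__ == "__main__":
    ctx = make_client_context()
    print("client floor:", ctx.minimum_version.name)
    for client, proto in find_weak_connections(CONSTRUCTED_LOG):
        print(f"below policy: {client} negotiated {proto}")
```

Pinning `minimum_version` on both ends is deliberate: a client that tolerates TLS 1.0 will happily negotiate it against a misconfigured server, so the floor has to be enforced on the side you control regardless of what the other side offers.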
2. Asset protection and resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

2.1 Physical location and legal jurisdiction

To understand the legal circumstances under which your data could be accessed without your consent, you must identify the locations at which it is stored, processed and managed.

You will also need to understand how data-handling controls within the service are enforced, relative to UK legislation.

NHS recommended approach

Known locations for storage, processing and management.

NHS guidance

The Cloud provider should:

1. Provide cloud infrastructure (including all hardware, software, networks and the physical data centres that house it all) within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Provide independent validation that the data centres are actually physically located within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. State the legal jurisdiction(s) to which your data is subject.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

The service user should:

1. Only use Cloud infrastructures to store and process data that are physically located within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Review the Cloud provider’s terms and conditions to ensure they are compliant with the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2.2 Data centre security

Locations used to provide cloud services need physical protection against unauthorised access, tampering, theft or reconfiguration of systems. Inadequate protections may result in the disclosure, alteration or loss of data.

NHS recommended approach

Conforms to a recognised standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to ISO 27001.

Prove that the scope of certification includes the physical security of the data centres.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST scheme.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2.3 Data at rest protection

To ensure data is not available to unauthorised parties with physical access to infrastructure, user data held within the service should be protected regardless of the storage media on which it’s held.

Without appropriate measures in place, data may be inadvertently disclosed through discarded, lost or stolen media. Data written to storage must be encrypted.

NHS recommended approach

Encryption of all physical media.

NHS guidance

The Cloud provider should:

1. Provide encryption facilities to ensure that no data is written to storage in an unencrypted form.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Provide a secure key management service offering strong cryptography as defined by the current version of NIST and FIPS standards, such as NIST SP800-57 Part 1.

The service must provide detailed audit reporting on access to the keys.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Confirm that the encryption utilises strong cryptography as defined by the current version of NIST SP800-57.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

4. Undertake annual assessment against a recognised standard such as ISO or FIPS 140-3 to test the encryption.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure that the encryption is appropriately configured when you implement the system on your chosen cloud provider.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Ensure keys are managed by the data controller. Keys can be stored either locally or in an HSM service provided by the cloud supplier. The key management solution should utilise strong cryptography as defined by the current version of NIST and FIPS standards, such as NIST SP800-57 Part 1.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2.4 Data sanitisation

The process of provisioning, migrating and de-provisioning resources should not result in unauthorised access to user data.

NHS recommended approach

Explicit overwriting of storage before reallocation.

NHS guidance

The Cloud provider should:

1. Provide assertions about their data sanitisation approach.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Show that the specified data sanitisation approach has been validated by a suitably qualified independent third party.

Applies to: Class 3, Class 4 and 5

2.5 Equipment disposal

Once equipment used to deliver a service reaches the end of its useful life, it should be disposed of in a way which does not compromise the security of the service, or user data stored in the service.

NHS recommended approach

A recognised standard for equipment disposal is followed or a third-party destruction service is used.

NHS guidance - recognised standard

The Cloud provider should:

1. Hold certification to CSA CCM v4 OR ISO/IEC 27001.

Prove that the scope of certification validates the secure equipment disposal.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 3, Class 4 and 5

NHS guidance - third party service

The Cloud provider should:

1. Ensure the security of the equipment and prove the chain of custody until the equipment is successfully destroyed.

Applies to: Class 3, Class 4 and 5

2. Demonstrate that the third-party services have been assessed against a recognised standard, such as the CESG Assured Service (destruction) scheme.

Prove that the scope of the assessment validates the secure equipment disposal and chain of custody.

Demonstrate that the assessment was performed by a suitably qualified expert party such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

2.6 Physical resilience and availability

Services have varying levels of resilience, which will affect their ability to operate normally in the event of failures, incidents or attacks.

A service without guarantees of availability may become unavailable, potentially for prolonged periods, regardless of the impact on your business.

NHS recommended approach

The service provider commits to a Service Level Agreement (SLA) and analysis of the design.

Service classification

The Cloud provider should:

1. Provide a contractual commitment to SLAs, with remedies available should the SLA be missed.

Applies to: Bronze, Silver, Gold/Platinum

2. Prove that the data centres are certified to Uptime Institute Tier 2 or equivalent, as validated by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Bronze

3. Prove that the data centres are certified to Uptime Institute Tier 3 or equivalent, as validated by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Silver, Gold/Platinum

4. Provide 2 or more availability zones/data centres in line with the requirements in 2.1.

Applies to: Silver, Gold/Platinum

The service user should:

1. Design for failure. Solutions should be architected for cloud such that they are resilient regardless of the underlying cloud infrastructure.

Applies to: Bronze, Silver, Gold/Platinum

2. Use at least one availability zone/data centre.

Applies to: Bronze

3. Have resilient network links to the zone/data centre.

Applies to: Bronze

4. Use multiple availability zones/data centres.

Applies to: Silver, Gold/Platinum

5. Have resilient network links to each zone/data centre.

Applies to: Silver, Gold/Platinum

6. Consider the use of different cloud vendors or multiple regions from the same vendor; this assessment must weigh the gain in physical resilience against the increase in architecture complexity and the risk of introducing software/process issues.

Applies to: Gold/Platinum

7. Have resilient network links to each region/vendor (if using multiple regions/vendors).

Applies to: Gold/Platinum

8. Ensure their system has DDoS protection. This may be provided by the Cloud vendor or a third party.

Applies to: Gold/Platinum


3. Separation between users

A malicious or compromised user of the service should not be able to affect the service or data of another. 

NHS recommended approach

Virtualisation technologies (such as a hypervisor) or other software provide separation between users.

NHS guidance

The Cloud provider should:

1. Provide supplier assertions about their approach to user/customer environment separation.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the separation between users/customer environments.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

3. Hold and maintain certification to ISO/IEC 27017 for the Cloud platform.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Undertake end-to-end penetration testing of the solution.

Applies to: Class 3, Class 4 and 5

2. Implement a GPG13 compliant protective monitoring solution.

Applies to: Class 4 and 5

4. Governance framework

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it.

Any technical controls deployed outside of this framework will be fundamentally undermined.

NHS recommended approach

Conformance with a recognised standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to CSA’s STAR programme OR ISO/IEC 27001.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

2. Prove that the scope of certification includes the governance framework goals set out below:

a. A clearly identified, and named, board representative (or a person with the direct delegated authority) who is responsible for the security of the cloud service. This is typically someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.
b. A documented framework for security governance, with policies governing key aspects of information security relevant to the service.
c. Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
d. Processes to identify and ensure compliance with applicable legal and regulatory requirements.

Applies to: Class 4 and 5

5. Operational security

The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

5.1 Configuration and change management

You should ensure that changes to the system have been properly tested and authorised. Changes should not unexpectedly alter security properties.

NHS recommended approach

Conformance with a recognised standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to CSA CCM v4 OR ISO/IEC 27001.

Prove that the scope of certification includes configuration and change management processes.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Maintain an accurate inventory of the assets which make up the service, along with their configurations and dependencies.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Ensure changes to the service are assessed for potential security impact, and that the implementation of changes is managed and tracked through to completion.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

5.2 Vulnerability management

You should identify and mitigate security issues in constituent components.

NHS recommended approach

Conformance with a recognised standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to CSA CCM v4 OR ISO/IEC 27001, ISO/IEC 27017.

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Manage vulnerabilities in a manner that aligns with ISO 30111 and show ISO / CSA compliance to validate the process.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Prove that mitigations for discovered vulnerabilities are implemented for the server-less devices, hypervisors and supporting infrastructure, within the NCSC best practice timescales set out below:

a. ‘Critical’ vulnerabilities should be mitigated within 24 hours
b. ‘Important’ vulnerabilities should be mitigated within 2 weeks
c. ‘Other’ vulnerabilities should be mitigated within 8 weeks

If compensating controls are in place to reduce the vulnerability risk, the timescales can be adjusted accordingly.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

The service user should:

1. Undertake patching or vulnerability management for the guest operating system and application components, within the NCSC best practice timescales set out below:

a. ‘Critical’ patches should be deployed within 24 hours
b. ‘Important’ patches should be deployed within 2 weeks of a patch becoming available
c. ‘Other’ patches should be deployed within 8 weeks of a patch becoming available

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Undertake regular (minimum yearly) penetration testing.

Ensure the penetration test is well scoped such that security vulnerabilities in the operating system and components above are fully tested.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

5.3 Protective monitoring

You should put measures in place to detect attacks and unauthorised activity on the service.

NHS recommended approach

Conformance with a recognised standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to CSA CCM v4 OR ISO/IEC 27001 and ISO/IEC 27017.

Prove that the scope of certification includes protective monitoring controls showing that:

a. The service generates adequate audit events to support effective identification of suspicious activity
b. These events are promptly analysed to identify potential compromises or inappropriate use of your service
c. The service provider takes prompt and appropriate action to address incidents

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Put in place appropriate monitoring solutions to identify attacks against their applications or software.

Applies to: Class 3, Class 4 and 5

5.4 Incident management

Ensure you can respond to incidents and recover a secure, available service.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to CSA CCM v4 OR ISO/IEC 27001.

Prove that the scope of certification includes incident management controls in detail showing that:

a. Incident management processes are in place for the service and are actively deployed in response to security incidents
b. Pre-defined processes are in place for responding to common types of incident and attack
c. A defined process and contact route exists for reporting of security incidents by consumers and external entities
d. Security incidents of relevance to the Service User will be reported in acceptable timescales and formats

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Demonstrate robust, well-tested and rehearsed incident management procedures.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

The service user should:

1. Put in place monitoring solutions to identify attacks against their applications or software.

Applies to: Class 3, Class 4 and 5

2. Have an incident management process to rapidly respond to attacks.

Applies to: Class 3, Class 4 and 5

6. Personnel security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness.

Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

NHS recommended approach

Personnel screening performed but does not conform with BS7858:2012.

NHS guidance

The Cloud provider should:

1. Operate a personnel screening process that aligns with BS7858:2012 and show ISO / CSA compliance to validate the process.

Demonstrate that the assessment was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure IT admin staff are strongly authenticated.

Applies to: Class 3, Class 4 and 5

2. Have a suitable auditing solution in place to record all IT admin access to data and hosting environments.

Applies to: Class 3, Class 4 and 5

7. Secure development

Services should be designed and developed to identify and mitigate threats to their security. Those which are not may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

NHS recommended approach

Independent review of engineering approach against recognised secure development standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to 1 of:

a) CESG CPA Build Standard
b) ISO/IEC 27034
c) ISO/IEC 27001
d) CSA CCM v4.0

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST or CSA STAR scheme.

Applies to: Class 3, Class 4 and 5

8. Supply chain security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

NHS recommended approach

Assessed through application of appropriate standard.

NHS guidance

The Cloud provider should:

1. Hold and maintain certification to either:

a) ISO/IEC 27001
b) ISO/PAS 28000:2007

Demonstrate that certification was performed by a suitably qualified expert party such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

2. Prove that the scope of certification includes supply chain security showing:

a) How your information is shared with, or accessible to, third party suppliers and their supply chains
b) How the service provider’s procurement processes place security requirements on third party suppliers
c) How the service provider manages security risks from third party suppliers
d) How the service provider manages the conformance of their suppliers with security requirements
e) How the service provider verifies that hardware and software used in the service is genuine and has not been tampered with

Applies to: Class 4 and 5

9. Secure user management

Your provider should make the tools available for you to securely manage your use of their service.

Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

9.1 Authentication of (admin) users to management interfaces and support channels

To maintain a secure service, (admin) users need to be properly authenticated before being allowed to perform management activities, report faults or request changes to the service.

NHS recommended approach

Strong authentication in place, which is subject to regular exercising.

NHS guidance

The Cloud provider should:

1. Provide supplier assertions about their approach to strong authentication.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. List all the channels by which the service provider would accept management or support requests from you (such as telephone, web portal and email).

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘Authentication of users to management interfaces and support channels’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure that a list of authorised individuals from your organisation who can use those mechanisms is maintained and regularly reviewed.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Use 2FA to obtain access to the system.

Applies to: Class 3, Class 4 and 5

3. Configure logging of access attempts.

Applies to: Class 3, Class 4 and 5

4. Regularly review the access attempts to identify unusual behaviour.

Applies to: Class 3, Class 4 and 5

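
Items 2 to 4 for the service user (2FA, logging of access attempts, and regular review for unusual behaviour) are shown below in working form as an added example; it is not code from the NHS guidance or from any provider. It parses a constructed access log for a management interface and raises three kinds of finding: a burst of failed attempts for one account, a successful login that did not use a second factor, and a successful login outside working hours. The log format, the user names and addresses, the failure threshold and window, and the 07:00 to 19:00 UTC working-hours band are all assumptions made for the example; the guidance itself sets none of these values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access attempts against a management interface.
CONSTRUCTED_LOG = """\
2024-05-22T08:00:05Z user=alice src=10.20.0.5 result=success mfa=yes
2024-05-22T08:01:10Z user=bob src=10.20.0.9 result=success mfa=yes
2024-05-22T08:02:00Z user=alice src=198.51.100.23 result=failure mfa=no
2024-05-22T08:02:20Z user=alice src=198.51.100.23 result=failure mfa=no
2024-05-22T08:02:41Z user=alice src=198.51.100.23 result=failure mfa=no
2024-05-22T08:03:02Z user=alice src=198.51.100.23 result=failure mfa=no
2024-05-22T08:03:30Z user=alice src=198.51.100.23 result=failure mfa=no
2024-05-22T08:05:00Z user=carol src=10.20.0.7 result=success mfa=no
2024-05-22T23:40:00Z user=bob src=203.0.113.44 result=success mfa=yes
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Review thresholds: assumptions for this example, not values from the guidance.
FAIL_THRESHOLD = 5                  # this many failures...
FAIL_WINDOW = timedelta(minutes=5)  # ...inside this window is a burst
WORK_HOURS = range(7, 19)           # 07:00 to 18:59 UTC counts as in-hours


def parse_log(text):
    """Turn matching log lines into dicts with a parsed timestamp; skip the rest."""
    events = []
    for line in text.splitlines():
        match = _LINE_RE.match(line)
        if match:
            fields = match.groupdict()
            fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(fields)
    return events


def review_access_log(text, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (finding, user) pairs that a reviewer should look at."""
    findings = []
    failures = defaultdict(list)
    for ev in parse_log(text):
        if ev["result"] == "failure":
            failures[ev["user"]].append(ev["ts"])
            continue
        # Successful logins: check the second factor and the time of day.
        if ev["mfa"] == "no":
            findings.append(("success_without_2fa", ev["user"]))
        if ev["ts"].hour not in WORK_HOURS:
            findings.append(("out_of_hours_success", ev["user"]))
    # One finding per account whose failures cluster inside the window.
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= fail_window:
                findings.append(("failure_burst", user))
                break
    return findings


if __name__ == "__main__":
    for kind, user in review_access_log(CONSTRUCTED_LOG):
        print(f"{kind}: {user}")
```

The thresholds are parameters rather than constants buried in the loop so the same review can be re-run with a stricter or looser policy; a real deployment would also compare source addresses against the maintained list of authorised individuals from item 1.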
9.2 Separation with access control within management interfaces

Many cloud services are managed via web applications or APIs. These interfaces are a key part of the service’s security.

If (admin) users are not adequately separated within management interfaces, one (admin) user may be able to affect the service, or modify the data of another.

NHS recommended approach

Access control implemented in software, subject to regular testing.

NHS guidance

The Cloud provider should:

1. Provide supplier assertions about how management interfaces are protected and what functionality they expose.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘Access Control to management interfaces’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure that authorised individuals from your organisation who can use those mechanisms are managed by the ‘principle of least privilege’, typically using an RBAC mechanism.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

10. Identity and authentication (end user)

All access to service interfaces should be constrained to authenticated and authorised (end user) individuals.

NHS recommended approach

Two factor authentication, TLS client certificate, identity federation with your existing identity provider.

NHS guidance - two factor authentication

The Cloud provider should:

1. Allow users to authenticate with a username and either a hardware/software token, or an ‘out of band’ challenge (such as SMS).

Applies to: Class 3, Class 4 and 5

2. Provide details of the authentication scheme.

Applies to: Class 3, Class 4 and 5

3. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘2FA’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

NHS guidance - TLS client certificate

The Cloud provider should:

1. Show that they use TLS 1.2 or above with an X.509v3 client certificate that identifies an individual user.

Applies to: Class 3, Class 4 and 5

2. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘TLS 1.2+ using an X.509v3 client certificate’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure the secure creation and management of certificates.

Applies to: Class 3, Class 4 and 5

2. Ensure there are safeguards in place on end user devices to protect them.

Applies to: Class 3, Class 4 and 5

3. Implement processes to revoke lost or compromised credentials.

Applies to: not specified

NHS guidance - identity federation with your existing identity provider

The Cloud provider should:

1. Provide support for federating to another authentication scheme, such as a corporate directory, an OAuth or SAML provider.

Applies to: Class 3, Class 4 and 5

2. Provide details of the authentication scheme.

Applies to: Class 3, Class 4 and 5

3. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘identity federation’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Only use this approach if their existing identity provider uses two-factor authentication.

Applies to: Class 3, Class 4 and 5

11. External interface protection

All access to service interfaces should be constrained to authenticated and authorised individuals.

NHS recommended approach

Internet and/or community network and/or private network.

NHS guidance

The Cloud provider should:

1. Implement a protective monitoring solution.

Applies to: Class 3, Class 4 and 5

2. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘external interface protection’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Ensure their system has Web Application Firewall (WAF) protection. This may be provided by the Cloud vendor or a third party.

Applies to: Class 3, Class 4 and 5

2. Ensure that the implemented design protects data by ensuring it is at least 2 ‘firewall’ hops from the external network, architected in such a way that the compromise of one firewall will not affect the other.

Applies to: Class 3, Class 4 and 5

3. Correctly implement firewall rulesets using the ‘deny all first, then add exceptions’ principle.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

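
The ‘deny all first, then add exceptions’ principle from item 3, as an added example that is not part of the guidance: a small first-match rule evaluator in Python, a constructed ruleset built the wrong way round (permissive default with a few denies) beside the default-deny form, and an audit check that flags the permissive pattern. The networks, ports and addresses are made up for the example; the evaluator's semantics (ordered first match, then a default action) are an assumption modelled on common firewall behaviour rather than any particular product's rule language.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = ANY               # source CIDR, or "any"
    dst: str = ANY               # destination CIDR, or "any"
    proto: str = ANY             # "tcp", "udp" or "any"
    port: Optional[int] = None   # destination port; None = any port
    comment: str = ""


@dataclass
class Ruleset:
    default_action: str          # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)


def _net_matches(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (_net_matches(rule.src, src)
            and _net_matches(rule.dst, dst)
            and rule.proto in (ANY, proto)
            and rule.port in (None, port))


def evaluate(rs: Ruleset, src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; with no match the default action applies."""
    for rule in rs.rules:
        if _rule_matches(rule, src, dst, proto, port):
            return rule.action
    return rs.default_action


def audit(rs: Ruleset) -> List[str]:
    """Flag rulesets that are not built as 'deny all, then exceptions'."""
    findings = []
    if rs.default_action != "deny":
        findings.append("default action is not deny: anything not listed gets through")
    for i, rule in enumerate(rs.rules):
        if rule.action == "allow" and rule.src == ANY and rule.port is None:
            findings.append(f"rule {i} ({rule.comment or 'no comment'}) allows any "
                            "source to any port: too broad an exception")
    return findings


# Constructed topology: an internet-facing web tier at 10.0.1.0/24 (assumed),
# administered from 10.0.100.0/24 (assumed).

# Wrong way round: permissive default with a handful of denies. Anything the
# author forgot to deny (RDP, database ports, ...) is reachable.
PERMISSIVE = Ruleset("allow", [
    Rule("deny", proto="tcp", port=23, comment="block telnet"),
    Rule("deny", proto="tcp", port=21, comment="block ftp"),
])

# Deny all first, then add only the exceptions the service actually needs.
DEFAULT_DENY = Ruleset("deny", [
    Rule("allow", dst="10.0.1.0/24", proto="tcp", port=443, comment="public HTTPS"),
    Rule("allow", src="10.0.100.0/24", dst="10.0.1.0/24", proto="tcp", port=22,
         comment="SSH from the admin network only"),
])

if __name__ == "__main__":
    probe = ("203.0.113.7", "10.0.1.10", "tcp", 3389)  # RDP from the internet
    print("permissive ruleset:", evaluate(PERMISSIVE, *probe))      # allow
    print("default-deny ruleset:", evaluate(DEFAULT_DENY, *probe))  # deny
    for finding in audit(PERMISSIVE):
        print("audit:", finding)
```

The contrast is the point: with a permissive default every omission is an exposure, whereas with a default deny every omission is at worst a support ticket. The audit function only catches the two most common mistakes (a non-deny default and a blanket allow); scoping each exception to a destination network and port, as the `DEFAULT_DENY` rules do, is what keeps the exceptions from quietly becoming the rule.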
12. Secure service administration

Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.

If this principle is not implemented, an attacker may have the means to bypass security controls and steal or manipulate large volumes of data.

NHS recommended approach

Known service management architecture.

NHS guidance

The Cloud provider should:

1. Provide supplier assertions regarding their service management architecture.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Ensure access is only available over a secure channel.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Limit management actions to authorised staff.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

4. Audit all management actions.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

5. Regularly (daily) review the logs to identify any irregular activities.

Applies to: Class 3, Class 4 and 5

6. Have separate user accounts for administration and normal user activities. They should not use their administration accounts for normal business activities.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

7. Not be able to browse the internet or open their external email in the same processing context as they manage systems.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

8. Protect the integrity of the end user devices used to manage the service.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

9. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘secure service administration’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

13. Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it.

The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

NHS recommended approach

Data made available.

NHS guidance

The Cloud provider should:

1. Record system events in near real-time to provide an audit log.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Ensure that the audit logs are tamperproof.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Ensure that the retention period for the logs can be defined by the customer.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

4. It is the responsibility of the user to configure log forwarding using the CSP’s monitoring solution or an alternative such as Splunk.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

5. Provide facilities to allow logs pertaining to their own systems to be human readable.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

6. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘auditing facility’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

The service user should:

1. Use the audit data as part of an effective proactive monitoring regime.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

14. Secure use of the service

The security of cloud services and the data held within them can be undermined if you use the service poorly.

Consequently, you will have certain responsibilities when using the service for your data to be adequately protected.

NHS recommended approach

Enterprise managed devices and/or partner managed devices and/or unknown devices.

NHS guidance

The Cloud provider should:

1. Use a security hardened master operating system image to build guest servers.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

2. Utilise integrated security monitoring and policy management facilities to help detect threats and weaknesses due to poor design or misconfiguration.

Applies to: Class 1 and 2, Class 3, Class 4 and 5

3. Undertake annual assessment against a recognised standard such as ISO or Cyber Essentials to test the ‘security monitoring’.

Ensure that the test is conducted by a suitably qualified provider such as those certified under the CREST scheme.

Applies to: Class 3, Class 4 and 5

Last edited: 22 May 2024 5:00 pm