Options available for NTP sources include:
Open source or “internet based” time services are available free of charge over the internet. However, these have no service-level agreements (SLAs) and no guarantee of how these services are configured or maintained.
That does not mean that internet-based NTP providers are not building to IETF standards or are not reliable providers.
Using internet searches, it is possible to find several open source, free UK-based time service providers accessible directly from the internet. However, no formal assessment or continued assessment has been performed on any potential services.
The reputation and certification/compliance of NTP provider organisations could indicate a level of maturity in the way they handle and provide services, offering reassurance of their reliability and security. This allows you to select the most suitable reliable sources.
Public and private cloud hosted environments
The public cloud is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use or purchase them. Private cloud refers to IT services provided over private IT infrastructure for the use of a single organisation.
Global public cloud providers such as AWS, Azure and Google implement DDoS protection for their own cloud infrastructure and production services. These mechanisms will ensure no single service can overwhelm the shared infrastructure (for example, NTP is a shared infrastructure resource).
Top tier global cloud providers (such as Amazon, Azure, Google) are compliant, standards driven suppliers. They are trusted to provide global infrastructure, services and platforms for any consumer, at multiple different security levels, depending upon the relevant customer needs. Evidence for this comes from the compliance and certification their infrastructure has been assessed to. Private cloud providers may also have similar certification but that should be checked on an organisation by organisation basis.
Global cloud providers offer the time service without needing to connect the infrastructure to the internet. Therefore, we recommend you use public cloud services where appropriate as no external connectivity would be required, reducing security perimeters. If your system doesn’t require connectivity to the internet for any other reason, then you may want to reduce the number of NTP sources used. This applies if the cloud provider is a trusted provider with up-to-date compliance certification including ISO 27001:2013.
Global cloud providers such as Azure, AWS and Google Cloud meet a broad set of international and industry-specific compliance standards, such as:
- General Data Protection Regulation (GDPR)
- ISO 27001:2013
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Risk and Authorization Management Program (FedRAMP)
- System and Organization Controls (SOC) 1
- SOC 2
This is in addition to country-specific standards that include Australia IRAP, UK G-Cloud, and Singapore MTCS.
Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence to the strict security controls these standards mandate. The control requirements for ISO 27001:2013 require the provider to ensure:
- accurate time
- that clock synchronisation is across all devices and systems
- that any vulnerabilities in the time service technologies (such as the NTP protocol) are actively looked at and alerts responded to appropriately
This allows us to treat these cloud providers as a trusted source when using their own time infrastructure for customers.
- Time synchronization for financial services in Azure
- AWS Compliance Programs
- Google Cloud - Standards, regulations & certifications
The NTP services provided by these global public cloud providers are deemed trustworthy, accurate and reliable, and can be used if your organisation has deployments already within these cloud providers’ infrastructures.
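One way to check the recommendation above on a cloud-hosted Linux machine, as an added example rather than part of the original guidance: the script reads a chrony or ntpd configuration and separates provider-internal time sources from ones that would need connectivity outside the cloud environment. The endpoint list, function name and sample configuration are assumptions constructed for illustration and should be adjusted to your provider's documentation.

```python
import re

# Assumed allow-list of provider-internal time endpoints that need no
# internet egress: the AWS link-local time service address and the
# Google Cloud metadata server. Extend or trim for your environment.
INTERNAL_SOURCES = {"169.254.169.123", "metadata.google.internal"}

# Azure Linux VMs are commonly synchronised from the host through a PTP
# hardware clock configured as a chrony refclock, not a network source.
INTERNAL_REFCLOCK = re.compile(r"^refclock\s+PHC\s+/dev/ptp", re.I)
SOURCE_LINE = re.compile(r"^(server|pool|peer)\s+(\S+)", re.I)


def audit_time_sources(conf_text):
    """Return (internal, external) source lists from a chrony/ntpd config."""
    internal, external = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        if INTERNAL_REFCLOCK.match(line):
            internal.append(line.split()[2])  # the clock device path
            continue
        match = SOURCE_LINE.match(line)
        if match:
            host = match.group(2).lower()
            (internal if host in INTERNAL_SOURCES else external).append(host)
    return internal, external


# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = """\
# chrony.conf on a cloud-hosted VM
server 169.254.169.123 prefer iburst
pool ntp.example.org iburst
driftfile /var/lib/chrony/drift
"""

if __name__ == "__main__":
    internal, external = audit_time_sources(SAMPLE_CONF)
    print("provider-internal sources:", internal)
    print("sources needing external connectivity:", external)
```

Any entry reported as external is a source that requires a route out of the cloud environment and should be reviewed against the guidance on reducing the number of NTP sources.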
ISP or CNSP provided service
Your internet service provider (ISP) or consumer network service provider (HSCN access provider) may also offer a service which may be included within the cost of your HSCN connectivity. Their routers/devices could themselves be used to provide a source for your organisation. You should consult your supplier for further information.