Skip to main content
Please wait...

Cyber Security & Strategy

  • Data volume, velocity
    Customer 360
    Predicative and Prescriptive Analytics

Implementing the Cloud Security Principles to keep you safe by Surreytech Consulting

Details and context for the 14 Cloud Security Principles, including their goals and technical implementation
For each of the 14 principles, we answer three questions:

1.   What is the principle? A description giving the principle some context
2.   What are the goals of the principle? Concrete objectives for the implementation to achieve
3.   How is the principle implemented? Details for a set of possible implementations

1. Data in transit protection

User data transiting networks should be adequately protected against tampering and eavesdropping.

2. Asset protection and resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

3. Separation between users

A malicious or compromised user of the service should not be able to affect the service or data of another.

4. Governance framework

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

5. Operational security

The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

6. Personnel security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

7. Secure development

Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

8. Supply chain security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

9. Secure user management

Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

10. Identity and authentication

All access to service interfaces should be constrained to authenticated and authorised individuals.

11. External interface protection

All external or less trusted interfaces of the service should be identified and appropriately defended.

12. Secure service administration

Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

13. Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

14. Secure use of the service

The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.



Surreytech Cyber security services

  • Information security Assessment
  • Cyber security Assessment
  • Organisation Cyber Essential check
  • Disaster Response Services

Separation and cloud security

Deployment models and service models

When assessing the separation measures of a given cloud service, there are two factors determining your security and assurance requirements: The deployment model and the service model.


We have isolated three deployment models: public cloud, community cloud and private cloud deployments.


And three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service(SaaS).


We’ll look at deployment models first, then move on to consider the separation requirements of the various service models. The concluding section summarises the risks associated with each of the service models.


Public Cloud
Public Cloud

Public cloud services can normally be accessed by anyone in possession of a credit card. For some services, an email address is all that’s required to access free trial versions.


So, if you are using public cloud service, you have to accept that your adversaries can legitimately purchase a service ‘next door’ to yours.


In such instances, you probably want a high level of confidence in the controls separating your data from that of others.

Community Cloud
Community Cloud

Community cloud services host users from a specific community, such as the public sector.


These communities often have a shared risk appetite and generally expect members to conform to an agreed minimum standard or legal agreement.


Community cloud providers can often tailor their offerings to match community requirements. For example, a service provider could choose to meet specific UK government standards for personnel security screening, or conform to the required standard to connect to a government community network. These tailored offerings can sometimes reduce risks relating to one or more of the cloud security principles.

Private Cloud
Private Cloud

Private cloud services are deployed to support a single organisation. They normally offer the ability to tailor the architecture to meet specific security and business requirements. For example, if all consumers of the service are well known and low risk, then the level of assurance in separation required may be low.


For processing untrusted (possibly malicious) or very sensitive data you may require higher confidence in the separation controls. You will need to manage, monitor and maintain the infrastructure, unless an agreement exists with the cloud service provider to do this.


In many situations a private cloud service will operate within a single security domain (for example providing a virtual desktop, or test and development resources). In such scenarios, the cloud platform is simply another part of the enterprise IT environment and should be configured, managed and monitored as such.

Which Cloud?
Which Cloud?

Infrastructure as a Service (IaaS)


Offerings implemented using hardware virtualisation and leading virtualisation products can provide a good level of separation between workloads and data in community and public cloud platforms.


However, like all complex software, IaaS offerings will never be free from vulnerabilities and the risks that these bring.


IaaS services also have a much greater burden on the user to configure and operate well.


Platform as a Service (PaaS)


PaaS offerings tend to have a larger attack surface than IaaS offerings since the separation between users is normally provided in higher level software rather than by a hypervisor. Community cloud PaaS offerings may provide some additional comfort for users where an acceptable use policy is in place that has been designed to reduce the risk of malicious workloads.


PaaS technologies are evolving rapidly and you should regularly verify that your platform choice meets your business and security needs.


Software as a Service (SaaS)


SaaS offerings tend to implement separation at a higher level than both IaaS and PaaS, meaning the potential attack surface for a would-be attacker is much greater.


Unless architected well these services will often present a potentially higher risk than deploying software packages for a dedicated user within an IaaS or PaaS service.

Our Business reference models

We Surreytech has worked wth many domains and has expereince in operatins and operating models. We use this expereince to ensure clients visions are realised and succeeded colaborating with the client and defining success via journies.