Protect your business online
Cloud security risks and solutions
Cloud security covers a range of policies, technologies and security controls that protect data, applications and the infrastructure associated with cloud computing.
Cloud security risks
Two main types of cloud security threats relate to issues faced by:
- cloud providers - who look after the infrastructure and the client's data and applications
- cloud customers - who rely on password protection and authentication measures
Key risks in the cloud include hacking, data theft, server faults and non-compliance. You can address each by deploying the same security solutions you would normally use to protect your in-house IT devices and networks.
Cloud security controls
Many common cyber security measures apply in a cloud-based environment just as they do in conventional IT systems, including:
- antivirus
- firewalls and perimeter protection
- traffic monitoring and reporting
- spam filtering
- real-time alerts and analytics
The National Cyber Security Centre (NCSC) offers detailed guidance to help you configure, deploy and use cloud services securely.
Your security responsibility if you use cloud services
Providers and customers share the responsibility for maintaining and protecting the security of cloud services and systems. As a buyer, your responsibilities will vary depending on the type of service involved. Your responsibilities will be greatest when using Infrastructure as a Service (IaaS).
Cloud security and data protection - things to consider
If you are processing and storing sensitive business or personal data in the cloud, you will want to check that your provider takes security seriously. Things to consider include:
Cloud provider vulnerabilities
Are they following best security practices, patching regularly and implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?
Technology vulnerabilities
Are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?
Access policies
Have you agreed standards and responsibilities between you and the provider? Defining roles and responsibilities can help ensure secure coverage and prevent potential liabilities in case of cyber incidents.
Access controls
Will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromises of your data by their personnel?
Service level agreements
Can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?
Risk assessment and analysis
Does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential damage?
Legal and regulatory implications
If you're storing or processing personal data in the cloud, you will have to comply with the UK General Data Protection Regulation (UK GDPR). For more information, you can read the NCSC's report on cloud computing and data storage.
If you're using software that interacts with cloud services, you may also want to read about managing the risk of cloud-enabled products.