CyberUK 22: NCSC refreshes cloud security guidance

The UK’s National Cyber Security Centre (NCSC) has published a refreshed set of guidelines to support organisations in migrating their online services and sensitive data into the cloud, setting out the groundwork for what it describes as a “more adaptable approach” to assure technology.

Dating back nearly 10 years, although it has been reviewed and revised in that time, the Cloud Security Guidance, at its core, is designed to help buyers determine how confident they can be that a cloud service is secure enough to handle their data through a framework that is built around 14 cloud security principles.

Launched on the opening day of its annual CyberUK conference in Wales, the guidance is aimed at organisations of any size from across the public and private sectors, reflecting the growing number of businesses and bodies utilising the benefits of cloud to streamline their operations. To this end, it has been specifically designed to be as accessible as possible – it now includes two frameworks to enable everybody from small businesses to the very largest enterprises to adopt cloud services in confidence.

“The cloud plays an increasingly vital role in the functioning of online services across the UK, and this trend will continue into the future,” said Paul Maddinson, director of national resilience and strategy at the NCSC.

“Our refreshed Cloud Security Guidance has the philosophy of security by design at its heart, meaning that organisations can have confidence when choosing a provider. I’d strongly encourage network defenders at organisations of all sizes to make use of the actionable advice set out in our refreshed Cloud Security Guidance.”

Reflecting a growing awareness of issues affecting supply chain security – which takes on a heightened urgency when applied to providers of public cloud services – it also now emphasises how critical it is for buyers to thoroughly vet and assess their potential suppliers to reduce the risk of their data being lost or stolen.

It also adheres to a newly published, principles-based technology assurance approach, which according to the NCSC enables thorough consideration of how technologies or systems can keep themselves, and the other systems (and humans) that rely on them, safe from the threats they are likely to encounter during their lifespan.

Chris Hayman, director of UK public sector at Amazon Web Services (AWS), commented: “Organisations are using cloud computing for ever more diverse and mission-sensitive use cases, and we’re pleased to see the NCSC’s updated guidance reflect that.

“The NCSC is a world leader in the development of advice and guidance on the security benefits of cloud, and we look forward to continuing our work with them to support their mission to help make the UK the safest place to live and work online.

“Security matters to everyone and, for our part, we will continue to innovate and help raise the security bar for everyone,” said Hayman.

Meanwhile, the ongoing CyberUK 2022 conference supports the so-called “whole-of-society” approach to the UK’s national cyber security posture, in train with the aims of the government’s National Cyber Strategy.

The event includes various panels, sessions and interactive workshops, many streamed live on the NCSC’s YouTube channel, with key topics this year inevitably including the global cyber security community’s response to the war in Ukraine and the potential threat that Russia’s invasion poses to organisations in the UK.

The conference also hosts the Cyber Den competition, which sees emerging security companies pitch their solutions to various security challenges to the NCSC’s panel of dragons, with the winner receiving a year’s worth of bespoke support and assistance to develop their product or service further.

The full CyberUK 2022 programme can be found here.