Cloud Computing Security Policy and Standard
Cloud Computing Security Policy and Standard
D-U-N-S: International House, 24 Holborn Viaduct, London, EC1A 2BN, UK, Number:
06871 International House, 24 Holborn Viaduct, London, EC1A 2BN, UK, Number:
06871193, D-U-N-S: 211601017193, D-U-N-S: 211601017 211601017
Version: 2.1
INTRODUCTION
Document Purpose
Cloud computing is an approach to delivering IT services that promise to be highly agile
and lower costs for Foresight Cyber. Many cloud service providers allow organisations to
use new services, support new ways of working, and overcome the gap in internal IT
capabilities.
This Cloud Security Standard sets the use of best practices for providing security assurance
within Cloud Computing. The standard is setting the required processes and controls for
cloud computing use in Foresight Cyber.
Scope
The document covers all security aspects of Cloud services, namely design, procurement,
running and decommissioning. The Standard covers the whole Foresight Cyber Ltd group,
systems, employees and contractors.
Cloud Services enable Foresight Cyber to be agile and concentrate on its core business, however
the cloud services must be carefully assessed, selected and embedded into company’ operational
processes to limit to the extent possible business risks, such as but not limited to business
disruption security incidents , and financial loss.
This policy is owned by CEO and enforced by Head of Operations. The cloud security
standard statements that follow expand on this policy statement. Further guidance is
located in wiki pages.
However, the use of certain types of cloud services increases risk to unacceptable levels
and therefore the Foresight Cyber requirements related to Cloud are listed below:
Generic requirements
• Requirement 13: Limit the use of live data for testing and development purposes
• Requirement 14: Maintain security of cloud environments
• Requirement 15: Monitor Cloud providers security arrangements
GENERIC REQUIREMENTS
Justification: Foresight Cyber needs to manage risk diligently. Knowing what Cloud services
are deployed is key for managing unknown risks.
Detailed requirements:
1. Gather information about possible cloud deployments and correlate with the
central cloud services register.
2. Monitor connections between Foresight Cyber internal networks / systems and
external networks to identify new services that have been deployed.
3. Identify large amounts of data that are being transferred between Foresight Cyber
and Cloud providers.
Justification: Business applications that are developed and deployed internally must
conform to the Foresight Cyber enterprise and security architecture requirements. One of
the main features of the security architecture is that it ensures that there is an integrated
approach – helping to ensure that individual weaknesses in applications do not
compromise the security, regulatory compliance and business continuity of Foresight
Cyber. Additionally, as cloud native organisation, we must preferably use cloud security
controls.
Detailed requirements:
1. CTO to outline how cloud services should and should not be used and how cloud
services should integrate with standard security services
2. CTO to ensure security controls are extended to cloud, and where possible use
cloud vendor native security controls.
3. The Security Architecture and associated controls & tooling should adapt to Cloud
Shared Responsibility Model
4. Cloud Services to be assessed against the enterprise and security architectures
5. Document all Cloud Services in Foresight Cyber CMDB, as defined by Cloud
Security Alliance Guidance1 and detailed by each cloud provider (such as Azure
2
and AWS3)
1
https://cloudsecurityalliance.org/research/guidance/
2
https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
3
https://aws.amazon.com/compliance/shared-responsibility-model/
Justification: Cloud Providers and their Services change and Foresight Cyber may choose
or be forced to exit a cloud provider service.
Detailed requirements:
1. When evaluating a cloud service for a business process, prepare a high-level plan
for existing the cloud provider
2. Where possible setup automated data exports to ensure business continuity
Justification: The data owner is accountable for ensuring the security controls for the data
are adequate and without the data owner permission the data cannot be processed in the
Cloud. Public clouds share infrastructure and potentially data with other customers and
that could present unacceptable risk to Foresight Cyber.
Detailed requirements:
1. Consult with the data owner and obtain the permission to process data in the
cloud
2. Ensure all copies of personally identifiable information are protected by the same
controls
3. Ensure the Cloud provider has appropriate system and data segregation controls
in place, based on the criticality of the systems and data classification
4. Comply with the data classification table for Cloud services:
Detailed requirements:
Link the Cloud service into the Foresight Cyber Identity and Access
architecture and monitoring of activities of users
Justification: Different identity and access management solutions could be required for
each cloud computing service or no solution being provided at all. This could result in users
potentially having multiple unrelated user identities all of which need to be managed by
both the user and Foresight Cyber.
Detailed requirement:
1. Evaluate the access controls of the cloud service to determine if they meet the
Foresight Cyber requirements, specifically:
a. log changes to access rights,
b. prevent access by cloud service provider users to Foresight Cyber data
c. satisfy the access requirements of Foresight Cyber including the
appropriate granularity of access rights.
2. Determine how access control to cloud services will be managed and utilise
Foresight Cyber Identity and Access systems to manage the access.
3. Require all cloud services to integrate with the Foresight Cyber Identity Access
Management (AIM) architecture for provisioning and single sign-on (SSO)
4. Identify which events (e.g. login, access to data or changing user permissions) need
to be logged.
5. Determine the level of event logging of user activity that is available with the cloud
provider.
6. Commission transfer of logging information, together with correct mapping to
enable parsing of logs, from the Cloud provider to Foresight Cyber logging
platform.
Justification: If cloud services are being purchased outside Foresight Cyber purchasing
process, then the necessary assessments are missed. Proper process ensures technology
solutions are fit for Foresight Cyber and do not increase the risk to unacceptable levels.
Detailed requirements:
Justification: While Foresight Cyber may not exercise the right to audit for all Cloud
providers, not having the right to review the audit results may constitute a breach of clients’
contracts.
Detailed requirements:
Justification: Privacy (or data protection) legislation typically places restrictions on the
geographical locations that can be used to store personally identifiable information. Often
it specifies that information can only be stored in recognized jurisdictions and restricts the
movement of the information across national boundaries. Placing personally identifiable
information in the cloud may result in Foresight Cyber breaching privacy laws or
regulations – possibly incurring severe penalties and causing reputational damage.
Detailed requirements:
Justification: Cloud services offer flexible and sometimes inexpensive way of supporting
business processes. However, disasters and other disruptions can happen, such as
criminal investigations, and the potential business impact for lost time and data can be
order of a magnitude bigger than the compensation from the cloud provider.
Detailed requirement:
1. Evaluate the availability requirements and the business impact of the cloud
computing service in case of disaster or criminal investigation
2. Request the Cloud provider’s disaster recovery plan and update Foresight Cyber’s
plans accordingly:
3. Add SLAs and compensation clauses in the contract, based on impact of loss of
service or loss of access to service.
Justification: Foresight Cyber needs to exercise due diligence when acquiring services of
3rd parties, including the Cloud providers.
Detailed requirement:
1. Require the cloud provider to provide information about the security architecture,
the security controls deployed to protect their services and details of any incidents
they have experienced via the 3rd party assessment.
2. Obtain details of the timing, scope, results and mitigating actions for any
independent audits or certification assessments performed on the cloud provider
and its services
Justification: Foresight Cyber must exercise due diligence and be able to perform forensic
investigations on Systems and Data provided to Foresight Cyber by the Cloud Provider, and
on Systems, Data, and Processes used by the Cloud Provider to provision and manage the
Foresight Cyber Cloud infrastructure.
Detailed requirements:
Justification: Foresight Cyber may face issues related to the privacy of personally
identifiable information if the test information is an exact copy of the live information.
Detailed requirements:
Justification: Running IT systems and Business applications, observing the constrains and
principles of Shared Responsibility Model, is key control to ensure Foresight Cyber
maintains the business benefits of cloud computing whilst limiting business, security and
compliance risks.
Detailed Requirements:
1. Secure all cloud systems and applications according to information security policy
requirements, adjusting controls to fit the Shared Responsibility model and cloud
specific attributes
2. Monitor improvements in security controls natively available by cloud providers that
allow Foresight Cyber secure workloads, and implement these by default unless
there is a good business justification not to do so, an exception can be approved by
CTO
Justification: Security arrangements need to be monitored not just at the point of contract
signing but throughout the contract life, in order to ensure that the security of Foresight
Cyber data and processes is not affected.
Detailed requirements:
1. Where possible integrate Cloud provider logging and monitoring solution with that
of Foresight Cyber
2. At minimum annually, review Cloud provider security posture
Detailed requirement:
1. Remove Foresight Cyber Data from the cloud provider system, application, data
storage
2. Remove technical integrations, such as IAM, logging, data transfers
Essential Characteristics
Service Models
• Software as a Service (SaaS) - The capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure. The applications are
accessible from various client devices through either a thin client interface, such as
a web browser (e.g., web-based email), or a program interface. The consumer does
not manage or control the underlying cloud infrastructure including network,
Deployment Models
• Private cloud. The cloud infrastructure is provisioned for exclusive use by a single
organization comprising multiple consumers (e.g., business units). It may be owned,
managed, and operated by the organization, a third party, or some combination of
them, and it may exist on or off premises. Community cloud. The cloud
infrastructure is provisioned for exclusive use by a specific community of consumers
from organizations that have shared concerns (e.g., mission, security requirements,
policy, and compliance considerations). It may be owned, managed, and operated
by one or more of the organizations in the community, a third party, or some
combination of them, and it may exist on or off premises.
• Public cloud. The cloud infrastructure is provisioned for open use by the general
public. It may be owned, managed, and operated by a business, academic, or
government organization, or some combination of them. It exists on the premises
of the cloud provider.
• Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud
infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).
REVISION HISTORY
2.1 4th
April 2022 Changes page numbers