How to address the 14 UK Cloud Security Principles – Using Microsoft Azure

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security.

In its publication “Implementing the Cloud Security Principles,”  it lays out the 14 security principles that organisations should use when evaluating cloud services, and which cloud service providers should consider when offering those services to government customers (referred to as “consumers” in the principles).

The 14 principles are aligned with ISO 27001, an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 formally defines requirements for a complete ISMS to help protect and secure an organisation’s data.

The principles defined by NCSC are:

  1. Data in transit protection. Consumer data transiting networks should be adequately protected
    against tampering and eavesdropping via a combination of network protection and encryption.
  2. Asset protection and resilience. Consumer data, and the assets that store or process it, should be
    protected against physical tampering, loss, damage, and seizure.
  3. Separation between consumers. Separation should exist between different consumers of the
    service to prevent one malicious or compromised consumer from affecting the service or data of
  4. Governance framework. The service provider should have a security governance framework that
    coordinates and directs their overall approach to the management of the service and information
    within it.
  5. Operational security. The service provider should have processes and procedures in place to
    ensure the operational security of the service.
  6. Personnel security. Service provider staff should be subject to personnel security screening and
    security education appropriate for their role.
  7. Secure development. Services should be designed and developed to identify and mitigate threats
    to their security.
  8. Supply chain security. The service provider should ensure that its supply chain satisfactorily
    supports all of the security principles that the service claims to implement.
  9. Secure consumer management. Consumers should be provided with the tools required to help
    them securely manage their service.
  10. Identity and authentication. Access to all service interfaces (for consumers and providers) should
    be limited to authenticated and authorised individuals.
  11. External interface protection. All external or less trusted interfaces of the service should be
    identified and have appropriate protections to defend against attacks through them.
  12. Secure service administration. The methods used by the service provider’s administrators to
    manage the operational service should be designed to mitigate any risk of exploitation that could
    undermine the security of the service.
  13. Audit information provision to consumers. Consumers should be provided with the audit records
    they need to monitor access to their service and the data held within it.
  14. Secure use of the service by the consumer. Consumers have certain responsibilities when using a
    cloud service in order for this use to remain secure, and for their data to be adequately protected.

To help find a way through the principles, Microsoft have released a number of Azure Blueprints, enabling the UK public sector to review and understand how solutions built on Azure can implement the 14 individual Cloud Security Principles supporting workloads with information designated as UK OFFICIAL level. The Azure Blueprint outlines how Azure implements security controls designed to satisfy each security principle and assists customers in understanding how they may implement safeguards within their Azure solution to fulfil the requirements of each principle where they hold a responsibility.

As an example, an Azure Virtual Network (VNet) allows full control of security policies and routing within virtual network architectures through deployment and configuration of subnets, network security groups, and user defined routes. Network security groups can be applied to subnets or individual machines, logically separating resources by workload, based on a multi-tier architecture, of for any other purpose.

In the reference architecture below, resources are grouped in separate subnets for the web, business, and data tiers, and subnets for Active Directory resources and management. Network security groups are applied to each subnet to restrict network traffic within the virtual network.

Network security groups can be applied to outgoing communications from subnets and virtual machines. This allows full control over communication between information system components in Azure and external information systems.  Network security group rule processing is implemented as a deny-all, permit-by-exception function. Further, user defined routes can be configured to route both incoming and outgoing communications from specific subnets and virtual machines through a virtual appliance such as a firewall or IDS/IPS, further managing system communications.

The reference architecture above demonstrates how Azure resources can be logically grouped into separate subnets with network security group rulesets applied to ensure that security functions and non-security functions are isolated. In this case, the three web-application tiers are isolated from the Active Directory subnet as well as the management subnet, which may host information system and security management tools and resources.

The reference architecture also implements managed access control points for remote access to the information system.  An Internet-facing load balancer is deployed to distribute incoming Internet traffic to the web application, and the management subnet includes a jumpbox, or bastion host, through which all management-related remote access to the system is controlled. Network security groups restrict traffic within the virtual network ensuring external traffic is only routed to designated public-facing resources.

Network security groups allow full control of communications between Azure resources and external host and systems, as well as between internal subnets and hosts, separating information system components that are designated publicly accessible and those that are not. In addition to the solutions in the reference architecture above, Azure enables deployment of virtual appliances, such as firewall and IDS/IPS solutions which, when used in conjunction with user defined routes, further secure and manage connections between Azure resources and external networks and information systems.

Rulesets for network security groups enable restrictions on specific network ports and protocols, which is a key component of ensuring that information systems are implemented in a manner that provides only essential capabilities.

Whilst this is just one example, there are lots of built-in features that can help organisations meet their security control compliance requirements to take full advantage of the security features offered by Azure.   The 14 Cloud Security Controls for the UK cloud whitepaper provides insight into how Azure services align with the fourteen cloud security principles set forth in the NCSC  publication Implementing the Cloud Security Principles.

If you would like to discuss how CoreAzure can help you take full advantage of the security features offered by Azure , then please get in touch with us using the form below.

Send us mail