Karl Flinders Friday 20 December 2013 15:05
The Cabinet Office has published guidance on the security considerations public sector organisations should make when choosing cloud service providers.
With a cloud-first policy for IT procurement, the government needs to help public sector organisations overcome security fears associated with cloud services.
The guidance on considerations when procuring cloud services is still in beta, and the Cabinet Office wants feedback.
“This guidance is intended to help organisations consider the security features of cloud services they wish to use. It is the first of a number of guidance documents for the public sector relating to the use of cloud services to process official information,” said the Cabinet Office.
The Cloud Service Security Principles document states that the principles apply equally to infrastructure as a service, platform as a service and software as a service alternatives.
It is for the consumer of the service to decide which of the security principles are important to them in the context of how they expect to use the service, the document states.
Some service providers will be able to offer higher levels of confidence in how they implement the different security principles. Consumers will need to decide how much, if any, assurance they require in the different security principles which matter to them.
The Cabinet Office has a cloud-first mandate to cut costs related to IT procurement. With security a big fear for many organisations, the Cloud Service Security Principles document is a step towards supporting public sector organisations moving to the cloud, often for the first time.
The principles cover 14 broad areas: data in transit protection; asset protection and resilience; separation between consumers; governance; operational security; personnel security; secure development; supply chain security; secure consumer management; secure on-boarding and off-boarding; service interface protection; secure service administration; audit information provision to tenants; and secure use of the service by the consumer.