How to use a cloud service securely: NCSC launches new security guidance

The National Cyber Security Centre (NCSC) has launched new guidance on how to use a cloud service securely, which aims to help users meet their security responsibilities by ensuring proper configuration of their chosen service.

In a blog post accompanying the new guidance, a principal security researcher emphasises that “most security incidents we see in the cloud boil down to configuration issues in use of the service”, calling the chosen service “a critical investment”.

The NCSC’s guidance is delivered in two parts, focusing on software as a service (SaaS) and cloud platforms.

On the first, NCSC states that the main focus when using a SaaS application securely is “configuring identity and access controls to be secure enough, with an excellent user experience. Poor authentication and authorisation configuration is one of the most common sources of security issues in SaaS apps.”

The blog goes on to make the distinction between this and use of a cloud platform, noting that on a cloud platform people will be interacting with the services rather than the hosting platform itself. “As a result, the new guidance focuses on building strong observability, and using automation to implement your security approach,” it notes. “However, we have deliberately avoided including guidance on how to build applications on a cloud platform, as the best approach will vary between use cases and security requirements.”

The new guidance largely builds upon the foundation of the NCSC’s existing guiding principles, such as identity and access control. Guidance on modern controls like single sign-on (SSO), multi-factor authentication (MFA), secure administration, and the use of trustworthy devices features heavily in the newest update.

The guidance also challenges some common security practices which have emerged, stating that: “We advise making it easy for users to connect, build, share, and collaborate as they need, using automation, guardrails, and user training (instead of broad restrictions and frustrating approval processes). Blocking people from being productive just leads to shadow IT.”

The researcher concludes: “We believe that by applying our refreshed Cloud Security Principles and the new cloud platform and SaaS guidance in tandem, you should be protected from most common cyber attacks we see. With this guidance, you can embrace the opportunities and benefits of cloud services with confidence.”

The new guidance can be accessed here.