
Cloud Security Principles

Introduction

This document describes our approach to implementing the National Cyber Security Centre's Cloud Security Principles. You'll find information about how we meet each principle and links to further information where appropriate.

Data in Transit Protection

User data transiting networks should be adequately protected against tampering and eavesdropping.

NCSC - Data in Transit Protection

We use Transport Layer Security (TLS 1.2) to protect data in transit for all services and service access, and apply certificate and TLS hardening best practice wherever it is appropriate.

Where HTTPS cannot be used, for example on some connections between our service and third-party suppliers (or your own systems), we use IPsec VPN gateways; these are also used for non-HTTP integrations.
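As an added example (not GOSS code), the following Go program shows what the TLS 1.2 floor means in practice: a hardened server configuration that also limits TLS 1.2 to forward-secret AEAD cipher suites, exercised over an in-memory connection against a modern client and against a client pinned to TLS 1.0. The host name hosting.example, the throwaway self-signed certificate and the suite list are assumptions made for the demonstration; the real certificate chain and cipher policy are not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example, not GOSS code. The host name and certificate are assumptions
// so that the handshake can be exercised entirely offline.
const hostName = "hosting.example"

// selfSignedCert builds a throwaway ECDSA certificate for hostName and a pool
// that trusts it, standing in for the real certificate chain.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostName},
		DNSNames:              []string{hostName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HardenedServerConfig sets TLS 1.2 as the floor and, for TLS 1.2, allows only
// forward-secret AEAD suites (Go fixes the TLS 1.3 suites itself).
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences:       []tls.CurveID{tls.X25519, tls.CurveP256},
		SessionTicketsDisabled: true, // no post-handshake writes, so the in-memory pipe cannot stall
	}
}

// ModernClientConfig is what a current browser or API client offers.
func ModernClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: hostName, MinVersion: tls.VersionTLS12}
}

// LegacyClientConfig pins an old integration client to TLS 1.0 only.
func LegacyClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: hostName, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
}

// Handshake runs one handshake over net.Pipe and returns the negotiated
// version, or the error raised by either side. A deadline turns any stall
// into an error rather than a hang.
func Handshake(server, client *tls.Config) (uint16, error) {
	sc, cc := net.Pipe()
	defer sc.Close()
	defer cc.Close()
	deadline := time.Now().Add(5 * time.Second)
	sc.SetDeadline(deadline)
	cc.SetDeadline(deadline)
	srv := tls.Server(sc, server)
	serverErr := make(chan error, 1)
	go func() { serverErr <- srv.Handshake() }()
	cli := tls.Client(cc, client)
	if err := cli.Handshake(); err != nil {
		cc.Close() // unblocks the server goroutine if it is still reading
		return 0, fmt.Errorf("client: %v; server: %v", err, <-serverErr)
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := HardenedServerConfig(cert)
	v, err := Handshake(srv, ModernClientConfig(pool))
	fmt.Printf("modern client: version=%#x err=%v\n", v, err)
	_, err = Handshake(srv, LegacyClientConfig(pool))
	fmt.Printf("TLS 1.0 client: err=%v\n", err)
}
```

Running it prints the negotiated version for the modern client (TLS 1.3 with current Go) and a protocol-version error for the legacy one. The same outcome is what an external scan of a hosted site's endpoint should report, and that scan output is the evidence worth keeping for the TLS hardening claim above.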

Asset Protection and Resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

NCSC - Asset Protection and Resilience

The NCSC divides this principle into the following aspects.

Physical Location and Legal Jurisdiction

All data is stored, processed and managed in the UK. We are a UK-based service provider.

Data Centre Security

We use Amazon Web Services and Google Cloud Platform as our data centre suppliers. See aws.amazon.com/compliance/data-center/controls and cloud.google.com/security/overview for information about their security controls.

Using two suppliers allows us to remain cloud-agnostic, which protects us against global outages, account compromise, security breaches and the other risks that reliance on a single provider would bring.

AWS is used as a primary location for hosted services. GCP is used as an offsite backup repository and hosts Disaster Recovery environments.

Data at Rest Protection

As well as the physical access controls of the data centre, data is encrypted at rest using AES-256 encryption.

Data is backed up and restored using our own tooling; we do not store unencrypted files in either AWS or GCP. Files are encrypted locally, using a key held in a secure vault, before being synchronised to AWS S3 and GCP Cloud Storage.

For clients who have Disaster Recovery added to the service, this data is restored and tested at least once every 24 hours; for all other clients, restores are tested on an ad hoc basis.

Access to the data, and to the keys used to encrypt it, is logged and audited.
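An added example of the "encrypt locally, then synchronise" pattern described above, written for this page rather than taken from GOSS's tooling. It uses envelope encryption: each backup is encrypted under a fresh random data key with AES-256-GCM, and only the wrapped data key travels with the ciphertext. The vault is simulated by an in-memory key-encryption key with a label (vault:backup-kek-v1); which vault product is used, and how keys are fetched from it, is not stated on the page and is an assumption here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not GOSS's backup tooling. The vault is simulated: the
// key-encryption key (KEK) lives only in memory and is referred to by a label.
// A real deployment fetches it from the vault for each run and never stores it
// beside the backups.

// Blob is the object that would be synchronised to S3 or Cloud Storage. It
// carries the wrapped data key and the ciphertext; without the KEK the
// supplier holding it can read nothing.
type Blob struct {
	KEKID      string // label of the vault key that wrapped the data key
	WrappedKey []byte // nonce || AES-256-GCM(KEK, dataKey, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, plaintext, aad=KEKID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext or tag fails here.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptBackup encrypts one backup file locally, before upload, under a fresh
// 256-bit data key and wraps that key with the vault KEK. The KEK label is
// bound into both AEADs as associated data, so a blob cannot be re-pointed at
// a different key. The returned digest is the restore-test reference and
// belongs in operator records, not beside the blob.
func EncryptBackup(kek []byte, kekID string, plaintext []byte) (*Blob, string, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, "", err
	}
	wrapped, err := seal(kek, dataKey, []byte(kekID))
	if err != nil {
		return nil, "", err
	}
	ct, err := seal(dataKey, plaintext, []byte(kekID))
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(plaintext)
	return &Blob{KEKID: kekID, WrappedKey: wrapped, Ciphertext: ct}, hex.EncodeToString(sum[:]), nil
}

// RestoreBackup unwraps the data key and decrypts. A wrong or unauthorised
// KEK, or any bit flipped in the stored object, fails authentication here.
func RestoreBackup(kek []byte, kekID string, b *Blob) ([]byte, error) {
	if b.KEKID != kekID {
		return nil, fmt.Errorf("blob wrapped with %q, not %q", b.KEKID, kekID)
	}
	dataKey, err := unseal(kek, b.WrappedKey, []byte(kekID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := unseal(dataKey, b.Ciphertext, []byte(kekID))
	if err != nil {
		return nil, fmt.Errorf("decrypt backup: %w", err)
	}
	return pt, nil
}

// VerifyRestore is the scheduled restore test: decrypt and compare the digest
// with the one recorded at backup time.
func VerifyRestore(kek []byte, kekID string, b *Blob, expectedDigest string) bool {
	pt, err := RestoreBackup(kek, kekID, b)
	if err != nil {
		return false
	}
	sum := sha256.Sum256(pt)
	return hex.EncodeToString(sum[:]) == expectedDigest
}

func main() {
	kek := make([]byte, 32) // simulated vault key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const kekID = "vault:backup-kek-v1"
	original := []byte("constructed sample: site database dump") // constructed input
	blob, digest, err := EncryptBackup(kek, kekID, original)
	if err != nil {
		panic(err)
	}
	fmt.Println("restore test passes:", VerifyRestore(kek, kekID, blob, digest))
	blob.Ciphertext[len(blob.Ciphertext)-1] ^= 0x01 // a corrupted or tampered stored object
	_, err = RestoreBackup(kek, kekID, blob)
	fmt.Println("tampered object:", err)
}
```

Because GCM authenticates the data, a restore that decrypts cleanly is already evidence that the object in S3 or Cloud Storage was not altered; the digest recorded at backup time lets the nightly restore test confirm that the content matches what was backed up, not merely that decryption succeeded. One caveat of wrapping keys locally: a 96-bit random nonce under a long-lived KEK should be rotated well before 2^32 wraps, which is one reason managed vaults do the wrapping service-side and log each use of the key, as the audit requirement above expects.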

Data Sanitisation and Equipment Disposal

AWS uses techniques described in industry-accepted standards to ensure that data is erased when resources are moved or reprovisioned, when equipment leaves service, or when you request it to be erased.

Physical Resilience and Availability

The combined use of Availability Zones, geographically distributed regions and numerous AWS service features provides us with the ability to design and architect resilient applications and platforms. We also commit to a hosting SLA and make historical network and service availability data available for you to review. All AWS and GCP services we use provide an availability SLA of at least 99.99% across the regions we use.

Backup and Recovery

Data from hosted sites is backed up every night and kept for four weekly rotations (the retention period). We offer a range of DR options with varying levels of RTO and RPO.

Separation Between Users

A malicious or compromised user of the service should not be able to affect the service or data of another.

NCSC - Separation Between Users

The hosting services use "Infrastructure as a Service" and "Public Deployment" models. We provide a managed "Platform as a Service" to you.

All of our services run on virtual machines: AWS EC2 instances and Google Compute Engine instances respectively. Network services are virtualised using the Virtual Private Cloud offerings of both providers.

Virtual machines, networks and security rules are dedicated to a single hosted client and environment. Those resources are not shared between clients, and there is no network connectivity between clients, or between different environments belonging to the same client.

Governance Framework

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

NCSC - Governance Framework

Our governance framework forms part of our ISO 27001 certification. It is overseen by our Information Security Manager and includes a documented framework for security governance, security risk assessments, and ongoing processes to ensure compliance with security standards.

Operational Security

The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

NCSC - Operational Security

There are four elements to consider as part of operational security.

Configuration and Change Management

Our approach to change management is covered in the Support Operations section of our Hosting Manual. Our change control process falls within the governance of our ISO 27001 certification.

Vulnerability Management

As with change management, our vulnerability management is covered by our ISO 27001 certification. The Scheduled Maintenance section of the Hosting Manual describes our maintenance procedures.

Protective Monitoring

In the event of a malicious attack, logging identifies its source even where the attack is repelled. GOSS engineers are trained to identify, and where required block, potential attacks.
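An added detection example, not GOSS's monitoring (whose rules the page does not describe): a Go rule run over constructed access-log lines in the common Apache/nginx combined format, flagging sources whose requests draw denied or not-found responses on many distinct paths in a short window. The window, the threshold and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"time"
)

// Added example, not GOSS's monitoring stack. The log lines are constructed in
// the common "combined" format and the window and threshold are assumptions;
// the point is the rule, not the numbers.

var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) `)

const clfTime = "02/Jan/2006:15:04:05 -0700"

type hit struct {
	at   time.Time
	path string
	code int
}

// parseLine pulls source address, timestamp, request path and status out of
// one line; lines that do not match are reported as not ok rather than guessed.
func parseLine(line string) (src string, h hit, ok bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return "", hit{}, false
	}
	t, err := time.Parse(clfTime, m[2])
	if err != nil {
		return "", hit{}, false
	}
	code, err := strconv.Atoi(m[4])
	if err != nil {
		return "", hit{}, false
	}
	return m[1], hit{at: t, path: m[3], code: code}, true
}

// Suspects returns the sources that drew 401/403/404 responses on at least
// `threshold` distinct paths within any `window`, with the path count.
// Counting distinct paths keeps a visitor reloading one dead link from
// tripping the rule, while a scanner walking /wp-login.php, /.env and
// /.git/config does trip it.
func Suspects(lines []string, window time.Duration, threshold int) map[string]int {
	bySrc := map[string][]hit{}
	for _, l := range lines {
		src, h, ok := parseLine(l)
		if !ok || (h.code != 401 && h.code != 403 && h.code != 404) {
			continue
		}
		bySrc[src] = append(bySrc[src], h)
	}
	flagged := map[string]int{}
	for src, hits := range bySrc {
		sort.Slice(hits, func(i, j int) bool { return hits[i].at.Before(hits[j].at) })
		best := 0
		for i := range hits {
			paths := map[string]bool{}
			for j := i; j < len(hits) && hits[j].at.Sub(hits[i].at) <= window; j++ {
				paths[hits[j].path] = true
			}
			if len(paths) > best {
				best = len(paths)
			}
		}
		if best >= threshold {
			flagged[src] = best
		}
	}
	return flagged
}

// SampleLog is constructed: a scanner, a visitor reloading one broken link,
// and a normal visitor. Addresses come from the documentation ranges.
var SampleLog = []string{
	`203.0.113.7 - - [05/Sep/2019:10:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.58.0"`,
	`203.0.113.7 - - [05/Sep/2019:10:12:02 +0000] "GET /.env HTTP/1.1" 404 512 "-" "curl/7.58.0"`,
	`203.0.113.7 - - [05/Sep/2019:10:12:04 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "curl/7.58.0"`,
	`203.0.113.7 - - [05/Sep/2019:10:12:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.58.0"`,
	`203.0.113.7 - - [05/Sep/2019:10:12:07 +0000] "GET /admin/ HTTP/1.1" 403 512 "-" "curl/7.58.0"`,
	`203.0.113.7 - - [05/Sep/2019:10:12:09 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.58.0"`,
	`198.51.100.20 - - [05/Sep/2019:10:15:00 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"`,
	`198.51.100.20 - - [05/Sep/2019:10:15:03 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"`,
	`198.51.100.20 - - [05/Sep/2019:10:15:09 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"`,
	`198.51.100.20 - - [05/Sep/2019:10:15:20 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"`,
	`198.51.100.20 - - [05/Sep/2019:10:15:41 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"`,
	`192.0.2.55 - - [05/Sep/2019:10:16:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"`,
	`192.0.2.55 - - [05/Sep/2019:10:16:03 +0000] "GET /news/ HTTP/1.1" 200 6144 "-" "Mozilla/5.0"`,
}

func main() {
	for src, n := range Suspects(SampleLog, time.Minute, 5) {
		fmt.Printf("%s: %d distinct denied or missing paths within a minute\n", src, n)
	}
}
```

On the sample, only 203.0.113.7 is flagged (six distinct paths in eight seconds); the visitor reloading /old-page.html five times and the normal visitor are not. A flagged source is a candidate for the engineer to review and, where required, block; the log lines themselves remain the record of where the attempt came from.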

Incident Management

All security breaches and incidents are investigated in line with our internal incident management process. We will inform you of incidents relevant to you in a timely manner, either by telephone or via the Online Support System, depending on the severity of the incident.

Personnel Security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

NCSC - Personnel Security

We perform personnel screening conforming to BS 7858:2019 for network and hosting staff, plus BPSS screening for all staff. All staff receive regular security training. All access to your data requires strong authentication, as described elsewhere in this document.

Secure Development

Services should be designed and developed to identify and mitigate threats to their security. Those which aren't may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

NCSC - Secure Development

Security is considered throughout our design and development process, including the training of our developers to follow OWASP guidelines as part of the core product development process. Our engineering approach is documented as part of our ISO 9001 and ISO 27001 certified procedures.

Supply Chain Security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

NCSC - Supply Chain Security

We assess the trustworthiness of suppliers and perform due diligence checks in accordance with the security requirements relevant to the service provided. Supplier relationships are examined as part of our ISO 27001 certified processes. We do not share data with third-party suppliers, and your data hosted on third-party systems is stored encrypted and is not accessible to those suppliers.

Secure User Management

Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

NCSC - Secure User Management

The cloud security principles highlight two aspects of user management.

Authentication

You have complete control over the users who are able to access the management interfaces of your platform/solution. You can also audit user permissions, view logs of user access, generate reports of user activity, and set password strength and complexity rules. Two-factor authentication can also be enabled for website logins.

Access to the hosting infrastructure is restricted to a limited number of GOSS staff, as described elsewhere in this document.

Our support systems are secured and can only be accessed by approved users. Our support procedures are assessed as part of our ISO 27001 certification.

Separation and Access Control

User infrastructure is segregated using virtualised environments, so that other clients cannot affect your service management. Within the service you have the ability to manage user access and privileges; we provide training and documentation to assist you in setting this up. Penetration testing feeds into our regular security improvements.

Identity and Authentication

All access to service interfaces should be constrained to authenticated and authorised individuals.

NCSC - Identity and Authentication

Access to the service infrastructure is limited to authorised staff who require access for a specific documented purpose. There's more information in the Secure Service Administration section. Users have no direct access to the service infrastructure.

Access to the service management interface (iCM) is over HTTPS; it can be federated with an existing identity provider, may be restricted to certain IP addresses, and requires a username and password with complexity rules that you define.

External Interface Protection

All external or less trusted interfaces of the service should be identified and appropriately defended.

NCSC - External Interface Protection

Due to the nature of the services we deliver, they have public interfaces available over the internet (for example your website). We enforce HTTPS across all sites and, as a GOSS hosted client, we provide you with an appropriate certificate signed using a SHA-2 hash.

Interfaces exposed to a third party for integration purposes should use a site-to-site VPN connection for the transfer of data. Our IPsec endpoints support all profiles listed in the NCSC guidance.

Secure Service Administration

Systems used for the administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

NCSC - Secure Service Administration

Our service administration is based upon a model that uses dedicated devices for multiple community service administration. We use this model as we have clients in both the public and private sectors.

In addition we implement the following:

  • GOSS administrators have individual accounts to access cloud administration portals
  • Two-factor authentication is required for login
  • Different levels of access are given to administration networks
  • Only designated technicians have access

Audit Information for Users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

NCSC - Audit Information for Users

You have complete control over the users who are able to access the management interfaces of your platform/solution and the data stored within it. You can perform audits of user permissions, view logs of user access and generate reports of user activity on demand.

We do not make public the audit information of the underlying cloud infrastructure.

Secure Use of the Service

The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

NCSC - Secure Use of the Service

We provide full training and comprehensive documentation to aid you in using the service securely. You can also contact our support teams for advice.

Last modified on 05 September 2019
