Use of cloud services security policy

Purpose

This document provides the policy for the protection and security of London Borough of Enfield (LBE) data and information when using cloud services.

The policy aims to bring together all the compliance and security requirements that need to be implemented for use of cloud services.

This policy assumes that LBE is the Data Controller. The Data Processor is either:

an organization offering cloud services that LBE has contracted with and owns the cloud
an organization providing software as a service that USES cloud provider(s) to deliver their service but is not the owner of the cloud

Objectives

The main objectives of this policy are to:

present the management approved requirements, control objectives and principles for use of cloud services
provide a basis for evaluating the suitability and adequacy of a cloud service in meeting LBE’s security requirements
provide the minimum conditions expected of projects seeking to consume cloud services
maintain confidence that LBE’s use of any particular cloud service meets its corporate and Digital services (DS) risk appetite
maintain confidence that LBE’s use of any particular cloud service meets the requirements of current legislation

Scope

This policy applies to all LBE Digital Services systems, data and information using cloud services directly or indirectly via third parties.

Policy mandate, approval and maintenance

This policy is approved by the Information and Data Governance Board.

The policy will be reviewed regularly and at least annually, and in case of any impacting changes (for example, changes to HMG policy, legislation, regulation, industry standards, LBE DS environment), to ensure it remains current, appropriate and applicable.

Policy

LBE use of cloud services security framework

Figure 1 below, shows the security framework for use of cloud services. The government has provided guidance on Cloud Security Principles that have been widely accepted by the industry and the council will seek to adhere to these principles as well as any additional requirements the council may have.

Any cloud service project will need to start by considering this policy, the NCSC Summary of Cloud Security Principles and the NCSC Cloud Security Guidance: Risk Management. This will set the framework for the implementation of the project.

The implementation of this policy should be performed in accordance with the NCSC Implementing Cloud Security Principles in conjunction with LBE Cloud Services Security Impact Assessment (CSSIA) to ensure that all the applicable requirements and principles are considered and appropriately addressed.

To demonstrate compliance with this policy, project (and services) will be able to rely on verified assurances provided by cloud services providers, whilst ensuring that the on premise systems and end user devices (EUDs) meet all applicable security requirements. The framework takes account of security requirements in supplier relationships, and policies and processes applicable to system development and maintenance, services security operation.

No cloud service should be consumed as a live service until the applicable security requirements in each pillar described below have been considered.

System acquisition, development and maintenance security policies, and supplier relationships:

Pillar 1 - LBE use of cloud services security policy in conjunction with NCSC summary of cloud security principles and NCSC cloud security guidance: risk management
Pillar 2 - Use of NCSC implementing cloud security principles in conjunction with LBE cloud services security impact assessment
Pillar 3 - Cloud services ISMS / security assurance documentation - SaaS, IaaS, PaaS, hybrid services
Pillar 4 - On-premise systems ISMS manuals and end user devices security arrangements

On-going management of authentication and access control, vulnerabilities, patches, protective monitoring and intrusion detection, gateway security, audit and testing, and incident response.

Information assurance conditions

PSN Compliance Where the council is consuming cloud services from its PSN-connected infrastructure, the PSN team expects that the council will have conducted security assessments of these services against the requirements and principles in this policy. The council must be confident that its use of any particular cloud service does not reduce its overall security state below that required in the LBE Information Security Policy Framework (ISPF) and the PSN CoCo IA conditions detailed in the LBE PSN CoCo. Where use of a cloud service imposes a specific security requirement, more detail should be requested from the DS Security Team.

Responsibility for Actions - It is essential, where cloud services are employed (particularly with respect to IaaS and PaaS), that the council is absolutely clear (whether through contractual agreement or other arrangements) whether the responsibility to carry out certain actions (patching) lies with the council or the cloud provider. This must be documented in the design and/or security assessment.

Boundary Protection - The council will ensure that its network has appropriately configured boundary protection between its network/services and cloud services network.

Minimum Network Access - Network traffic, services and content should be limited to that required to support the council’s business need (for example, by setting effective firewall rule sets).

Malware Protection - Services presented outside of the protected enterprise (for example, online services for staff, mobile working), should be delivered from an appropriate architecture, with access to any core information or services constrained. The architecture will include services to identify malware at the gateway. Where encryption prevents this, the council will implement an equivalent level of protection at the end point.

Separation and Interfaces - Procurement of cloud services should consider how the services respond to different business needs and therefore have different security attributes. It is important that any interfaces between services are within scope.

Trust - LBE must establish the basis for trust and perform its own assessment before entrusting a cloud service provider with confidential or sensitive information. This must include a Data Processing or Data Sharing Agreement (or both), and a fully agreed contractual relationship. This does not require a full security audit, but due diligence. The purpose of such a review is to evidence that the provider can be trusted as a Data Processor.

Verification - LBE should ensure that any security or business continuity statement made by a cloud service provider or vendor is independently verified by a trusted and accredited third party. A key part of the evidence base will include that the provider’s services:

Comply with ISO 27001 (and related) policies, procedures and processes are inspected on an annual basis by a recognised ISO 27001 auditor. The ISMS scope must cover all of the relevant provision to LBE
(If a UK PSN provision, and not ISO27001 certified) Goes through an IT Health Check by a CHECK accredited testing partner prior to the commencement of the service and whenever major modifications to the service has taken place
Availability and uptime is continuously monitored by and published in order to ensure it meets the council’s business requirements

Risk Management - LBE’s ICT should have documented risk management and review, which must be proportionate to the system functionality and level of information risk. Where shared services have existing or a community accreditation (for example, the Public Services Network (PSN) and G-Cloud services), then LBE can rely on this assurance providing it supports its own risk appetite (including understanding of any documented residual risks). (This supports the HMG ICT Strategy Programme’s 'accredit once, use many' model.)

Utilising commercial and shared services

Service offerings supporting LBE’s OFFICIAL information classification will be commercially based. These services could be delivered by industry (with industry led independent assessment), or developed as a Public Sector service but still utilising commercial technologies. The council will have to make risk informed decisions as to what type of service is appropriate, based on its business requirements. Security enforcing products within the service offering would be expected to be independently validated or assured.

LBE and other public sector organisations will increasingly be expected to utilise shared services delivered through pan-government ICT programmes. These programmes will provide a range of commoditised products and service offerings, with different security characteristics and levels of assurance. The council’s projects that plan to utilise these shared services and infrastructure to manage assets at OFFICIAL must read the detailed technical standards and guidance developed for the relevant programme, along with any statements of residual risk associated with the use of a particular product or service:

Public Services Network (PSN) - HMG ICT Strategy anticipates that the PSN will be the primary network bearer for OFFICIAL information. PSN consuming organisations, like LBE, must comply with the PSN IA Conditions, and manage any stated residual risks in line with the LBE’s risk appetite.
G-Cloud - HMG G-Cloud programme anticipates that most OFFICIAL information can be managed through accredited service offerings available via the CloudStore. Service offerings will be accredited according to HMG G-Cloud Information Assurance (IA) requirements and Guidance, and any stated residual risks should be managed in line with LBE’s risk appetite.

Three types of service are defined, that will likely be appropriate for different types of information and business processes:

Unassured Cloud services. These services may be appropriate for a limited amount of information that would be classified as OFFICIAL – PUBLIC under the LBE Classification scheme where there is no Confidentiality requirement (such as marketing and communications data intended for public consumption). Risk owners should consider whether they have Integrity or Availability requirements that must be managed.
Assured Public Cloud services will be subject to a suitably scoped ISO27001 certification and other assurance activities. Such services may be appropriate for the generality of OFFICIAL information, although projects should carefully consider the scope of the IS027001 certification, the geographic location of the hosting, and any other residual risks identified as part of the G-Cloud Accreditation Statement. It is unlikely that these services will be suitable for more sensitive information.
Formally accredited Public Cloud or Private Cloud services will be subject to a full HMG accreditation and will be hosted within the EEA. These services are likely to be appropriate for most OFFICIAL information, although projects should still be mindful of any risks involved in outsourcing services and data to the cloud (including those set out in the G-Cloud Accreditation Statement).

In considering utilising G-cloud service offerings the council notes the following:

Off-shoring of information that relates to or supports National Security is prohibited
Wherever possible, any personal data held off-shore should be kept within the EEA or the limited number of countries with positive findings of adequacy from the European Commission

Policy exceptions and violations

Any employee, contractor, partner, service provider or other entity who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written formal complaint or Exception Request, via his or her manager or other manager or Human Resources Department, to the Director of Resources and also the council’s SIRO. Complaints may be dealt with by managers and the HR Department. All Exception Requests must first be approved by the LBE Head Of Director of Resources and also the council’s SIRO.

Any violation of this policy may result in disciplinary action, up to and including termination of employment. LBE reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. LBE does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, LBE reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Terms and definitions

NCSC - National Cyber Security Centre for Information Assurance.

CoCo - PSN Code of Connection. The terms and conditions for connection to the PSN, subject to annual external evaluation.

Data Controller - A term defined in the Data Protection Act 1998. The Data Controller is the person or organisation who is accountable for the management of personal data collected. For a given data item, there is only one data controller.

Data Processor - A term defined in the Data Protection Act 1998 and the Data Protection Bill 2017 (draft at time of writing). The Data Processor is the person or organisation who is accountable for the processing of personal data collected. There may be more than one Data Processor. The General Data Protection Regulation 2016 does not define these terms.

HMG - Her Majesty’s Government.

IA - Information Assurance.

IaaS - Infrastructure as a Service. The provision by a cloud provider of services on which software can be provisioned, such as servers, storage and networking. These services are generally completely virtual and can be scaled up and down quickly, but the purchaser is responsible for maintaining software components.

PaaS - Platform as a Service. The provision by a cloud provider of services on which software can be provisioned, such as servers, storage and networking. Distinct from IaaS as the purchaser is not responsible for maintaining the underlying infrastructure, but is responsible for maintaining software services on the platform.

PSN - Public Services Network. A network for sharing data across government, to which Enfield is connected.

SaaS - Software as a Service. The provision by a cloud provider of software for use. Distinct from IaaS and PaaS as the purchaser does not have access to, or need to maintain, the underlying infrastructure or software.

SPF - Security Policy Framework. The overall governance of an area, setting the conditions for use, risk posture and scope.

The table below gives an analogy to aid understanding of the infrastructure as a service provisions and the differences.

Provision	You manage	Managed by vendor
Traditional IT	Applications Data Runtime Middleware O/S Virtualisation Servers Storage Networking	None
Infrastructure as a service	Applications Data Runtime Middleware O/S	O/S Virtualisation Servers Storage Networking
Software as a service	None	Applications Data Runtime Middleware O/S Virtualisation Servers Storage Networking
Platform as a service	Applications Data	Runtime Middleware O/S Virtualisation Servers Storage Networking

References

Data Protection Act 2018
General Data Protection Regulation 2016/EU679
PSN CoCo
Cabinet Office, Security Policy Framework (SPF)
NHS IG Toolkit
IEC/ISO 27001: 2013 Annex A
IEC/ISO 27002: 2005
IEC/ISO 27002: 2013
IEC/ISO 27005: 2011
IEC/ISO 27018: 2014
National Cloud Security Centre - Cloud security collection
G-Cloud Information Assurance Requirements and Guidance

Policy details

Author - Security Manager
Owner - Information and Data Governance Board
Version - 1.8
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 14.04.2016
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024