Use of cloud services security policy

Purpose

This document provides the policy for the protection and security of London Borough of Enfield (LBE) data and information when using cloud services.

The policy aims to bring together all the compliance and security requirements that need to be implemented for use of cloud services.

This policy assumes that LBE is the Data Controller. The Data Processor is either:

Objectives

The main objectives of this policy are to:

Scope

This policy applies to all LBE Digital Services systems, data and information using cloud services directly or indirectly via third parties.

Policy mandate, approval and maintenance

This policy is approved by the Information and Data Governance Board.

The policy will be reviewed regularly and at least annually, and in case of any impacting changes (for example, changes to HMG policy, legislation, regulation, industry standards, LBE DS environment), to ensure it remains current, appropriate and applicable.

Policy

LBE use of cloud services security framework

Figure 1 below, shows the security framework for use of cloud services. The government has provided guidance on Cloud Security Principles that have been widely accepted by the industry and the council will seek to adhere to these principles as well as any additional requirements the council may have.

Any cloud service project will need to start by considering this policy, the NCSC Summary of Cloud Security Principles and the NCSC Cloud Security Guidance: Risk Management. This will set the framework for the implementation of the project.

The implementation of this policy should be performed in accordance with the NCSC Implementing Cloud Security Principles in conjunction with LBE Cloud Services Security Impact Assessment (CSSIA) to ensure that all the applicable requirements and principles are considered and appropriately addressed.

To demonstrate compliance with this policy, project (and services) will be able to rely on verified assurances provided by cloud services providers, whilst ensuring that the on premise systems and end user devices (EUDs) meet all applicable security requirements. The framework takes account of security requirements in supplier relationships, and policies and processes applicable to system development and maintenance, services security operation.

No cloud service should be consumed as a live service until the applicable security requirements in each pillar described below have been considered.

System acquisition, development and maintenance security policies, and supplier relationships:

On-going management of authentication and access control, vulnerabilities, patches, protective monitoring and intrusion detection, gateway security, audit and testing, and incident response.

Information assurance conditions

PSN Compliance – Where the council is consuming cloud services from its PSN-connected infrastructure, the PSN team expects that the council will have conducted security assessments of these services against the requirements and principles in this policy. The council must be confident that its use of any particular cloud service does not reduce its overall security state below that required in the LBE Information Security Policy Framework (ISPF) and the PSN CoCo IA conditions detailed in the LBE PSN CoCo. Where use of a cloud service imposes a specific security requirement, more detail should be requested from the DS Security Team.

Responsibility for Actions – It is essential, where cloud services are employed (particularly with respect to IaaS and PaaS), that the council is absolutely clear (whether through contractual agreement or other arrangements) whether the responsibility to carry out certain actions (patching) lies with the council or the cloud provider. This must be documented in the design and/or security assessment.

Boundary Protection – The council will ensure that its network has appropriately configured boundary protection between its network/services and cloud services network.

Minimum Network Access – Network traffic, services and content should be limited to that required to support the council’s business need (for example, by setting effective firewall rule sets).

Malware Protection – Services presented outside of the protected enterprise (for example, online services for staff, mobile working), should be delivered from an appropriate architecture, with access to any core information or services constrained. The architecture will include services to identify malware at the gateway. Where encryption prevents this, the council will implement an equivalent level of protection at the end point.

Separation and Interfaces – Procurement of cloud services should consider how the services respond to different business needs and therefore have different security attributes. It is important that any interfaces between services are within scope.

Trust – LBE must establish the basis for trust and perform its own assessment before entrusting a cloud service provider with confidential or sensitive information. This must include a Data Processing or Data Sharing Agreement (or both), and a fully agreed contractual relationship. This does not require a full security audit, but due diligence. The purpose of such a review is to evidence that the provider can be trusted as a Data Processor.

Verification – LBE should ensure that any security or business continuity statement made by a cloud service provider or vendor is independently verified by a trusted and accredited third party. A key part of the evidence base will include that the provider’s services:

Risk Management – LBE’s ICT should have documented risk management and review, which must be proportionate to the system functionality and level of information risk. Where shared services have existing or a community accreditation (for example, the Public Services Network (PSN) and G-Cloud services), then LBE can rely on this assurance providing it supports its own risk appetite (including understanding of any documented residual risks). (This supports the HMG ICT Strategy Programme’s 'accredit once, use many' model.)

Utilising commercial and shared services

Service offerings supporting LBE’s OFFICIAL information classification will be commercially based. These services could be delivered by industry (with industry led independent assessment), or developed as a Public Sector service but still utilising commercial technologies. The council will have to make risk informed decisions as to what type of service is appropriate, based on its business requirements. Security enforcing products within the service offering would be expected to be independently validated or assured.

LBE and other public sector organisations will increasingly be expected to utilise shared services delivered through pan-government ICT programmes. These programmes will provide a range of commoditised products and service offerings, with different security characteristics and levels of assurance. The council’s projects that plan to utilise these shared services and infrastructure to manage assets at OFFICIAL must read the detailed technical standards and guidance developed for the relevant programme, along with any statements of residual risk associated with the use of a particular product or service:

Three types of service are defined, that will likely be appropriate for different types of information and business processes:

In considering utilising G-cloud service offerings the council notes the following:

Policy exceptions and violations

Any employee, contractor, partner, service provider or other entity who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written formal complaint or Exception Request, via his or her manager or other manager or Human Resources Department, to the Director of Resources and also the council’s SIRO. Complaints may be dealt with by managers and the HR Department. All Exception Requests must first be approved by the LBE Head Of Director of Resources and also the council’s SIRO.

Any violation of this policy may result in disciplinary action, up to and including termination of employment. LBE reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. LBE does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, LBE reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Terms and definitions

NCSC – National Cyber Security Centre for Information Assurance.

CoCo – PSN Code of Connection. The terms and conditions for connection to the PSN, subject to annual external evaluation.

Data Controller – A term defined in the Data Protection Act 1998. The Data Controller is the person or organisation who is accountable for the management of personal data collected. For a given data item, there is only one data controller.

Data Processor – A term defined in the Data Protection Act 1998 and the Data Protection Bill 2017 (draft at time of writing). The Data Processor is the person or organisation who is accountable for the processing of personal data collected. There may be more than one Data Processor. The General Data Protection Regulation 2016 does not define these terms.

HMG – Her Majesty’s Government.

IA – Information Assurance.

IaaS – Infrastructure as a Service. The provision by a cloud provider of services on which software can be provisioned, such as servers, storage and networking. These services are generally completely virtual and can be scaled up and down quickly, but the purchaser is responsible for maintaining software components.

PaaS – Platform as a Service. The provision by a cloud provider of services on which software can be provisioned, such as servers, storage and networking. Distinct from IaaS as the purchaser is not responsible for maintaining the underlying infrastructure, but is responsible for maintaining software services on the platform.

PSN – Public Services Network. A network for sharing data across government, to which Enfield is connected.

SaaS – Software as a Service. The provision by a cloud provider of software for use. Distinct from IaaS and PaaS as the purchaser does not have access to, or need to maintain, the underlying infrastructure or software.

SPF – Security Policy Framework. The overall governance of an area, setting the conditions for use, risk posture and scope.

The table below gives an analogy to aid understanding of the infrastructure as a service provisions and the differences.

Provision You manage Managed by vendor
Traditional IT
  • Applications
  • Data
  • Runtime
  • Middleware
  • O/S
  • Virtualisation
  • Servers
  • Storage
  • Networking
  • None
Infrastructure as a service
  • Applications
  • Data
  • Runtime
  • Middleware
  • O/S
  • O/S
  • Virtualisation
  • Servers
  • Storage
  • Networking
Software as a service
  • None
  • Applications
  • Data
  • Runtime
  • Middleware
  • O/S
  • Virtualisation
  • Servers
  • Storage
  • Networking
Platform as a service
  • Applications
  • Data
  • Runtime
  • Middleware
  • O/S
  • Virtualisation
  • Servers
  • Storage
  • Networking

References


Policy details

Author – Security Manager
Owner – Information and Data Governance Board
Version – 1.8
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 14.04.2016
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up