© Crown copyright 2014
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/cloud-security-guidance-introduction/cloud-security-guidance-introduction
Note: This publication is in BETA. Please send any feedback to the address email@example.com.
1. About this guidance
This guidance is divided into the following parts.
- The introduction you are currently reading, which outlines the guidance’s aims, scope, audience and assumptions.
- A summary of the Cloud Security Principles to consider when evaluating cloud services.
- Guidance on how to manage the risks of using cloud services.
- Specific guidance on how each of these principles can be implemented.
- A list of common approaches and recognised standards that can be used to support many of the Cloud Security Principles.
- A Separation Guide: specific guidance explaining separation requirements of cloud services.
- A Consumer Guide for Infrastructure as a Service (IaaS): specific guidance on the measures that consumers of IaaS offerings should consider taking.
2. What is this guidance?
This guidance provides advice to public sector organisations who are considering the security aspects of cloud services. Specifically, this guidance:
- helps you make informed decisions about whether to use cloud services to meet specific business needs.
- advises system designers who are considering using cloud services to build applications.
- advises cloud service providers on how to best present the security properties of their offerings to public sector consumers.
Note that this guidance assumes that the consumer of the cloud service is responsible for (and owns) any risks taken. Where risks are shared (for example where data belonging to a partner is being processed) you should ensure that your risk decisions are acceptable to that partner or community.
3. How to use this guidance
To get the most from this guidance you should:
- Understand the business requirements you are trying to support through using cloud services; this will help inform risk management decisions.
- Consider a range of different services which support your business requirements, using the Cloud Security Principles to help compare the risks and benefits of different choices.
- Choose a cloud service which balances business benefits and security risks at a level that matches your risk appetite. Read the Risk Management Guide to help you do this.
- Continue to monitor and manage the risks associated with your cloud services. Periodically review whether the services still meet your business and security needs.