Beta This is new guidance. Complete our quick 5-question survey to help us improve it.

  1. Service manual
  2. Technology
  3. Securing your cloud environment

Your service team must consider cloud purchases before any other options because of the government’s Cloud First policy.

You can only choose an alternative to the cloud if you can show it’s better value for money in your service assessments.

Meeting the Digital Service Standard

You must maintain cloud security as part of meeting the following points:

You may have to explain how you did this in your service assessments.

Deciding whether to use the cloud

It’s government policy that public cloud is acceptable and encouraged for almost all ‘official’ workloads, even for sensitive data. However, your organisation is taking the risk so you need to actively make the decision.

Follow the National Cyber Security Centre (NCSC) guidance on understanding cloud security to decide if cloud security is secure enough for your needs, for example if you want to know whether to use the cloud for:

  • email
  • SaaS tools for ticketing or work management
  • document storage
  • hosting personal data for a digital service

Make sure you understand:

  • your business requirements
  • the information you want to store
  • the risks
  • whether the cloud provider can provide you with assurance

Use a shared responsibility model

To maintain a secure cloud environment, you need to understand how you and your provider share responsibility.

You should use a ‘shared responsibility model’ - this is a way of working which means:

  • providers are responsible for maintaining their underlying infrastructure
  • service teams are responsible for selecting the providers as well as maintaining their own virtual servers, applications and systems

Finding a secure cloud provider

You should use the government’s Cloud Security Principles help you as you evaluate cloud providers.

Some cloud providers will meet all of the security principles, while others only a few.

You need to identify which principles are important to your service. If your chosen cloud provider can’t meet a principle, check whether you can meet it with your team’s own engineering effort.

Checking confidentiality and availability

As well as considering your provider’s security, you also need to check their confidentiality and data availability.

Previously, many providers used mechanisms to maintain data confidentiality but this often involved a tradeoff with data availability.

For example, single physical devices like firewalls and virtual private network (VPN) concentrators were expensive and difficult to manage or scale.

Current cloud environments can give you functionality that provides data confidentiality safeguards as well as high data availability.

Auditing the cloud environment

The best cloud productivity tools let you access logs of activity, like who has copied which documents, who has shared what with whom, and so on.

This means you can:

  • get useful data about what’s happening in a way that’s not intrusive to your users
  • monitor any unusual activity that may be a sign of insecure practices
  • keep track of your provider’s cloud environment and the access staff have to your data
  • see what your provider is doing (for example moving your data centre)
  • keep track of your use of the cloud, for example any changes your administrators make or who has access to data

Of course not all cloud tools provide all of this functionality. You should decide which features you need and which you can implement yourself or find workarounds for.

You may also find these guides useful:

Published by:
Technology community (technical architecture)
Last update:

Guidance first published