Is your businesses looking to move to the cloud but worried about its safety?
We think you are right to be cautious but there can be many factors in place to keep your business secure.
Cloud-native applications are the technology being the most heavily invested in but cyber-attacks and disruptive events are affecting 82% of organisations according to Dell Technologies (see their Global Data Protection Index 2020 Snapshot ).
Despite that cloud computing is now considered the new normal. With the pandemic validating the cloud’s value proposition, Gartner says spending is forecast to grow by 18% this year.
With that in mind, it’s crucial you invest in a system that you are confident is secure enough to handle your data.
Cloud Security Principles
The National Cyber Security Centre (NCSC) provides detailed guidance on how to configure, deploy and use cloud services securely in their Cloud Security Principles.
Here’s how IT Naturally follow, comply and adhere to all these principles to ensure the maximum safety levels are met and what we would recommend you follow too:
- Data in transit protectionIT Naturally is an entirely cloud based IT managed service provider with no dedicated internal network. Whilst data is transmitted via home or office-based internet circuits, all employee devices use encryption of data at rest. We use an email validation system at domain level to protect against exploitation and ensure the legitimacy of all sent messages. We use Microsoft Office 365 for email, file storage, conferencing, and internal communications. There are restrictions on the external sharing of documents, with security auditing undertaken weekly to ensure security best practices are enforced. To access customer systems, we utilise secure IPsec VPN tunnels with multi-factor authentication.
- Asset protection and resilience We utilise and manage Microsoft O365 tenants located in Microsoft EU Data Centres, which again enforce encryption of data at rest and data in transit. We comply with the UK GDPR legislation and use data sanitisation and equipment disposal processes. As a cloud-based organisation, we pride ourselves on our ability to offer service resilience through a physically dispersed workforce.
- Separation between users We only grant access rights following principles of least privilege – users only have the rights and permissions required to do their job and, on a need-to-know basis – these users only have access to data they need to do their job. All our employees sign a confidentiality agreement when handling customer data.
- Governance framework Our Chief Information Security Officer (CISO) is responsible for internal security compliance and cloud services. IT Naturally has been awarded 3 certifications which shows how tightly we follow a security governance framework, ISO 9001:2015, ISO 27001:2013 and Cyber Essentials. You can read more about our seal of approval here.
- Operational security We maintain an information asset register and enforce security standards on employee devices to address any potential vulnerabilities. Weekly, monthly, and quarterly security compliance audits are carried out (on our own and our customers O365 tenants) to ensure any risks are mitigated. All changes to internal and customer systems are reviewed and approved by our IT Security Team.
- Personnel security All of our staff undertake security awareness training yearly so that they have an up-to-date awareness of cybersecurity and IT Security best practices. Completion of this training is tracked alongside agreement to our End User Device Security Policy. We use memorandums of understanding (MOU) and non-disclosure agreements (NDAs) when necessary.
- Secure development Our IT Security Team carry out daily monitoring of customer systems and security incident investigations. A fundamental part of this is the recommendations and guidance on the mitigation of current and future cyber threats. This runs hand in hand with applying security best practices, including the security sign-off on a new project solution. Our leadership team also carry out a management review quarterly of our procedures, policies, and operations. This ensures continuous improvement and reflects any changes in regulations to ensure appropriate security measures are in place.
- Supply chain security We maintain a record of all approved third-party suppliers to ensure we do not allow any of them to bypass our information security controls. IT Naturally only provide levels of access to third-party suppliers which is appropriate and necessary to conduct their duty. We ensure all hardware and software used in our services is genuine and has not been tampered with.
- Secure user management You must ensure all the information you own and manage is secured with proper role-based access controls to protect against breaches of confidentiality, integrity and unavailability of information. We maintain records of standard and elevated administrative access to all internal and customer systems, which is audited by the IT Security Team. Multi-factor authentication is used wherever possible and elevated access is also restricted to a defined period following activation.
- Identity and authenticationAny security and/or operational risks through identity and authentication controls are recorded within our risk register and addressed as a priority. The responsibility of user administration for each system is assigned to someone and reviewed on a regular basis. Anyone accessing our information is aware of their security responsibilities. IT Naturally provide federated access to customers to allow governance of all users within a single identity. Two-factor authentication is used for all system access (when available) and is conducted over secure channels with older protocols disabled.
- External interface protection On subscription to a new cloud service, IT Naturally identifies and documents external interfaces, acknowledging the levels of access available to data. Risk mitigation comes from implementing connections from community and private networks. As access to cloud services from any internet connected device offers the most risk, where possible, additional levels of security are implemented. For instance, managed firewalls can be configured to limit the incoming connections by IP address and port. With Increased protection measures for administration interfaces, we impose measures to limit the geographical locations from which a member of staff can access cloud services.
- Secure service administration When enlisting with a cloud provider, adopting the most secure administration model available is essential. Using strong authentication methods and administration roles that can only be activated within the service model are a good example of this. IT Naturally follows an approval process involving data owners and our CISO for the activation of such roles. Admin is restricted to named accounts only, audited by the IT Security Team, and applied on a least privilege basis.
- Audit information for users Prior to taking on additional cloud services, IT Naturally ensure that adequate audit information is supplied by the provider. If the customer needs additional requirements like backup frequency and data retention period, the correct levels of security access for named individuals are formally approved and recorded to permit access. We also ensure the cloud alert notifications are proactively monitored to reduce potential threats of inappropriate activity. IT Naturally undertakes security compliance checks at agreed intervals to analyse access and sharing methods to identify the possibility of misuse.
- Secure use of the service Ensure you are fully aware of the security capabilities before committing to a provider’s service, confirming that your requirements can be fully met by the deployment and service model. Through security awareness training provided to all our employees, we ensure that everyone is aware of specific cloud service security measures. To reduce the risk of compromise further a full list of managed devices connecting to the service is maintained and routinely audited by the IT Security Team.
Cloud Security Is Crucial
While businesses increasingly look to the cloud as a means to expand, modernise and stay competitive. The benefits of cloud computing are numerous, but organisations should not make the switch without first understanding the risks involved and more importantly, how to protect themselves, their staff and their customers. Setting up a secure cloud environment is often complicated and there are many possible ways that it can go wrong without anyone realising. Due to the inherently accessible nature of cloud storage, businesses therefore need to be aware that it doesn’t always take a high level of technical knowledge to breach a misconfigured system.
IT Naturally can implement, manage or audit your cloud security