Have you checked your cloud security recently? Cyber essentials will.

CATEGORY
BY
Max Kruton
DATE
May 9, 2023
FOR
Security Awareness Pros

Contributed by:

⚡ TL;DR ⚡

WHAT ARE IAMSE AND CYBER ESSENTIALS?

To get us started for those unaware, here is a quick definition of Cyber Essentials and IAMSE:

Cyber Essentials: A government-backed scheme focussing on five crucial technical security controls. It helps reassures customers you are working to secure your IT against cyber attacks. It allows you to understand your cyber security level. Some Government contracts require this certification.

IASME: Cyber Essentials is partnered with the IASME consortium. From April 1st 2020, IASME became the National Cyber Security Centre's sole Cyber Essentials Partner, responsible for the scheme's delivery.

The big benefit: Cyber Essentials certification includes automatic cyber liability insurance for any UK organisation that certifies their whole organisation and has less than £20m annual turnover.

A significant change was made to Cyber Essentials at the start of the year. Any Cyber Essentials Self-Assessment certifications started after January 2022 are now assessed under the brand-new scheme update, known as Evendine.

Currently, many changes will be essential to consider for those undertaking Cyber Essentials. However, we want to draw your attention to the fact that now all cloud services are in scope and are to be fully integrated into the scheme.

PAIN IN THE AAS

Previously, Cyber Essentials only considered IaaS (infrastructure as a service) in scope. However, now that Evendine is in place, SaaS (software as a service) and PaaS (platform as a service) are now included. This means that all scheme controls need to be applied, either by you, the organisation, where possible and if not, by the cloud provider.

The National Cyber Security Centre believes when it comes to cloud services, the applicant is always responsible for ensuring all the controls are implemented. Still, the cloud service provider can implement some of the controls. They consider the three different types of cloud services:

  • Infrastructure as a Service (IaaS) - the cloud provider delivers virtual servers and network equipment configured and managed by the applicant, much like physical equipment would be. Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.
  • Platform as a Service (PaaS) - the cloud provider delivers and manages the underlying infrastructure, and the applicant provides and manages the applications. Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.
  • Software as a Service (SaaS) - the cloud provider delivers applications to the applicant, and the applicant configures the services. The applicant must still take time to ensure the service is configured securely. Examples of SaaS include Microsoft 365, Dropbox, and Gmail.

Further information can be found in NCSC’s Cyber Essentials: Requirements for IT infrastructure v3 document. However, if you don’t fancy reading a 22-page government document, we have you covered for the essential facts you need to know.

NCSC specify requirements under five technical control themes:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management

The language they use is very clear. The responsibility for ensuring these requirements are applied to cloud services rests solely with you, the applicant.

HOW TO MAKE FRIENDS WITH YOUR CLOUD PROVIDER

Now, I'm not saying you would do this, but now is not the time to throw your hands in the air and say it's out of my control. Understandably, some of the themes you cannot control will come down to your cloud provider. However, you need to be extremely careful and check the terms and conditions of your agreement with the said cloud provider. Make sure you can 100% confirm in their privacy statements documentation that the cloud provider is adequately applying those controls to the service.

If in doubt, contact the vendor to gain more information and have them follow up with written confirmation so you can be sure that you are compliant.

To help demonstrate how important it is to work with your cloud provider, here is who would typically be expected to implement each control:

Here are a couple of final points relating to user access control. If a corporate VPN solution connects back to your office location or to a virtual/cloud firewall, then it must be administered by your organisation so that firewall controls can be applied.

Also, this is obviously a good practice normally, but you need to ensure you have implemented MFA where available. Authentication to cloud services must always use MFA. All standard user accounts will need MFA when certifying in 2023. In the meantime, user accounts will need either:

  • 12 character passwords, or
  • 8 character passwords when there is a technical control to deny bad passwords.

Again, make sure you read the entirety of the "Requirements for IT Infrastructure v3” document, as we are only providing snippet advice that we think is relevant.

GO FORTH AND CONQUER

Here are a few tips and tricks to consider while ensuring your cloud services are in scope.

  • Make sure you have a list of all cloud services within your organisation and across all departments.


  • Use the list provided above as a cheat sheet. Print it, stick it on the fridge, or do whatever you need to do to see it daily.


  • Contact the cloud provider directly if you have any questions or are unsure about the information on their website.


  • Ask what certifications they hold, as it may prove helpful in demonstrating certain controls are being met.


  • Confirm that MFA is available on the cloud service for both admin and user accounts.


  • Write everything down and keep it organised.


  • Don't rely on one or two people to get the job done. Cloud security is a team/company effort.


  • Double-check everything through multiple team members before starting Cyber Essentials or Cyber Essentials Plus.