Cyber Essentials and Cloud Computing

Cloud services are readily available, but not all of them can be in scope for Cyber Essentials. Here’s a (very) brief explanation of why – and why that matters:

Cyber Essentials (CE) is a “Government-backed, industry-supported scheme to help organisations protect themselves against common online threats.”[1]
It provides independent verification that an organisation applies and manages a basic set of security controls. Gaining CE for our own internal infrastructure is therefore relatively straightforward, because we apply and manage those controls ourselves. When it comes to cloud services, however, it is not quite so simple.

The three main cloud service models are:

  • SaaS – Software as a Service
  • PaaS – Platform as a Service
  • IaaS – Infrastructure as a Service

Other flavours are available, but for the purposes of this article we will concentrate on the above.

SaaS is packaged software that you connect to over the network, and it is essentially the same product for every customer. You do not control when updates or upgrades happen. You get some level of customisation (e.g. branding), but the entire stack, from the hardware up to the application itself, is run by a third party.
PaaS is the next layer down the cloud stack, offering a managed platform (runtime, database, middleware and so on) upon which applications and services can be built. Very few, if any, business users will interact with a PaaS directly, as it is primarily aimed at developers and operations staff.
IaaS is the lowest level in the stack. Here the provider supplies compute, storage and networking via a virtualised interface or hypervisor. The provider looks after the physical hardware and the hypervisor, but the operating system and everything above it (patching, configuration, access control, anti-malware and the applications themselves) are the customer's responsibility.

“How does this relate to Cyber Essentials?” I hear you ask. CE is based on the organisation (i.e. Kent) applying and managing the five controls required by the standard: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management. Only with IaaS do we retain enough control over the operating system and software stack to apply those controls ourselves and provide the required assurance.
With PaaS and SaaS, by contrast, the service provider manages most of those controls rather than us, so those services fall outside the scope of our certification. This does not mean that we cannot use the technologies, but we must exercise caution over what we place in the different types of cloud.

And so we come to the Million Dollar Question: “Does it really matter?”. Well, actually it does. Any contract, grant or data-sharing agreement that specifies Cyber Essentials as a requirement must have all of its data storage and processing carried out within the environment covered by our CE certification. For Kent that means anything within our own infrastructure, or any IaaS cloud that we may bring into scope in the future.
If we put that data into a PaaS or SaaS cloud instead, we are in breach of that contract and may be penalised accordingly.
With the growing trend towards cloud services, and particularly PaaS and SaaS, Cyber Essentials will undoubtedly evolve to bring these within scope. Until then we need to be careful about what we place into the different types of cloud.

[1] https://www.gov.uk/government/publications/cyber-essentials-scheme-overview