{"id":478,"date":"2018-11-19T16:45:04","date_gmt":"2018-11-19T16:45:04","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unseenit\/?p=478"},"modified":"2018-11-19T16:45:04","modified_gmt":"2018-11-19T16:45:04","slug":"cyber-essentials-and-cloud-computing","status":"publish","type":"post","link":"https:\/\/blogs.kent.ac.uk\/unseenit\/cyber-essentials-and-cloud-computing\/","title":{"rendered":"Cyber Essentials and Cloud Computing"},"content":{"rendered":"<p class=\"lead\">Cloud services are readily available, but not all of them can be in scope for Cyber Essentials. Here\u2019s a (very) brief explanation of why &#8211; and why that matters:<\/p>\n<p>Cyber Essentials (CE) is a \u201cGovernment-backed, industry-supported scheme to help organisations protect themselves against common online threats.\u201d[1]<br \/>\nIt provides independent verification that an organisation applies and manages a basic set of security controls. Gaining CE for our own internal infrastructure is therefore straightforward.\u00a0When it comes to Cloud services, however, it\u2019s not quite so simple.<\/p>\n<p>The 3 main types of Cloud are:<\/p>\n<ul>\n<li>SaaS &#8211; Software as a Service<\/li>\n<li>PaaS &#8211; Platform as a Service<\/li>\n<li>IaaS &#8211; Infrastructure as a Service<\/li>\n<\/ul>\n<p>Other flavours are available, but for the purposes of this article we will concentrate on the above.<\/p>\n<p><strong>SaaS<\/strong> is packaged software that you connect to, and it looks the same for every single customer. You don&#8217;t get to control updates, or when upgrades happen. You get some level of customisation (e.g. branding), but the entire stack is taken care of by a third party.<br \/>\n<strong>PaaS<\/strong> is the next layer down the cloud stack, offering platforms upon which apps and services can be built. Very few, if any, business people will interact with a PaaS, as it is primarily geared toward developers and operations professionals.<br \/>\n<strong>IaaS<\/strong> is the lowest level in the stack. This is where pre-configured hardware is provided via a virtualised interface or hypervisor. No high-level infrastructure software, such as an operating system, is provided; this must be supplied by the buyer and embedded with their own virtual applications.<\/p>\n<p>&#8220;How does this relate to Cyber Essentials?&#8221; I hear you ask. CE is based on the organisation (i.e. Kent) applying and managing the 5 control sets required to meet the standard \u2013 and only with IaaS can we do that, and provide the required assurance.<br \/>\nHowever, with PaaS and SaaS we do not manage the controls (the service provider does), so they fall out of scope. This does not mean that we cannot use the technologies, but we must exercise caution over what we place in the different types of cloud.<\/p>\n<p>And so we come to the Million Dollar Question\u00a0&#8211; &#8220;Does it really matter?&#8221; Well, actually it does. Any contract \/ grant \/ data sharing agreement etc. that specifies Cyber Essentials as a requirement must have all data storage and processing carried out in the environment certified by CE. For Kent, that means anything within our own infrastructure, or any IaaS cloud that we may include in scope in the future.<br \/>\nIf we put that data into a PaaS or SaaS cloud, we are in breach of contract and may be penalised accordingly.<br \/>\nWith the growing trend towards Cloud services, and particularly PaaS and SaaS, Cyber Essentials will undoubtedly evolve to include these within scope. Until then, we need to be careful about what we place into the different types of cloud.<\/p>\n<p>[1] <a href=\"https:\/\/www.gov.uk\/government\/publications\/cyber-essentials-scheme-overview\" target=\"_blank\" rel=\"noopener\">https:\/\/www.gov.uk\/government\/publications\/cyber-essentials-scheme-overview<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloud services are readily available, but not all of them can be in scope for Cyber Essentials. Here\u2019s a (very) brief explanation of why &#8211; &hellip; <a href=\"https:\/\/blogs.kent.ac.uk\/unseenit\/cyber-essentials-and-cloud-computing\/\">Read&nbsp;more<\/a><\/p>\n","protected":false},"author":56413,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[17613,197215,197218],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/478"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/users\/56413"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/comments?post=478"}],"version-history":[{"count":11,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/478\/revisions"}],"predecessor-version":[{"id":489,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/478\/revisions\/489"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media?parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/categories?post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/tags?post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}