Cloud security risks and solutions

Guidance

Cloud security protects your data, apps and systems hosted on cloud platforms like Microsoft Azure or Amazon Web Services. It involves controls, policies and processes to prevent unauthorised access, data breaches and service disruptions.

Cloud security risks

Cloud services can be affected by risks such as:

  • hacking and unauthorised access
  • data loss or theft
  • server faults and service outages
  • poor configuration or weak access controls
  • legal and compliance failures

Some risks are managed by the cloud provider, while others are your responsibility as the customer. The exact split depends on the type of cloud service you use:

  • Software as a Service and Platform as a Service models: the provider usually manages most of the underlying security and maintenance.
  • Infrastructure as a Service model: you are usually responsible for more of the security, including configuration, access and patching.

Make sure you know who is responsible for what before you sign up.

Cloud security controls

Many common cyber security measures work in cloud environments too, including:

  • antivirus
  • firewalls and perimeter protection
  • traffic monitoring and reporting
  • spam filtering
  • real-time alerts and analytics

The National Cyber Security Centre (NCSC) offers detailed guidance to help you configure, deploy and use cloud services securely.

Cloud security and data protection

If you process or store sensitive business or personal data in the cloud, check that your provider takes security seriously. Key checks include:

Provider vulnerabilities

Are they following security best practices, patching regularly, and implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?

Technology vulnerabilities

Are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?

Access policies

Have you agreed standards and responsibilities with the provider? Defining roles and responsibilities can help ensure that security is fully covered and prevent potential liabilities in case of cyber incidents.

Access controls

Will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromise of your data by their personnel?

Service level agreements

Can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?

Risk assessment and analysis

Does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential breach?

Legal and regulatory implications

If you're storing or processing personal data in the cloud, you will have to comply with the UK General Data Protection Regulation (UK GDPR).

Read NCSC's guidance on cloud computing and data storage, and managing the risk of cloud-enabled products.