There are many important factors to consider when choosing a cloud provider for your cloud use cases. For organizations in heavily regulated industries, compliance with relevant regulations is one of the most important things to think about. Whether you’re planning for a single cloud workload or a hybrid multi-cloud setup, maintaining compliance for sensitive data in the cloud is imperative.

The 14 Cloud Security Principles published by the UK National Cyber Security Centre (NCSC) provide guidance to organisations in the UK when evaluating cloud providers. This article focuses on the five main principles to consider from a compliance perspective, to help your business choose a suitable cloud vendor.

Principle 1: Protecting Data in Transit

Modern business IT infrastructures are complex, and data regularly moves between different systems across the network. It's critical to protect sensitive data belonging to your customers and employees as it travels between business applications or devices and the cloud. It's equally important that your cloud vendor protects data in transit inside the cloud, such as when data is replicated to a different region for high availability: that traffic crosses links you do not control and must be encrypted just like traffic from your own premises.

Some crucial things to look for when assessing compliance for data in transit are:

  • Your cloud vendor enforces encryption for data in transit by default, rather than offering it as an option, so that third parties cannot read confidential data.
  • Your cloud vendor connects its data centers over private, dedicated links (typically fiber) and still encrypts the traffic carried over them. A private link reduces exposure but does not by itself provide confidentiality or integrity.
  • The vendor uses a current version of TLS (1.2 or 1.3; TLS 1.0 and 1.1 are deprecated) to provide authentication, integrity, and encryption for data in transit, and applies it to internal traffic such as cross-region replication as well as to customer-facing endpoints.
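The third item above is something you can verify rather than take on trust. The following script is an added example (not code from the original article or from any vendor): it builds a client TLS context that refuses anything below TLS 1.2 and requires certificate and hostname validation, then probes an endpoint and reports the negotiated protocol version and cipher. The host name `api.example.com` is a placeholder assumption; replace it with the vendor's API or storage hostname.

```python
"""Verify that a cloud endpoint negotiates a current TLS version.

Added example for this article; not part of the original text or of any
vendor's tooling. Host names used here are placeholders.
"""
import socket
import ssl

# TLS 1.0 and 1.1 were deprecated by RFC 8996; SSLv2/SSLv3 long before.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and insists on
    certificate and hostname validation (authentication + integrity)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces TLS >= 1.2 with full peer validation.
    Useful as a unit-test guard for your own clients' TLS policy."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def classify_version(version: str) -> str:
    """Map a negotiated protocol name (as returned by SSLSocket.version())
    to 'accepted', 'deprecated' or 'unknown'."""
    if version in ACCEPTED_VERSIONS:
        return "accepted"
    if version in DEPRECATED_VERSIONS:
        return "deprecated"
    return "unknown"


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the strict context and report what was negotiated.

    A handshake failure under the strict context means the server could not
    offer TLS >= 1.2 with a certificate that validates for `host`, which is
    itself a finding. Requires network access; run it against the real
    vendor endpoint (the default host name is a placeholder).
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version() or "unknown"
            cipher_name, _, bits = tls.cipher()
            return {
                "host": host,
                "version": version,
                "verdict": classify_version(version),
                "cipher": cipher_name,
                "bits": bits,
            }


if __name__ == "__main__":
    import sys

    # Placeholder endpoint; replace with the vendor's API/storage hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"
    try:
        print(probe_endpoint(target))
    except ssl.SSLError as exc:
        print(f"{target}: handshake refused under strict policy: {exc}")
```

Because the context sets `minimum_version`, a server that only speaks TLS 1.0 or 1.1 fails the handshake instead of silently negotiating down, so a clean run of `probe_endpoint` is evidence that the endpoint meets the "recent TLS" requirement. Run it against each endpoint your workloads actually use, including internal ones such as replication or backup targets where the vendor exposes them.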

Principle 2: Asset Protection and Resilience

This principle states that cloud service providers should protect your company’s data against physical tampering, loss, or damage. In the context of compliance, an important aspect of this principle is the need to know where your data is stored, processed, and managed.

Different regulations have different requirements about where protected data can be stored.