In recent years, cloud has gone from being a small part of most companies’ IT strategies to a critical business capability as organisations increasingly take a cloud-centric approach. Remote work, driven by Covid, has led to an explosion of deployed, cloud-based services. One of the advantages of cloud computing is that it has given organisations more choice in the types of technology and services they deploy. However, this proliferation of cloud adoption has made it harder for organisations to understand and assess what good services look like and how to differentiate among suppliers.
Coupled with the growth in the deployment of cloud services, there has been an exponential rise in cyber attacks targeting the cloud. According to the Palo Alto Networks 2022 Cortex Xpanse Attack Surface Threat Report, cloud continues to be a substantial and increasing target. In the data gathered from December 2021 to June 2022, cloud infrastructure issues rose from 80% to 91% of all observed cybersecurity issues. This is not surprising, given the speed at which organisations are deploying cloud services, and this is precisely why cloud service providers need to demonstrate to their customers that they take security seriously in the face of this threat landscape.
Fortunately, the UK National Cyber Security Centre (NCSC) recognised the challenging predicament many face and developed the NCSC Cloud Security Principles to help cloud consumers become better informed and enable them to ask the right questions of their cloud service providers. At Palo Alto Networks, we recently published our conformance statement to the NCSC Cloud Security Principles.
The 14 NCSC Cloud Security Principles help organisations navigate the various challenges from a compliance, conformance and operational perspective, so they can choose cloud service providers in an informed, secure and trustworthy manner. This is key when those services are likely to come from multiple providers hosted on multiple cloud environments. Leveraging these principles can result in a more effective service with lower overall costs, including decreased risk and security exposure.
The Cloud Security Principles can be grouped into five overarching themes, set out as follows:
- Standards & Protocols – Principles 1-3 identify the key characteristics to ensure the service provides the necessary level of protection and separation for the users and their data.
- Fit for Purpose – Principles 4-6 set out how the provider should have a transparent and trustworthy approach to ensuring the service is, and remains, safe and fit for purpose in the future.
- Supply Chain Trust – Principles 7 and 8 focus on the need for provenance of the service.
- Secure in Operation – Principles 9-13 focus on the need for the service to remain secure in operation and for the consumer to achieve the correct level of access, visibility and granularity of control required to manage the risks.
- Secure by Design – Principle 14 focuses on the need for the service provider (the expert on that service) to help the consumer maintain a secure service.
At Palo Alto Networks, our most important responsibility is helping to ensure the security of our customers. To demonstrate this commitment to security, as well as transparency, the Palo Alto Networks conformance statement to the NCSC Cloud Security Principles illustrates our compliance and the transparency of our alignment with all of the principles.
Our approach to the NCSC Principles is indicative of the position we have taken generally and internally with our Trust 360 Program, where we have established a “trust but verify” model for our security controls. This global approach to transparent security allows our customers to continually evaluate our program and understand all of the security, compliance and privacy controls that are in place to protect our customers’ most sensitive data.