Meeting the government’s 14 Cloud Security Principles

By Stuart Aston, Chief Security Advisor, Microsoft UK on 02/02/2015

Filed under IT Leader

How to ensure your organisation complies with the government’s 14 Cloud Security Principles

Previously, cloud services could receive pan-government accreditation, which provided useful guidance as to which services complied with the previous Impact Levels and information handling schemes.

Now individual organisations are being asked to make their own determinations about which cloud services are suitable for use in public sector organisations. On the one hand, this offers broader choices. On the other hand, individual organisations now bear the responsibility for determining which products are secure and fit for purpose.

How are you meant to make a decision? The government has outlined 14 requirements that cloud services should meet. These are called the 14 Cloud Security Principles. In inspecting these requirements, we found they pair quite nicely with 4 themes that have long been the backbone of Microsoft’s approach to delivering cloud services for our customers – namely: security, privacy, compliance and protection.

To make it easier for you to evaluate Microsoft’s Office 365, Azure, Dynamics CRM Online and Windows Intune cloud services, we’ve prepared a handy chart. We’ve paired each of the government’s 14 requirements with the ways in which our cloud services aim to satisfy those requirements, colour coded against those 4 themes so that you can see how our technical specifications tie back into our business values.

UK Government Requirements / How Microsoft cloud services stack up
Point 1 Consumer data transiting networks should be adequately protected against tampering and eavesdropping. This should be via a combination of network protection and encryption.
  • All customer-facing servers negotiate a secure session using SSL/TLS with client machines, securing the data in transit.
  • This applies to various protocols such as HTTP(S), POP3, etc. that are used by clients such as Lync, Outlook and Outlook Web App (OWA) on any device.
  • Microsoft supports strong encryption using TLS 1.2 across all workloads. The use of TLS/SSL establishes a highly secure client-to-server connection to help provide data confidentiality and integrity between the desktop and the data centre.
Point 2 Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
  • For government data classified as OFFICIAL, we use datacentres in Dublin and Amsterdam, and provide the additional assurance of complying with EU model clauses in order to meet data protection legislation.
  • Our world-class data centre security is evidenced by our compliance with the ISO 27001 and SSAE 16 information security standards.
  • Customer-authored data is encrypted at rest for all cloud services.
  • When hard disks are taken out of service they are demagnetised and destroyed on site.
  • Microsoft provides a contractually backed SLA of a minimum of 99.9%.
Point 3 Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.
  • We conduct ongoing penetration tests of our environment in line with the dynamic nature of the cloud, ensuring that a customer’s data remains private to them.
  • We also conduct annual independent CREST penetration tests.
  • Residual risks are published in our Risk Management and Accreditation Document Set (RMADS) and Residual Risk statement, available under NDA.
Point 4 The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.
  • We comply with the ISO-27001 information security standard, covering the scope of the service delivered.
  • Microsoft is regularly audited by independent external auditors who are recognized by UKAS.
  • The Statement of Applicability for our ISO controls is available under NDA.
Point 5 The service provider should have processes and procedures in place to ensure the operational security of the service.
  • Configuration, change management, incident response and protective monitoring are all demonstrated in our compliance with the ISO-27001 information security standard.
  • In addition to our ISO-27001 compliance, and our use of independent 3rd party penetration tests, we operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of our Operational Security Assurance (OSA).
Point 6 Service provider staff should be subject to personnel security screening and security education for their role.
  • Customer-authored data can only be accessed by suitably cleared Engineering and Operations support staff.
  • Staff are subject to pre-employment and ongoing background checks for social security; criminal convictions; the Office of Foreign Asset Control list; the Bureau of Industry and Security list; and the Office of Defence Trade Controls debarred list.
  • New hires are also subject to education history and employment history checks.
  • Contractors and others who may have access to customer-authored data are subject to these same checks.
Point 7 Services should be designed and developed to identify and mitigate threats to their security.
  • Windows has a Commercial Product Assurance Build Standard verification. This is the same development practice used throughout Microsoft for all products and services.
  • The Security Development Lifecycle was the precursor to ISO-27034 and is used as the standard development practice for all Microsoft Products and Services.
Point 8 The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.
  • The majority of technologies used in the delivery of Microsoft’s cloud services are developed in-house.
  • Microsoft applies EU Model Clauses to our services. All of our suppliers must sign and abide by our security controls.
  • Our services are certified against the ISO-27001 information security standard.
Point 9 Consumers should be provided with the tools required to help them securely manage their service.
  • Customers maintain direct control over which user accounts can perform authorised administrative functions on the service. This is accomplished by federating the customer’s on-premises Active Directory.
  • The separation and access control within management interfaces is subjected to independent penetration testing.
Point 10 Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.
  • Our services support two-factor authentication.
  • Active Directory Federation Services provides a SAML access mechanism.
  • Username and password policies remain under the customer’s control.
  • Authentication tokens are passed over an encrypted channel.
Point 11 All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
  • Microsoft conducts annual independent CREST penetration tests.
  • Residual risks are published in our Risk Management and Accreditation Document Set (RMADS) and Residual Risk statement, available under NDA.
Point 12 The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.
  • We evidence our service administration model with our ISO-27001 certification.
Point 13 Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.
  • Our services provide enhanced capabilities, allowing customers to audit and delegate end-user access within the service offering. Please review the corresponding service descriptions for details.
Point 14 Consumers have certain responsibilities when using a cloud service in order for their use of it to remain secure, and for their data to be adequately protected.
  • We provide outline guidance as part of a service’s RMADS.
  • Individual devices should be configured in line with CESG’s end user device guidance.

Of course, it goes without saying that each cloud service has its own specifications. The chart above provides a general overview of our compliance with the government requirements. For specific guidance around your needs, please contact one of our cloud experts for a deeper conversation by e-mailing gclouduk@microsoft.com.
