Cloud Security Principles – Part 1 – Data in Transit Protection

Posted on 4 August 2017

The National Cyber Security Centre (part of GCHQ) has published a set of 14 cloud security principles that offer a good framework for building and assessing your identity management solution. Over the coming weeks we will look at each of the 14 in a little more detail, starting with the first: data in transit protection.

Principle 1 states that “User data transiting networks should be adequately protected against tampering and eavesdropping.” To meet it, you should be sufficiently confident that data in transit is protected:

  • Between your end user device(s) and the service
  • Internally within the service
  • Between the service and other services (e.g. where APIs are exposed)

This should be achieved by using a mixture of:

  • Network protection – denying your attacker the ability to intercept data
  • Encryption – denying your attacker the ability to read data

How an attack could occur

To compromise data in transit, an attacker would need access to infrastructure over which the data transits. This could take the form of physical access, or logical access if the attacker has compromised software components within the service.

It’s more likely that attackers would access infrastructure between the user and the service, as opposed to infrastructure within the service. However, the impact of an attacker accessing communications internal to the service would likely be significantly greater.

How to achieve data in transit protection

The cloud security principle highlights 5 approaches you can use to achieve this aim:

  1. Private WAN service – using a private (as opposed to a public) circuit will make it much more difficult for an attacker to gain access to your communications.
  2. Legacy SSL and TLS – SSL and TLS versions earlier than TLS 1.2 have known vulnerabilities and should not be relied on.
  3. TLS 1.2 and above – configured to use strong cipher suites and adequate certificate key sizes, with the implementation kept fully patched.
  4. IPsec or TLS VPN gateway – configured to support a strong cryptographic profile
  5. Bonded fibre optic communications – between physically protected locations – like data centres.
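As an added example for approaches 2 and 3 (this is not NCSC's text or code from the vendor behind this post), the script below builds a TLS client configuration that enforces TLS 1.2 or later, forward-secret AEAD cipher suites, certificate verification and hostname checking, and then audits any ssl.SSLContext against that bar. A deliberately legacy-style context is constructed alongside it for contrast. The cipher list and the list of weak algorithm tokens are this example's own assumptions, not values NCSC prescribes; only the Python standard library is used.

```python
"""Audit a TLS client configuration against the "TLS 1.2 or above with strong
cipher suites" bar.  Added example; not NCSC's or the vendor's own code.

Assumptions: Python 3.7+ with OpenSSL 1.1.1 or later; STRONG_CIPHERS and
WEAK_TOKENS are this example's choices, not NCSC-prescribed values.
"""
import socket
import ssl

# Forward-secret (ECDHE/DHE) AEAD suites for TLS 1.2.  TLS 1.3 suites are not
# governed by this string and stay enabled by default.
STRONG_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
])

# Algorithm tokens that should never appear in a negotiable suite name.
WEAK_TOKENS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Approach 3: TLS 1.2+, strong suites, verification and hostname checks."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of setup approach 2 warns about, constructed for contrast:
    TLS 1.0 allowed, every cipher enabled, no certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the bar."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking is off, so any trusted certificate is accepted")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        kea = suite.get("kea") or ""
        desc = suite.get("description") or ""
        if any(tok in name.upper() for tok in WEAK_TOKENS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif kea.startswith("kx-rsa") or "Kx=RSA" in desc:
            # Static RSA key exchange: a leaked server key decrypts past traffic.
            findings.append(f"cipher suite without forward secrecy enabled: {name}")
    return findings


def negotiated(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was actually agreed.
    Needs network access, so it is not exercised offline."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else f'{len(problems)} finding(s)'}")
        for problem in problems[:5]:
            print("  -", problem)
```

Run it as-is to compare the two contexts; call negotiated("example.com") from a host with network access to see the version and suite a real endpoint agrees to under the hardened policy. The same checks apply to a server-side context: lower the minimum version or widen the cipher string and the audit reports it.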

To read more about the Cloud Security Principles – go here

Or, if you would like to talk about your cloud security and how we can help, please contact us.
