Cloud Security Principles – Part 6 – Personnel Security

Posted on 10 October 2017

In our ongoing series of blog posts looking at the 14 National Cyber Security Centre’s Cloud Security Principles, we will be looking at personnel security.

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

Here, you should be confident that:

  • The level of security screening conducted on their staff with access to your information, or with ability to affect your service, is appropriate.
  • The minimum number of people necessary have access to your information or could affect your service

There are 3 scenarios to consider.

Personnel screening is not being performed

Some organisations may be unwilling or unable to perform personnel screening checks. In this case, unscreened individuals may have the ability to access your information or affect your service.

Personnel screening is being performed but does not conform with BS7858:2012

BS7858:2012 sets out a basic standard for personnel screening. Many multinational companies will perform background checks on staff that encompass the requirements of this standard, though in some countries it is not possible to perform all of the checks.

In these cases it is recommended that you ask the service provider to describe the personnel security screening functions they carry out on staff with access to your data, or the ability to affect user services. You will then need to make a judgement over whether that is sufficient.

Where service providers are unable to verify the identity, check for unspent criminal convictions, and right to work of staff there is an increased risk of insider threat.

Personnel screening is being performed which conforms to BS7858:2012

Whilst personnel screening is valuable, it’s worth noting that it’s extremely difficult to design systems capable of defending data from attack by a privileged user who is both skilled and motivated.

It is likely that service provider personnel with privileged roles will be able to gain access to your data and/or affect the reliability of your service. If possible, you may find it valuable to understand the service provider’s approach to detecting potential malicious insiders and use this information as part of your risk management decision.

To read more about all the Cloud Security Principles – go here

Or, if you would like to talk about your cloud security and how we can help, please contact us.

A few people we've already done it for