Compatibility with UK laws and shared responsibility: MoD sets cloud security controls for suppliers

Shortly after a cyberattack allegedly perpetrated by China, the MoD has issued security guidance prohibiting data from being stored where cloud firms could be compelled to provide it to authorities

A month on from being affected by a cyberattack on the systems of one of its tech suppliers, the Ministry of Defence has published a set of “cloud security control requirements” that will apply to all providers in its supply chain.

The department yesterday published a new industry security notice which “outlines the minimum requirements for cloud security controls and the individual responsibilities” of suppliers – including cloud providers that work directly with the MoD, as well as those whose services rely on third-party hosting.

The requirements set out in the notice are intended “to allow for handling of Official – including Official Sensitive – MoD information in cloud services”. This encompasses software-, platform-, and infrastructure-as-a-service environments, the document adds.

The new guidance is necessary, according to the MoD, as “cloud usage continues to grow steadily, both in volume and the type of services being built and hosted in it”.

The notice adds: “Cloud is usually the preferred option when organisations procure new IT services. Use of cloud also has the potential to improve the security of information if the security risks of cloud usage are effectively managed.”

To ensure that these risks are mitigated, all suppliers using cloud services must ensure they are aligned with the Cloud Security Principles set out by the National Cyber Security Centre – and that documentary evidence of such compliance is provided and passed on to the ministry.

The notice makes provisions for MoD data to be stored outside the UK, but stipulates that the “supplier must understand the country (or countries) where the data will be processed, and also the country (or countries) of any customer support service desks, and ensure appropriate controls are in place to protect the data from unauthorised access, specifically… [ensuring] that there are no obligations upon the cloud provider to share or allow access to MoD information in a manner incompatible with UK laws [and] regulations”.

This requirement is likely to be seen as a direct reference to China, where legislation is widely understood to give the government the power to compel private sector companies to hand over data to the state. The recent cyber assault on MoD supplier SSCL – in which data on an estimated 270,000 servicewomen, servicemen and veterans was exposed – was reported to have been orchestrated by Beijing, although ministers did not formally attribute the attack.

EU legislation that came into effect earlier this year also “establishes a mechanism through which public sector bodies can request data from a business where there is an exceptional need”, according to guidance from the European Commission.

The MoD security document says that, if data is stored beyond the borders of the UK, the supplier must ensure that all hosting services comply with UK data-protection law and take heed of guidance on international data transfers issued by the Information Commissioner’s Office.

The notice adds: “Where the legislative position of an international cloud provider’s home country is not equivalent to the UK data and information protection landscape, the defence supplier shall consider whether this rules out doing business with them, or if this can be provided for by way of imposing contractual obligations in lieu of legislative obligations.”

Potential defence suppliers are advised that they may be subjected to “additional enquiries… about how MoD information is stored, processed, transited and accessed, and the measures the supplier has in place to mitigate the risks to MoD information”.

“Responses to these enquiries, or the inability to respond to enquiries, may result in additional measures/controls or changes being imposed in any relevant contracts,” the MoD adds.

Sharing is caring
The security notice goes on to outline the need for defence suppliers to agree a “shared responsibility” model with any cloud services providers in their own supply chain.

“The cloud service model should be taken into account when allocating responsibilities… [which] shall be documented, [and] should include but are not limited to the following: application configuration; identity and access controls including enforcement of least privilege, authentication and who will manage encryption keys; application data storage; application; operating system; network flow controls; host infrastructure; [and] physical security.”

The MoD’s requirements also include a demand that cloud services undergo “a regular assurance process to ensure ongoing management of security risks and to check that all relevant parties [are] performing their responsibilities”. These checks should take place “whenever a significant change is made” to services and, even in the absence of any such changes, must be conducted at least once a year.

Suppliers must obtain commitments from their cloud providers to be notified of any “security incidents”, while the ministry must be informed of “any intended, planned or actual change in control of their cloud provider – such as change in ownership”.

The notice says that it will remain in effect until it is “superseded or withdrawn”.

The document adds: “All information systems and services shall be managed throughout their lifecycle, including prompt updating and patching, and adoption of the latest good practice configuration in accordance with NCSC guidance… and vendor direction.”

Sam Trendall
