How Nine23 meets the 14 Cloud Security Principles

The 14 Cloud Security Principles published by the NCSC (National Cyber Security Centre) are designed to guide cloud service providers on how to configure, deploy and use cloud services securely while protecting their customers. The 14 principles have also been made to align with ISO 27001, an auditable, internationally recognised cloud security accreditation.

At Nine23 we want our current and future clients to recognise how we meet the 14 Cloud Security Principles so they are confident we are secure enough to handle their data.

1. Data in Transit Protection

Consumer data transitioning networks should be adequately protected against tampering and eavesdropping via combination of
network protection and encryption.

“At Nine23 we provide an integrated IPSec VPN solution which aims to be invisable during normal operation.”

3. Seperation Between Consumers

Separation should exist between consumers of the service to prevent one malicious or compromised consumer from affecting the
service or data of another.

“At Nine23 we operate on either Private, Hybrid or Community platforms. Each client has its own instance which are isolated from one another. We use a CHECK registered company to regularly test the solutions. The time frame for regular testing is defined and agreed with the client and published in the RMADs.”

5. Operational Security

The service provider should have processes and procedures in place to ensure the operational security of the service.

“Our ISO27001 framework is modelled on the concept of ‘continuous improvement’ and contains a comprehensive set of policies and procedures to effectively manage security. Our compliance ensures we have documented processes for incident reporting, management, configuration and change management.”

7. Secure Development

Services should be designed and developed to identify and mitigate threats to their security.

“The Nine23 platform is designed and developed in-line with software industry best practise. Each update release is comprehensively
tested using a mixture of automated and manual tests until it meets our standards. New and evolving threats are regularly reviewed
and appropriate actions taken. Lastly, configuration management is used to ensure the integrity of the service through development, testing and deployment.”

9. Secure Consumer Management

Consumers should be provided with the tools required to help them securely manage their service.

“Depending on which services have been purchased, customers may be given access to our cloud platform user interface, email service
ticket desk or our service desk where support requests can be logged. Named user accounts are set up prior to any customer service
being made live with secure information being exchanged out of band. Access to the secure cloud management portal is only allowed
to Nine23 security cleared admins and is based on role permissions access.”

11. External Interface Protection

All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks
through them.

“Nine23 conducts an annual CHECK IT test to ensure that all interface to the service are secure.”

13. Audit Information Provision to Consumers

Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.

“With each LaaS (Infrastructure as a Service) provided by Nine23 a set of security related audit data is shared with the client for
monitoring purposes.”

Guidelines provided by:

2. Asset Protection and Resilience

Consumer data and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

“At Nine23 we are registered under the UK Data Protection Act, we maintain a strong privacy policy to protect customer data. Our data centres are protected by a robust framework of physical, technical and logical security controls, which ensures data, applications and ICT infrastucture have Official-Sensitive levels of protection and resilience. To minimise interruption, data is backed up and encrypted. We also operate a comprehensive disaster recovery program.”

4. Governance Framework

The service provider should have a security governance framework that coordinates and directs their overall approach to the
management of the service and information with it.

“Nine23 is hosted, managed and supported in the UK. We are also registered under the UK Data Protection Act. We maintain a strong privacy policy to protect customer data. Data within the service remains the property of our customers and we do not use or share it with anyone else.”

6. Personnel Security

The service provider staff should be subject to a personnel security screening and security education for the role.

“All Nine23 staff are security checked and cleared including ID verification, criminality check, right to work, employment and character referencing, credit checks and more.”

8. Supply Chain Security

The service provider should ensure that its supply chain satisfactorily supprts all of the security principles that the service claims to implement.

“We have a detailed set of ISO27001 procedures to ensure that our supply chain is secure and well-managed. These include a comprehensive appraisal of potential suppliers, a regular review of key suppliers to monitor service levels and a contractual requirement on suppliers. Where possible we choose suppliers that are themselves ISO27001 and independently security accredited.”

10. Identity and Authentication

Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals.

“Each user has a unique username and password that must be entered each time they log in. Access is restricted using the following
controls:”
– Password Expiration: Update password every 30 or 90 days
– Memorable Word: Users may only login with username/password in conjunction with correct response of randomly selected characters
from their memorable word
– 2FA (Two Factor Authentication)
– IP Address Restriction: Users may only log-in from a pre-registered IP address

12. Secure Service Administration

The methods used by the service providers administrators to manage the operational service should be designed to mitigate any risk of
exploitation that could undermine the security of the service.

“The service is managed by Nine23 staff via dedicated servers that have been separated via external and internal network control access that facilitates onward access to isolated control domain access. Management control access is made via the secure IPsec VPN, which is secured via PKI with an additional MFA access to dedicated Jump servers that only allow access to a dedicated part of the tenants environment control. All administration host management is via dedicated assists of Nine23 and has been hardened in accordance with NCSC guidance.”

14. Secure Use of the Service by the Consumer

Consumers have certain responsibilities when using a cloud service order for this use to remain secure and for their data to be
adequately protected.

“The client must understand any service configuration options available to them, the security implications of choices they make
and the security requirements on their processes, uses and infrastructure related to the use of the service. The service provider will
expected to reasonably co-operate accordingly to help the client support this principle.”

Leave a comment