The NCSC cloud security principles and secure by default

We’ve heard it all before. 

Moving to the cloud can bring businesses untold benefits, from reduced costs to greater flexibility, yet many organisations are still reluctant to use it because of security concerns. The perception persists that moving to the cloud carries, in many cases, more risk than an organisation is prepared to take on. That perception puts businesses and public sector organisations off, which in turn can reduce cloud adoption.

Why do these concerns and questions around the security of the cloud exist, and what can we do to help build trust in the security of the cloud?

Cloud Security Principles

The key is transparency. Companies can alleviate their customers’ concerns by being transparent about the security credentials of their products and services. To help achieve this transparency, the National Cyber Security Centre (NCSC) published a framework of 14 Cloud Security Principles, which include important considerations such as data in transit protection, supply chain security, identity and authentication, and secure use of the service.

The aim of the Principles is to enable cloud companies to show how solutions built on their platforms adhere to them. Some providers self-assess against the Principles, showing how they abide by a number of them, if not all, whilst others have used them to publish whitepapers and thought leadership reports highlighting the security credentials of their products and services.


One of the main issues around the Principles, however, is that of awareness and understanding amongst customers. Providers can be as transparent as possible by using the Principles; however, if the end-user is not aware of them, or finds them opaque and difficult to understand, their usefulness is limited.

That is why education and awareness must go hand in hand with transparency. The simple fact is that the majority of cyber security breaches affecting the cloud are due to user error and misconfiguration, from poor authentication practices like weak passwords to not implementing two-factor authentication. Vendors can do more to educate end-users about the security protocols behind the tools that they are using but, ultimately, we need to move to a world where the onus is not on the user.

Secure by Default

That is why the NCSC are so keen for the Principles to be used in conjunction with secure-by-default, enterprise-ready cloud services whose configurations are easy for people to understand. For example, end-users should not have to explicitly turn on audit and monitoring services when buying products. The problem, however, is that whilst vendors can provide a secure by default service, they cannot control what their customers do. That is why the work of the NCSC, and the Principles, are so important.

By adopting this secure by default posture, companies can help contribute to a future where the demand for secure “serverless” products increases, more organisations begin using cloud services securely and data breaches become less common.





To read more from techUK's Cloud Week, visit our landing page

  • Sue Daley

    Associate Director, Technology & Innovation
    T 020 7331 2055
  • Katherine Mayes

    Programme Manager | Cloud, Data, Analytics and AI
    T 020 7331 2019
