At Arcus we build many of our services and solutions using the AWS platform – widely regarded as the most secure cloud service available today. This is backed up by the breadth of security accreditations they have achieved including ISO27001, ISO27018 and Cyber Essentials Plus (further details can be found at https://aws.amazon.com/compliance/).
As an AWS Managed Services Provider (MSP), security is a key area of focus for us and something our customers expect. The National Cyber Security Centre (NCSC) has created a set of 14 cloud security principles that public sector organisations should be aware of, and adhere to, when selecting cloud services and solutions/service providers. This blog explores how those principles are met.
AWS have provided a comprehensive set of responses to how their platform can be used to ensure adherence to these cloud security principles (see their whitepaper and presentation), but what about suppliers?
Arcus provides its customers with a level of service that helps them achieve their security goals and alignment with these 14 principles. At a recent AWS summit talk in London, one of our customers described how we fit into the AWS shared responsibility model and provide them with the additional tools, services and assurances that their systems/applications are secure.
Built into this service is a strong alignment with the NCSC’s 14 cloud security principles:
1. Data in transit
Arcus always secures data in transit between our office and services running within the AWS cloud using a combination of technologies.
Integrity is assured through the mandatory encryption of all connections: HTTPS (SSL/TLS 1.2) for all web interface/API connections, and VPN (SSL/TLS 1.2) with AES256 (minimum) encryption for all management, service and control interfaces.
Confidentiality is guaranteed by deploying all our services with AWS security groups (firewalls) and NACLs to ensure that only authorised (Arcus controlled) IP addresses can connect.
2. Asset protection and resilience
Arcus Global’s end user assets e.g. laptops, smartphones, tablets etc. are protected by technical controls e.g. encryption and policy based controls to ensure protection. All data is continuously backed up via secure cloud based services to minimise risk of loss.
Arcus is physically based in a single office located in Cambridge and does not normally store or process consumer data within the office location. Customer data is usually stored, processed and managed in the AWS cloud – with customers choosing their required geographical location e.g. UK (London) or EEA. Arcus ensures that data remains within the geographical region required by a customer.
Arcus protects all physical device storage e.g. laptops, external disks using strong encryption (AES256). Customer data stored in the AWS cloud is protected at rest by layers of data encryption (minimum AES256), typically using the AWS KMS service, that controls access to both the encrypted data volumes and key storage/management.
Arcus operates a policy (under ISO27001) to securely erase data storage devices when they are no longer in use or required. Any devices that are removed from service are also securely destroyed by being put ‘beyond use’. For customer data stored in the cloud, AWS provide additional secure data sanitisation and destruction processes.
Arcus maintains a secure equipment disposal policy (as part of our ISO27001 accreditation) to ensure that any customer credentials, data and/or configuration information is identified and removed.
Arcus operates a business continuity and disaster recovery plan (as required by ISO27001) in order to mitigate potential risks in service delivery. We use cloud service providers (with appropriate levels of high availability) to minimise single points of failure e.g. physical office location. Services supplied to consumers are built, on cloud platforms, to a level of resilience and availability to meet our customers’ business needs.
3. Separation between consumers
Arcus implements AWS solutions for consumers in logically separate accounts. This ensures each customer is ring-fenced from the others at the service delivery, design, interaction and billing layers i.e. each customer account has no direct interaction with any other. Our chosen cloud service provider partner AWS implements technical controls on their service to ensure the separation of customers’ resources within their multi-tenant cloud platform.
4. Governance framework
Arcus Global has a certified ISO27001:2013 Information Security Management System (ISMS). The ISMS has been in operation since 2012 (originally ISO27001:2005) and is regularly audited in line with the standard. Arcus selects its cloud service partners according to a number of criteria including adherence to internationally recognised information management standards. AWS hold ISO27001:2013, as well as other important information security standards e.g. Cyber Essentials Plus, ISO27017, ISO27018.
5. Operational security
Arcus has invested heavily in the development of its own CMaaS monitoring and reporting solution, which provides operational security for the platform. We work with our customers to agree a simple and flexible security incident management process. Our incident response process provides the ability both to rapidly escalate issues and to take pre-emptive responses where required in order to secure the solutions we operate on our clients’ behalf. The CMaaS secure reporting portal allows customers to review and analyse live and historical data about their AWS infrastructure.
Arcus undertakes configuration and change management via several integrated routes:
- Weekly CAB (Change Advisory Board) meeting
- CMaaS monitoring services
- AWS specific tools e.g. CloudTrail, CloudWatch, Config
All changes are peer reviewed at CAB (and with customers if they require it), before being implemented either directly by our service team or in collaboration with our customer. Our flexible approach makes it easy to integrate customers’ processes into ours for a ‘joined up’ service delivery model.
Arcus monitors a wide range of sources (including vendor websites, security bulletins, official vulnerability lists) to identify threats and vulnerabilities to our customers’ cloud infrastructure.
We combine this information into our patch management strategy in order to inform our customers of new threats and vulnerabilities and outline remediation plans/timescales.
We can engage with customers’ policies and procedures to ensure that risks and vulnerabilities are appropriately mitigated. This can, if required, include facilitation of penetration test requests with AWS. AWS also performs routine vulnerability and penetration tests to ensure their systems are secure.
Arcus has implemented a robust protective monitoring system platform that we refer to as CMaaS. The key inputs of CMaaS are:
- Cloud infrastructure monitors e.g. CloudWatch, CloudTrail
- System level information e.g. CPU, Memory, Network
- System Logs e.g. syslog
- System integrity checks/HIDS
- Anti-malware events
- Application events/logs
These feed into the event correlation management platform (ECM), which provides configurable, rules-based analysis of these events. Correlated events can automatically create tickets on our service desk and on customer service desks.
Arcus maintains a library of standard incident and response processes which are supported by our cloud based incident management platform.
Our incident management processes are ITIL v3 based and detail our responses to a wide range of incidents including:
- Service incidents
- Incident escalation
- Security Incidents
6. Personnel security
We will only use SC cleared staff to deliver our services to our customers, providing you with a high level of confidence in the trustworthiness of our team.
7. Secure development
Our development processes are covered within our ISO27001 scope. When developing changes to existing solutions or new solutions, we frequently review how these changes will affect the overall security of the solution, developing new technical and compensating controls alongside new elements of functionality. Within the development process we work closely with our customers and present design options with the implications and risks of these options articulated, to ensure we are developing in line with the risk appetite of our customers and are able to continue to meet the needs of their internal review processes.
8. Supply chain security
Arcus has implemented a third party supplier management approach as part of the ISO27001 ISMS in place within the organisation. This policy includes an evaluation of any external supplier e.g. AWS in their ability to meet security standards e.g. ISO27001, to ensure supply chain security.
9. Secure user management
Arcus provide layered secure access methods (SSL/TLS, VPN, SSH) to management interfaces to protect the management plane from intrusion. All accounts used by Arcus are for named individuals and can be independently de-provisioned.
Arcus works closely with its customers to ensure that only authorised persons are allowed to request access to systems, raise support tickets or perform other functions within the context of customers’ systems. We often hold a list of authorised persons for our customers and refer to it when logging calls and gaining approval for new work.
Where access to the infrastructure is required (console, secure shell etc.) Arcus applies the ‘principle of least privilege’ to minimise any negative impact.
10. Identity and authentication
Arcus manages identity and authentication using customer driven RBAC models to control system console and OS access that utilise:
- IAM tools
- Multi-Factor Authentication (MFA)
- Periodically rotated access keys
- Temporary credentials
- SSH Keys
- Certificate based access
- Usernames and strong passwords
11. External interface protection
Arcus implements ground level security into its cloud infrastructure deployment starting with the secure network perimeter. All data ingress and egress is protected by:
- Instance (host) based firewalls for port-protocol and source/destination IP controls
- Network Access Control Lists (NACLs)
- Secure SSL/TLS HTTPS endpoints for service access (web, app or API)
- SSL/TLS VPN connections for remote access
12. Secure service administration
Arcus tightly control user access to customers’ consoles, systems and services to ensure that only the required individuals have access. User access is reviewed periodically and strong passwords with multi-factor authentication (MFA) are required for administrative access. All administrative access is restricted to whitelisted IP addresses.
13. Audit information for users
Arcus uses AWS CloudTrail and CloudWatch Logs to provide a full audit log of all actions taken within the AWS console (including API access) and any additional system or application logs. The CMaaS portal provides access to this audit information to our customers. This data can be viewed or visualised in multiple formats and provided as data exports if required for further analysis.
14. Secure use of the service
Arcus works very closely with our customers to help them understand and realise the benefits of the AWS platform. We provide support for the architectures that we build in AWS and can educate our customers on the best and most secure ways to access and manage those architectures.