Skip to main content

NCSC Cloud Security Principles - CloudM

  • Updated

CloudM Migrate Self-Hosted

Fast, fail-safe, and totally secure 

Download it. Run it. Migrate it. A simple solution for large and complex migrations, CloudM Migrate Self-Hosted has performed over 45 million migrations into the cloud – and counting. With guaranteed data integrity and zero downtime, CloudM Migrate Self-Hosted offers everything you should expect from an enterprise-quality cloud migration facility. What makes us different is our genuine passion for our product, and the expert knowledge and support that comes with it.

Here at CloudM, we take security seriously, as we know how important the safety of your data is during a migration to the cloud. The National Cyber Security Centre (NCSC), an organisation of the UK Government tasked with helping to make the UK the safest place to live and work online, created a list of key Cloud Security Principles (1) for cloud service providers to adhere to. We believe that transparency in security is vital, and so have outlined exactly how CloudM Migrate Self-Hosted meets these principles below.

 

  1. Data in transit protection

User data transiting networks should be adequately protected against tampering and eavesdropping.

All user data passed from CloudM Migrate to the destination platform is performed over HTTPS via TLS using the native API ecosystem.

 

  1. Asset protection and resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

As CloudM Migrate Self-Hosted is a download only application and hosted by the customer, responsibility for the physical security of the infrastructure is held with the customer themselves. No customer data is held in a central location by Cloud Technology Solutions or CloudM.

During the migration process, minimal user data is stored within CloudM Migrate. Where data is stored within either SQL or local file storage encryptions is used: Encrypted SQLite databases (AES128) and Encrypted temporary file storage (AES256) respectively.

 

  1. Separation between users

A malicious or compromised user of the service should not be able to affect the service or data of another.

Each provision of CloudM Migrate Self-Hosted is installed onto either the customer's own infrastructure or Microsoft’s Azure service. Each user account is migrated using separate processing threads.  If the thread is compromised for the user then access is restricted to the individual user account.  

 

  1. Governance framework

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

Guidance, direction, and authority for information security activities are centralised for all Cloud Technology Solutions organisational units. The Management Representative in conjunction with the Senior Management Team are responsible for establishing and maintaining organisation-wide information security policies, standards, guidelines, and procedures.  

The CTS IS working group has been formed, and meets monthly, in order to address any changes to our organisational structure, roles and responsibilities, business strategy and objectives, capabilities and resources, organizational culture, information systems and processes and contractual relationships.

 

  1. Operational security

The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

All changes and updates to CloudM Migrate Self-Hosted are communicated via the product changelog (2). As a download only tool the customer has a responsibility to ensure the latest versions and patches are installed and up to date. Any major changes to the product which will require fundamental changes to infrastructure or operation will be communicated in advance in a timely manner. 

 

  1. Personnel security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

Each member of staff must attend training for and confirm acceptance of CTS Information Security Policy.

The staff onboarding process covers product orientation and security working practices, such as how to respond to security issues.

Access to systems and their associated data is provided on a ‘least privilege’ basis. 

 

  1. Secure development

Services should be designed and developed to identify and mitigate threats to their security. Those which aren’t may be vulnerable to security issues which could compromise your data, cause loss of service or enable other malicious activity.

All software created by CloudM is developed with a security first mindset. All developers have attended formal training focused on the latest secure development methodologies. 

Industry standard processes are implemented to ensure the security of both the software and the overall software development lifecycle.

All development is undertaken following the best practices outlined in the NCSC Secure Development guidelines (3).

 

  1. Supply chain security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

All tools and resources selected to support the development of CTS products are done so after stringent review of their security. 

Key to the development process is the central code repository platform we use to host and manage the codebase for our products. As such the robustness of the security for this tool is paramount. Further details of the secure practices of the platform we utilise can be found on the Atlassian web site (4).

 

  1. Secure user management

Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

CloudM Migrate provides the customer with full access control to the users of the Admin and user interface. Download and installation of the CloudM Migrate software allow the customer to control which infrastructure is used for hosting.  

Access to both source and destination data sources is controlled solely by the customer at each CloudM Migrate configuration option. Allowing for granular controls per migration Project and configuration.

Full documentation on the service configuration for source and destination environments is provided to the customer along with a support service before, during and post-migration.

 

  1. Identity and authentication

All access to service interfaces should be constrained to authenticated and authorised individuals.

All access to the product interface is protected behind the secure login methods described above.

 

  1. External interface protection

All external or less trusted interfaces of the service should be identified and appropriately defended.

No external access to the product is available and measures have been put in place to ensure this. Regular third party penetration testing is conducted on the product to verify this protection is in place. 

 

  1. Secure service administration

Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

As CloudM Migrate Self-Hosted is a download solution hosted by the customer, no administration access is available to any user outside of that organisation.

 

  1. Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

CloudM Migrate Self-Hosted offers a full local audit log functionality to show all user actions taken against that instance included (but not limited to) login behaviour, configuration changes and process start/stop.

 

  1. Secure use of the service

The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

Supporting documentation is available in the product knowledge base (5) on the recommended practices for installation and configuration. Misconfiguration of the tool can lead to both inefficient behaviour and unexpected results. 

 

(1) https://www.ncsc.gov.uk/collection/cloud-security?curPage=/collection/cloud-security/implementing-the-cloud-security-principles

(2) https://support.cloudm.co/hc/en-us/articles/360008399600

(3) https://www.ncsc.gov.uk/collection/developers-collection

(4) https://www.atlassian.com/trust/security/security-practices#architecture

(5) https://support.cloudm.co/hc/en-us

 

Confidentiality

Our success in the marketplace is directly linked to the knowledge that we have of industry best practice and the continual innovation and creativity that we apply to our business.  In preparing this document, we have endeavoured to present evidence of this to further our business relationship and to offer value.

This document contains confidential information that is proprietary to Cloud Technology Solutions Limited, (hereafter referred to as CTS).  No part of its contents may be used, copied, disclosed or conveyed to any party in any manner whatsoever without prior written consent from CTS.  

Accordingly, we ask that our intellectual property be respected. Please consider the contents of this and all other documents submitted by CTS to be confidential.

All trademarks and registered trademarks contained in this report are the property of their respective owners.

Whilst every care has been taken to ensure that the contents of this document are correct and realistic, the recommendations for equipment, programs and services are based on the information we have been given, our own observations and our experience. We believe that these recommendations are sound, but the degree of success with which equipment, software and other services can be applied to data processing and meeting your requirements, as set out in this document, are dependent upon many factors not under our control. Our recommendations for equipment, software and services together with estimates of performance and results must not be regarded as express or implied warranties.

Any Contracts in respect of third-party equipment, programs and services and CTS application programs mentioned in this document shall be subject to the terms or conditions of the standard applicable agreement. Any information, prices, terms and conditions given in this document may be amended or withdrawn at any time.

All business is subject to CTS’ standard Terms and Conditions unless otherwise agreed in writing. This document is confidential and must not be disclosed to any third party without prior written permission by the company.  All prices exclude VAT & OE.

 

© Copyright 2020 Cloud Technology Solutions Limited.  All Rights Reserved

Comments

0 comments

Please sign in to leave a comment.