Cyber Essentials: A SecOps journey to compliance
In April 2018, Cloudreach became Cyber Essentials certified. The scheme is comprised of a minimum set of technical controls across areas of network configuration, device hardening, patch and device management, and tooling. The UK government-administered certification is intended to help organisations protect against, "Common online threats."
Cyber Essentials Project Goals
Despite being ISO 27001 certified since 2011 and having strong technical controls and security processes in place, we felt it an important certification to obtain, to further demonstrate the quality/maturity of our security posture. The certification is seen by some within industry as a seal of approval, and is another means of giving assurance of an acceptable level of organisational security.
We also decided to use the Cyber Essentials project as an opportunity for carrying out a number of security improvements we had roadmapped, which is where the primary gains of the project were generated.
Challenges of the certification
Although not particularly strenuous in nature, we did encounter a few challenges in implementing the controls. For example, in adhering to the "Letter of the law," some of the requirements forced us to address some technical controls for areas we had previously not deemed significant risks to the company. These problem areas required creative solutions, to meet both the spirit and letter of the controls, whilst at the same time achieving the levels of technological efficiency and end user satisfaction we strive for.
Similarly, we had to consider our Cloudy culture when implementing the controls and related processes. We’re proud to empower our users as much as possible, whilst maintaining responsibility framework, reasonable auditing abilities, and incident response capabilities. New controls processes therefore had to be evaluated within this framework, to ensure we have the security capabilities we require, whilst protecting users’ freedom to encourage innovation.
The project also had its benefits, though. It allowed us to devote the time required to complete the automation of some compliance checking tasks, with enhanced reporting capabilities attached. This broadens the team’s auditing, whilst saving us both significant time and tedium! On top of this, we also created new processes to formalise auditing we already did, enhancing further our frameworks and ensuring those checks were serving their purpose as effectively as possible.
Moreover, we were able to make improvements in our MDM processes. By harmonising our security controls across the different device platforms we support, we were able to create a secure baseline, whilst raising the standards across all platforms simultaneously.
The 'Not-so-Cloudy' Part
A major portion of the project was also selecting and integrating a formal enterprise security monitoring platform into our internal tooling, to centralise our security management. Although this was extremely worthwhile, the lack of a purely agent-based, cloud-native offering to achieve the asset and log management capabilities we required meant that we were forced to acquire and begin supporting Cloudreach’s first on-premise appliances! We sincerely hope this is only a short term solution, though!
Overall, in successfully pursuing the UK Cyber Essentials certification, the Cloudreach security team used the related project to optimise our internal security posture. This included unifying our monitoring capabilities, and the creation and automation of some processes.
It should also be added that compliance does not automatically mean an organisation is "Secure" in its practices. Although certifications such as Cyber Essentials can be useful for smaller organisations to build a framework around technical controls, we will continue to make additional improvements wherever necessary. This helps us ensure our internal security is maximised, and thus potential risks to ourselves and our customers are minimised.
At our recertification time, we will most likely look to obtain the Cyber Essentials Plus. We also see potential for future improvements in the scheme as a whole, and look forward to NCSC developing the programme as it grows in prominence, to make it as worthwhile and valuable a certification as possible to hold.