Skip to the content

NCSC says data sharing in cloud should be ‘off by default’


Centre lays out steps to prevent data breaches when using cloud services

The National Cyber Security Centre (NCSC) has said data sharing should be set to “off by default” to strengthen security in using cloud services.

It has recommended the step as one of a series in advising organisations not to treat cloud as they would an on-premise service in managing their data.

A blogpost the NCSC’s cloud research lead, named only as Andrew A, says this leads to an assumption that, by default, they get the same control over cloud services as they would an on-premise equivalent.

This is mistaken, it argues, as many cloud services are designed to promote collaboration and data sharing while still allowing the organisations to constrain access to others. Old on-premise systems have often been configured for everyone inside the organisation to share data, and applying this to cloud has led to errors such as posting sensitive information on live Trello boards and accidentally checking web service API keys into GitHub.

The blog says that one of the main steps to prevent breaches should be to set data sharing on the systems to ‘off’ by default, and if it is not necessary to make the data public then disable the ability to do so. Only named individuals should be given access to sharing the data.

Other recommendations are:

  • Make it obvious to contributors that they must not submit sensitive data to services, or parts of a service, that have public sharing enabled.
  • Identify an individual or small team as being responsible for the organisation’s use of each cloud service.
  • Reduce the desire for employees to use shadow IT by creating accounts for services that people need or want to use.
  • Avoid sharing secrets such as credentials, API keys and password reset emails in shared services, unless they can only be accessed by specific authenticated users.

“I don’t think that any of these suggestions will be a magical sticking plaster that makes these accidental data leaks just go away,” the writer says. “However, I am hoping that we can make the number significantly smaller.”

Image from iStock

Register For Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.