Executive Summary 

 

Centerprise International’s CiCloud endeavours to deliver a high degree of security and privacy for customers across the various aspects of their computing. CiCloud has attained the international auditable standard of ISO 27001 by setting best practices for data privacy, security, and information governance applied to processes, IT systems and people by establishing and maintaining a company-wide Information Security Management System (ISMS).

CiCloud is committed to openness and transparency concerning our security procedures and policies. Legal documentation for each cloud location is available publicly on the CiCloud website. In addition to ISO 27001, the cloud platform is also ISO 27017 and ISO 27018 certified in line with the GDPR. CiCloud applies the highest standards regarding users’ security, data protection, business continuity and payment processing. CiCloud is compliant with GDPR and PCI DSS. Third-party audits are also supported by either the partner or third parties.  

CiCloud certifications held include: ISO 27001, ISO 27017, ISO 27018, ISO 10002, ISO 20000, ISO 45001, ISO 14001, ISO 22301, ISO 50001, ISO 9001, GEANT, EU GDPR, PCI DSS, Cyber Essentials PLUS, JOSCAR.

 

CiCloud Security Features

 

 

 
 
 
 
 
 

A) Physical location and legal jurisdiction 

 

 
 
 
 
 


 

CiCloud is physically located in the UK at two sites, one in Corsham, England the other in Newport, Wales and as such is subject to UK law only. This guarantees customers UK data residency and data sovereignty. 

 

 
 
 
 
 

B) Data centre security 

 
 
 
 


 

As a public cloud operator, CiCloud exclusively runs in Tier 3 and 4 data centres, which offer physical security to the highest standards with multiple layers of physical security, including: 

Monitored and guarded perimeter 

Entry man trap to inner secure perimeter 

Biometric security with man-trap for access to actual data centre 

Locked down cage in data centre 

Locked down rack in cage 

 

CiCloud is hosted within ARK Data Centres and Vantage Data Centres in the UK, which host Crown Hosting Data Centres Limited, a joint venture between the Cabinet Office and Ark Data Centres that delivers increased efficiency, improved value and transparency of data centre hosting utilisation across all of the UK public sector.

 

Designed to enhance the public experience of IT and accelerate new government services to market, the Crown Hosting Data Centres catalogue of simple-to-buy services substantially reduces the operational risk and overall cost of public sector departments and organisations by providing colocation services at a fraction of the cost of other hosting competitors. 

 

The ARK datacentre offers industry-leading multi-level security, including:  

  

  • Extremely robust physical security – 10 layers, including the reception guards, to get access to a customer rack
  • Front reception
  • First-layer security: permission is needed to park and collect an access badge – 1 Layer Security
  • Main Gate
  • A badge needs permission to allow access through into the inner campus fence line (CCTV, anti-climb, hostile topping, all with detection) – 1 Layer Security
  • Building Access: Each building is contained within its own fence, and the security access card is restricted to specific buildings (i.e. P2) – 1 Layer Security
  • Building Reception Access: Front door access to reception (lobby guard) + secure single-person gated access – Meeson Doors into the building (weighed on entrance and exit) – 2 Layers Security
  • Data Hall Access: Secure double door access into the main hall containing the Data Rooms – 2 Layers Security
  • Data Room Access: Again, restricted card access to those Data Rooms where you have racks; all other rooms and aisles are off limits – 2 Layers Security

   

CiCloud is built on HPE Apollo server/storage technology, which features embedded data security to protect your assets and prevent data breaches:

 

  • A 360-degree perspective on security extends from the HPE Apollo 4200 Gen10 Plus System design, through the manufacturing supply chain, and concludes with a safeguarded, end-of-life decommissioning feature that meets the NIST Guidelines for Media Sanitisation.
  • Robust, FIPS 140-2 Level 1 validated protection for your data is provided via the optional Secure Encryption feature for HPE Smart Array storage controllers. Meanwhile, hassle-free system protection is provided by HPE iLO5, its silicon root of trust, and secure boot capabilities. 
  • Silicon Root of Trust is an immutable fingerprint in the iLO silicon. The silicon root of trust validates the lowest level firmware to BIOS and software to ensure a known good state. 
  • Run-Time Firmware Validation validates the iLO and UEFI/BIOS firmware at runtime. Notification and automated recovery are executed on the detection of compromised firmware. 
  • If system corruption has been detected, Server System Restore will automatically alert iLO Amplifier Pack to initiate and manage the system recovery process, avoiding lasting damage to your business by quickly restoring firmware to the factory settings or the last known authenticated safe setting. 

 

Key New Features: 

  • Immutable Silicon Root of Trust for Secure Start with the ability to roll back to known-good firmware automatically. 
  • Common Access Card (CAC) 2-Factor Authentication Support 
  • OpenLDAP Support 
  • Additional iLO Security Modes 
  • Granular Control of All iLO Interfaces 
  • Run-time Firmware Validation to verify the Integrity of iLO and BIOS 
  • With 2x the CPU MHz in iLO 5, Virtual Media performance is twice as fast vs iLO 4. 
  • Open IPMI Mode for Increased Interoperability with Industry IPMI Tools 

 

Silicon Root of Trust: 

  • Anchoring the root of trust into the silicon 
  • Only HPE offers industry-standard servers with major firmware anchored into the silicon. 
  • Provides impenetrable protection through the entire supply chain: Manufacturing, distribution, shipping, configuration, and installation 
  • Millions of lines of firmware code run before the server operating system boots. 

 

FW Runtime Validation: 

  • Checks the firmware every 24 hours, verifying the validity and credibility of UEFI, CPLD, iLO, IE, and ME.
  • Valid and secure firmware copy stored in a lockbox. 
  • Firmware on other HPE options, like drives and NICs can also be checked. 
  • Alert of compromised code through iLO audit logs 

 

Secure Recovery: 

  • Recovering firmware to a known good state after detection of compromised code 
  • Options to recover to factory settings or last known good or not recovering at all, taking the server offline 
  • Ability to recover other server settings, with future ability to recover the operating system 

 

Commercial National Security Algorithms: 

  • The highest level of security not offered by any other industry server providers 
  • Typically used for handling the most confidential and secret information 
  • Uses the highest level of cryptography in the industry 
  • No increase in server latency 

 

 
 
 
 
 

C) CiCloud WebApp/API 

 
 
 
 


 

CiCloud provides two primary interfaces, which allow customers to control and manage their cloud infrastructure securely. These two interfaces include the public web provisioning portal and the public API. Furthermore, we offer a wide range of ‘wrappers’ that allow compatibility with other mainstream IaaS APIs. We offer a ‘full control’ API, meaning all account functions are available via the API and can thus be fully automated. The WebApp interface uses technologies such as WebSockets to provide a live environment that automatically pushes infrastructure status changes to customers. Our WebApp offers full management capabilities at the infrastructure layer and VNC access to cloud servers. Additionally, we have 100% coverage of all features via our API, allowing full automation of any functionality that customers require. CiCloud offers optional and add-on managed services across its cloud locations that handle the optimisation, enhanced security and monitoring of the tenants’ virtual machines. 

 
 
 
 
 

D) Root Access & Operating System Security 

 
 
 
 


 

Customers retain full, sole access to their data at the file system level, and our system handles all customer data automatically. CiCloud does not have access to VMs or drives. This includes activities such as drive deletion and scheduled deletion (for deprecated accounts). CiCloud makes no copies of client drive data, and therefore, the sole copy resides in our cloud unless the customer chooses to clone the drive to another storage system or location. Via the drives marketplace, preinstalled systems of many operating systems are provided. These operating systems are patched regularly to address security vulnerabilities, enabling end users to deploy secure virus and vulnerability-free operating systems for their VMs on the first boot.

 
 
 
 
 

E) Patching Service 

 
 
 
 


 

Software upgrades and system patches at both the operating system and application layer are achieved without service disruption due to the redundant and clustered architecture of the solution. System patching, including security updates, is subject to our security and change management procedures covered by Centerprise ISO 27001-certified processes. 

 
 
 
 
 

F) Secure User Management 

 
 
 
 


 

Once logged in, customers can customise their basic account security settings, such as activating auto logout and setting a timeout in minutes, hours or days. Account passwords can be changed at any time. Customers can also connect their email and other social media accounts. 

 
 
 
 
 

G) Access Control Lists (ACLs) 

 
 
 
 


 

ACLs segment account control rights and access to the different operational aspects. With this feature, the account administrators can access different resources or a group of resources across the account. The account administrator delegates permissions to each account and lets users log in to the web console with their credentials. Examples of delegated abilities: 

● Provide accounting with access to billing but not to edit any server/networking resources 

● Give junior sysadmins access to start/stop servers but not to create or delete anything 

● Provide senior sysadmins access to manage the architecture fully but not be able to access billing 

● Provide the operations team with access to firewall policies and networking but not to servers 

● Provide a team with full access to their servers (using server tagging) but not any of the other resources 

 

ACLs enable very granular control over the account’s permissions and budget, resulting in higher levels of transparency and security. For each module, it is possible to delegate read-only or read-write permission. It is also possible to delegate permission on individual resources, for example, a server or set of drives. 

 
 
 
 
 

H) Two-Factor Authentication 

 
 
 
 


 

CiCloud customers can use Google’s two-step authentication to log onto their accounts. Two-step verification increases the security for access to their cloud platform account by providing a six to eight-digit unique password, which users must provide in addition to their username and password to log into the cloud platform UI. The feature is available via an API call and the WebApp. The default status of the feature is disabled and can be activated by individual customers if they want to. 

 
 
 
 
 

I) Keys Management 

 
 
 
 


 

Secure access to end-user VMs is facilitated using SSH key pairs. This allows users to run commands on a machine’s command prompt without being physically present near the machine. This enables users to establish a secure channel over an insecure network. The SSH key creation covers the following three scenarios: 

 

  • The CiCloud support team can generate a public and a private SSH key for the customers. 
  • Customers can generate the SSH keys and upload only the public key to their CiCloud account. In this scenario, customers take responsibility for protecting and accessing the private key. This option is provided for customers who are especially concerned about security in the cloud. 
  • Customers can generate the SSH keys themselves and upload both SSH keys to the CiCloud account. Currently, this scenario doesn’t provide additional benefits, but soon, an SSH console (similar to the VNC console today) will be opened automatically in the WebApp. This option will only be available for customers who have uploaded their public and private SSH keys to their CiCloud accounts. 
 
 
 
 
 

J) Event Logging 

 
 
 
 


 

CiCloud implements comprehensive logging across all its infrastructure deployments. All infrastructure components log all critical system functions (including access or data-impacting actions, for example), recorded by user. Logs are retained locally on the infrastructure component and replicated to a central repository using the logging service tool Kibana. Logs include networking activity and key application and operating system events. Logs are retained for a minimum of one year onsite, with logs retained for up to two years upon request.

 
 
 
 
 

K) Technical Audit 

 
 
 
 


 

All customers of the CiCloud platform are entitled to perform security, operations, and process auditing in relation to our services. The audit can be performed by the customer or by a third party authorised by the customer. Please note the following:

 

  • Any audits shall be executed at the cost of the customer, including but not limited to charges that we have incurred during this process. 
  • The data centre can be visited, and access can be granted only after an advance notice of two weeks prior to the day of the visit. 
  • To conduct the audit, the customer or their third-party auditor shall be accompanied by a CiCloud staff member. 

 

 
 
 
 
 

L) Network Security & Traffic Separation (Data in Transit) 

 
 
 
 


 

CiCloud leverages the open-source KVM hypervisor to fully separate all traffic between client accounts below the virtual machine level. No end user can view traffic from any other end user. Linux KVM achieves this through full packet inspection of all incoming and outgoing packets to VMs. KVM implements a virtual switch for every networking interface of each VM. Acceptable traffic courses (i.e., other VMs in the user’s account) are instantiated on boot and updated as VMs are added and removed from various networks (i.e., end-user private networks in the cloud). In addition, end users can apply virtual firewalls at the hypervisor level that apply additional rules.

 
 
 
 
 

M) Storage Separation (Data at Rest) 

 
 
 
 


 

Users can easily keep data private and secure by fully encrypting the operating system/file structure using technologies such as KVM for Linux distributions or TrueCrypt for Windows environments. While this approach doesn’t eliminate the potential for data leakage, it does render any leaked data completely unusable to others. However, this approach can be somewhat disruptive if, for example, an encrypted server crashes, as it will require manual procedures to enable access to encrypted data on reboot. Customers can apply encryption to the drive on creation. This eliminates the possibility of data leakage and ensures the automatic encryption of any new data as it is written. Encryption can be enabled via the API or WebApp when creating a new drive. It should be noted that this approach may have a small impact on performance. Customers can always configure their servers to have a system drive with no encryption and a data drive that is fully encrypted. 

 
 
 
 
 

N) DDoS Protection Measures 

 
 
 
 


 

The following measures are used to prevent Distributed Denial of Service (DDoS) attacks: 

 

  • Implement additional rules for fraud payment prevention (Number of tries per new account, e.g., 5. This should only apply if the account age is less than a week.) 
  • Apply an ISP approach for safety: Traffic shaping (put in place a policy limiting the number of packets and throughput). Upon request, that policy will be editable for a particular client or set of clients. 
  • Blacklisting of IP addresses in the event of an attack 
  • Maintenance of significant spare external IP connectivity to absorb malicious traffic 
  • Additional firewall measures both at our edge and internally 
  • Obfuscation of and removal (in some cases) of public IP connectivity from core cloud infrastructure where possible to avoid targeting key cloud infrastructure assets 
  • Externally hosted cloud status page allowing status updates even during a potential total outage (see http://status.cloudsigma.com/) 
  • Using IP proxies on core services and other measures that can’t be shared publicly 
  • Automatic blocking of DDoS attacks against our clouds
 
 
 
 
 

O) Data Encryption 

 
 
 
 


 

CiCloud supports the partial or full (boot level) encryption of virtual drives. As a best practice, we recommend that end users perform boot-level encryption of sensitive data and retain the keys outside our cloud. The cloud platform currently supports several customers running fully encrypted data storage in conjunction with their services in the cloud. End users can also connect to their VMs using encrypted protocols to ensure the integrity of login and other data they transmit to and from their servers. Typical end-user use cases where encryption would be used would be when a hosted processing provider is storing sensitive end-user information or when a service provider wishes to store proprietary data that they wish to be secured additionally. In these cases, an encrypted partition can be created for that specific data or a separate virtual drive with full file system encryption used. In this way, the end user providing the service can combine the best performance from data that does not need encryption with high security for the data that does. CiCloud has extensive experience in encrypting drive data using numerous encryption approaches, such as Cryptsetup, dm-crypt, FDE, TrueCrypt (VeraCrypt), as well as lower-level block storage encryption via ZFS and is happy to work with end users to ensure the right encryption is implemented to reflect their requirements. 

 
 
 
 
 

P) Intel-SGX 

 
 
 
 


 

Intel Software Guard Extensions (Intel-SGX) helps protect data via application isolation technology. By protecting selected code and data from modification, developers can partition their applications into hardened enclaves or trusted execution modules to help increase application security. With Intel-SGX, application developers can protect select code and data from disclosure or modification. Enclaves are trusted execution environments (TEE) that utilise a separate portion of memory that is encrypted for TEE use. Customers can select Software Guard Extension when provisioning a server and allocate RAM to that server. Intel-SGX is an additional security measure that can benefit companies working with sensitive and confidential data. Intel-SGX ensures the integrity and confidentiality of computations in such systems where privileged processes are deemed unreliable. The data in the enclave remain protected even if the cloud servers are compromised.

 
 
 
 
 

Q) Virtual Router 

 

 
 
 
 


 

CiCloud offers Virtual Router functionality as an effective Network-as-a-Service tool accessible via the user interface and API. The tool allows customers to fine-tune their network and security in the cloud and offers a high level of granularity and control of access and set up of preferred connections and routing. The Virtual Router tool grants unlimited virtual domains, firewall policies and registered endpoints, and a rich set of additional features. 

 
 
 
 
 

R) Firewall Policy 

 
 
 
 


 

Due to isolation and abstraction from the hardware, virtual machines, by nature, provide additional security over their traditional counterparts. An attack on a VM should not affect any other VMs running on the same server or the host OS. Virtual machines have security vulnerabilities, but the negative impacts of an attack can be mitigated using methods similar to those applied to physical systems. The real security concern should be at the hypervisor level. If an unauthorised user were to gain access to the hypervisor and, ultimately, the host OS and hardware, they could take advantage of all the VMs being automatically generated on the same system. CiCloud hypervisor-level firewalls are available over the Virtual Router and ensure network protection below the level of the virtual machine without relying on the virtual machine operating system, which is resilient even to the compromise of that virtual machine. This feature allows customers to create, manage and apply enterprise-grade networking policies concerning their cloud infrastructure in a fully integrated way. Users can configure and constrain both inbound and outbound traffic through the Web interface or directly over the API, including by traffic type. Network policies also allow black and whitelisting by IP address. Management is achieved via policies applied to single or groups of infrastructure, allowing easy management and application across both small and large-scale infrastructure. The policies range from a single rule that blocks all external public IP traffic to complex schemes that only allow connections to certain ports from a set of IPs. Network policies are saved and applied to one or more virtual servers as required. Furthermore, network policies can be reconfigured and re-applied to running servers without service disruption.

 
 
 
 
 

S) Security Management 

 

 
 
 
 


CiCloud is ISO-27001 certified, including all areas of sales, operations and support, and PCI-DSS compliant. A copy of the latest ISO 27001, ISO 27017, and ISO 27018 certificates can be obtained upon request. In addition, CiCloud is certified by Canonical as a certified Ubuntu Public Cloud. 

 

CiCloud certifications held also include: ISO 27001, ISO 27017, ISO 27018, ISO 10002, ISO 20000, ISO 45001, ISO 14001, ISO 22301, ISO 50001, ISO 9001, GEANT, EU GDPR, PCI DSS, Cyber Essentials PLUS, JOSCAR.

 

 
 
 
 
 

T) Quality Management 

 

 
 
 
 


 

CiCloud applies internal quality management procedures to processes relating to the creation and quality control of the products and services the company offers. We use a combination of methodologies and management tools to ensure customer requirements and expectations are continuously monitored and met. The heads of each department are responsible for implementing all quality management procedures and ensuring the management system is compatible with ISO 27001. An integrated management interface is the centralised system we use to manage and monitor the cloud from an operations and account management perspective. The separate user roles and rights define different access levels. Team members are trained and updated on the different components and metrics used and are then granted access levels based on their roles.

 
 
 
 
 

U) Secure Development 

 

 
 
 
 


 

An agile framework provides us with software development methods in which requirements and solutions evolve through collaboration between self-organising, cross-functional teams. Retaining short-term flexibility through an agile approach reduces the risk of failure and surfaces issues earlier before they threaten the success of the proposal. The iterative sprint process provides the ability to forecast the work effort required for each deliverable, allowing the product owner to fine-tune their product roadmap. Being agile also moves the trade-off between the completeness of the product and release timing. It is possible to release more frequently and to iterate faster. The second facet of our engineering approach is the set of systems in place to manage software deployment securely and reliably, complementing the agile methodologies outlined above. Deployment is managed across three separate environments: development, acceptance testing, and production. The main source code repository is managed through the Mercurial Source Code Management tool and GitHub. The updated codebase is verified through the Jenkins Continuous Integration tool, which tests each check-in via an automated build and runs a sequence of integration and unit tests on the code. We run a suite of user-level acceptance tests on the integration servers that primarily monitor performance. The code is added to the Mercurial Production Repository if these tests pass successfully. At this point, the code becomes subject to an internal code review by a developer without involvement with this code base. When this is signed off, the code is sent to a third and final Mercurial repository, ready for deployment into the production environment. Risk management is applied in tandem with our agile approach and assigned the following four elements: risk description, probability, loss size measured in days or story points, and exposure. The risks are re-evaluated at each sprint, with a single consolidated risk value created.

 
 
 
 
 

W) Staff Screening 

 

 
 
 
 


 

Only full-time IT operational staff who have been security-cleared by presenting a clean criminal record have access to our cloud, which is monitored by audit trails. In addition, our access control methods are defined by role and need. All new staff are trained following our internal processes relating to security and privacy and ISO 27001 certification guidelines. 

 
 
 
 
 

X) Technical Support Staff 

 
 
 
 


 

CiCloud Technical Support staff are all trained to the highest degree on all aspects of Centerprise CiCloud. Our Support staff work closely with Account Managers and the DevOps team. They are highly knowledgeable and responsive, delivering a high level of customer care. CiCloud guarantees 24/7 coverage all year round via live chat, email and Zendesk, our online ticketing system. The team continuously monitors our infrastructure through an extensive and intelligent monitoring platform, ensuring that all systems are operational and reacting immediately to any incident via documented procedures or escalating to our Operations Team. All monitoring systems comply with our security and confidentiality protocols. 

 

 

Centerprise Cloud Features Mapping Against the National Cyber Security Centre Attribute 

 

 
 
 
 
 
 

NCSC Attribute  

 
 
 
 
 

CiCloud Features Mapping  

 

 
 
 
 
 

1. Data In Transit Protection 

User data transiting networks should be adequately protected against tampering and eavesdropping. 

 
 
 
 

L) Network Security & Traffic Separation (Data in Transit)

N) DDoS Protection Measures 

O) Data Encryption 

P) Intel-SGX 

Q) Virtual Router 

R) Firewall Policy 

S) Security Management 

 

 

 

 
 
 
 
 

2. Asset Protection and Resilience 

User data and stored or processed assets should be protected against physical tampering, loss, damage or seizure. 

 
 
 
 

A) Physical location and legal jurisdiction 

B) Data centre security 

M) Storage Separation (Data at Rest) 

J) Event Logging 

O) Data Encryption 

S) Security Management 

 

 

 
 
 
 
 

3. Separation Between Users 

A malicious or compromised user of the service should not be able to affect the service or data of another. 

 
 
 
 

A) Physical location and legal jurisdiction 

B) Data centre security 

C) CiCloud WebApp/API 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

M) Storage Separation (Data at Rest) 

O) Data Encryption 

S) Security Management 

U) Secure Development 

 

 
 
 
 
 

4. Governance Framework 

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined. 

 
 
 
 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

N) DDoS Protection Measures 

O) Data Encryption

S) Security Management 

T) Quality Management 

 

 

 
 
 
 
 

5. Operational Security 

The service needs to be operated and managed securely to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time-consuming, or expensive processes. 

 
 
 
 

A) Physical Location and Legal Jurisdiction 

B) Data Centre Security 

D) Root Access & Operating System Security 

E) Patching Service 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

K) Technical Audit 

L) Network Security & Traffic Separation (Data in Transit) 

M) Storage Separation (Data at Rest) 

N) DDoS Protection Measures 

O) Data Encryption 

P) Intel-SGX 

Q) Virtual Router 

R) Firewall Policy 

S) Security Management 

T) Quality Management 

W) Staff Screening 

X) Technical support staff 

 

 
 
 
 
 

6. Personnel Security 

Where service provider personnel have access to your data and systems, you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel. 

 
 
 
 

A) Physical Location and Legal Jurisdiction 

B) Data Centre Security 

J) Event Logging 

S) Security Management 

T) Quality Management 

W) Staff Screening 

X) Technical Support Staff 

 

 
 
 
 
 

7. Secure Development 

Services should be designed and developed to identify and mitigate threats to their security. Those that are not may be vulnerable to security issues that could compromise your data, cause loss of service, or enable other malicious activity.

 
 
 
 

D) Root Access & Operating System Security 

E) Patching Service 

J) Event Logging 

S) Security Management 

T) Quality Management 

U) Secure Development 

W) Staff Screening 

X) Technical Support Staff 

 

 
 
 
 
 

8. Supply Chain Security  

The service provider should ensure that its supply chain satisfactorily supports all of the security principles the service claims to implement. 

 

 
 
 
 

A) Physical Location and Legal Jurisdiction 

B) Data Centre Security 

D) Root Access & Operating System Security 

E) Patching Service 

J) Event Logging 

P) Intel-SGX 

Q) Virtual Router 

S) Security Management 

T) Quality Management 

U) Secure Development 

W) Staff Screening 

X) Technical Support Staff 

HPE Silicon Root of Trust  

 

 
 
 
 
 

9. Identity and Authentication 

Your provider should make the tools available to manage your use of their service securely. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications, and data. 

 
 
 
 

C) CiCloud WebApp/API 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

Q) Virtual Router 

R) Firewall Policy 

S) Security Management 

T) Quality Management 

U) Secure Development 

W) Staff Screening 

X) Technical support staff 

 

 
 
 
 
 

10. Identity and Authentication 

All access to service interfaces should be constrained to authenticated and authorised individuals. 

 

 
 
 
 

B) Data Centre Security 

C) CiCloud WebApp/API 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

N) DDoS Protection Measures 

R) Firewall Policy 

S) Security Management 

T) Quality Management 

U) Secure Development 

 

 
 
 
 
 

11. External Interface Protection 

All external or less trusted service interfaces should be identified and appropriately defended. 

 
 
 
 

B) Data Centre Security 

C) CiCloud WebApp/API 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

S) Security Management 

T) Quality Management 

 

 
 
 
 
 

12. Secure Service Administration 

Systems used to administer a cloud service will have highly privileged access to that service. Their compromise would have a significant impact, including the means to bypass security controls and steal or manipulate large volumes of data. 

 
 
 
 

A) Physical Location and Legal Jurisdiction 

B) Data Centre Security 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

S) Security Management 

T) Quality Management 

U) Secure Development 

W) Staff Screening 

X) Technical Support Staff 

 

 
 
 
 
 

13. Audit Information for Users 

You should be provided with the audit records needed to monitor access to your service and its data. The type of audit information available to you will directly impact your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. 

 
 
 
 

A) Physical Location and Legal Jurisdiction 

B) Data Centre Security 

J) Event Logging 

K) Technical Audit 

S) Security Management 

T) Quality Management 

U) Secure Development 

 

 
 
 
 
 

14. Secure Use of the Service 

The security of cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service for your data to be adequately protected. 

 
 
 
 

C) CiCloud WebApp/API 

D) Root Access & Operating System Security 

F) Secure User Management 

G) Access Control Lists (ACLs) 

H) Two-Factor Authentication 

I) Keys Management 

J) Event Logging 

O) Data Encryption 

R) Firewall Policy 

S) Security Management 

T) Quality Management