NCSC Cloud Security Principles 2025

NCSC Cloud Security Principles 2025 and the Complete UK Enterprise Guide


The National Cyber Security Centre's 14 Cloud Security Principles form the cornerstone of UK cloud security guidance. Updated for 2025, these principles help organisations assess whether cloud services meet their security requirements—from data protection and personnel security to operational resilience. This guide explains each principle with practical implementation guidance for UK enterprises.

Written by the CTC Editorial Team

What Are the NCSC Cloud Security Principles?

The National Cyber Security Centre (NCSC) publishes 14 Cloud Security Principles to help UK organisations make informed decisions about cloud service adoption. These principles provide a framework for evaluating whether a cloud provider's security posture aligns with your organisation's risk appetite and regulatory obligations.

Originally developed by CESG (absorbed into the NCSC in 2016), the principles are the framework G-Cloud suppliers declare against and are referenced in Crown Commercial Service procurement guidance. For UK public sector organisations, demonstrating alignment with these principles is usually expected; for private sector enterprises in regulated industries, they represent recognised good practice.

The 14 Principles Explained

Principle 1: Data in Transit Protection

User data transiting networks should be adequately protected against tampering and eavesdropping. In practice this means TLS 1.2 or higher for all data in transit, with TLS 1.3 preferred for new deployments. AWS, Azure, and Google Cloud all support TLS 1.3 on their UK region endpoints, but support is not enforcement: where a provider keeps TLS 1.0/1.1 enabled for compatibility, an old client will still negotiate it unless you set a minimum version on the service (storage accounts, load balancers and API gateways expose such a setting) and in your own clients. Check what your endpoints actually negotiate rather than what the datasheet says is available.
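The check above, as an added example written for this guide (it is not NCSC or provider code): a client-side TLS context that refuses anything below TLS 1.2, a probe that reports what a given endpoint really negotiates, and a second probe that confirms the server rejects a client offering only TLS 1.0/1.1. The hostnames you pass in are your own; the acceptable-version set and the helper names are this example's assumptions.

```python
"""Principle 1 helpers: a hardened client TLS context plus two endpoint probes.
Added example for this guide; uses only the Python standard library."""
import socket
import ssl

# Versions the principle's guidance accepts (assumption for this example).
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def hardened_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def meets_principle_1(protocol: str) -> bool:
    """True if a negotiated protocol string (as SSLSocket.version() returns it) is acceptable."""
    return protocol in ACCEPTABLE


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.
    Raises ssl.SSLError if the server cannot do TLS 1.2 or better with a verifiable cert."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, _, bits = tls.cipher()
            version = tls.version()
            return {"host": host, "protocol": version, "cipher": cipher,
                    "bits": bits, "acceptable": meets_principle_1(version)}


def rejects_legacy_client(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server refuses a client that offers only TLS 1.0/1.1 (the result you want).
    Certificate checks are off here on purpose: we only care whether the handshake completes.
    On OpenSSL builds that no longer ship TLS 1.0/1.1 the attempt fails locally, which we
    also report as 'cannot be downgraded from this host'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        return True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False  # server accepted a legacy-only client
    except (ssl.SSLError, OSError):
        return True


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.ncsc.gov.uk"
    print(probe(target))
    print("rejects TLS 1.0/1.1-only clients:", rejects_legacy_client(target))
```

Run it against each public endpoint you expose (and the provider endpoints you depend on); a `False` from `rejects_legacy_client` means the minimum-version setting described above has not been applied.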

Principle 2: Asset Protection and Resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage, or seizure. For UK deployments, this means understanding datacentre locations—Azure UK South, AWS eu-west-2, and GCP europe-west2 all operate UK-based facilities. Region availability is not by itself a residency guarantee: confirm per service where backups, replicas, and support tooling hold copies, since some services are global or replicate across regions by default.

Principle 3: Separation Between Consumers

A malicious or compromised consumer should not be able to affect the service or data of another. Multi-tenancy isolation is fundamental to public cloud. Providers implement hypervisor-level separation, network segmentation, and cryptographic isolation to prevent cross-tenant data leakage. Separation between your own workloads (production from development, one business unit from another) is your responsibility, using the provider's account, subscription or project boundaries.

Principle 4: Governance Framework

The service provider should have a security governance framework that coordinates and directs its management of the service. Look for ISO 27001 certification, SOC 2 Type II reports, and documented security policies. Major providers publish these via AWS Artifact, the Microsoft Service Trust Portal, and Google Cloud's Compliance Reports Manager.

Principle 5: Operational Security

The service needs to be operated and managed securely to prevent, detect, or limit attacks. This encompasses vulnerability management, protective monitoring, incident management, and configuration management. The principles themselves do not mandate a particular certification; Cyber Essentials Plus is commonly required in UK public-sector contracts and is a reasonable baseline to ask for, but it covers a small set of controls and is no substitute for evidence on the four areas above.

Principle 6: Personnel Security

Service provider staff with access to your data should be subject to appropriate personnel security procedures. For sensitive UK government workloads, this may require staff to hold Security Check (SC) or Developed Vetting (DV) clearance. Commercial cloud providers typically screen staff against a recognised standard such as BS 7858, but government-level clearance for the operations staff who could reach your data should not be assumed: ask which roles are screened to what level, and reduce reliance on screening by keeping provider access to plaintext data to a minimum (customer-managed encryption keys, approval workflows for support access).

Principle 7: Secure Development

Services should be designed and developed to identify and mitigate threats. Providers should demonstrate secure software development lifecycles (SSDLC), regular penetration testing by CREST or CHECK-accredited firms, and responsible vulnerability disclosure programmes.

Principle 8: Supply Chain Security

The provider should ensure its supply chain satisfactorily supports security. This includes hardware provenance, third-party software components, and subcontractor assessments. Post-SolarWinds, supply chain security has become a board-level concern for UK enterprises.

Principle 9: Secure User Management

Your provider should make tools available for you to securely manage your use of the service. This encompasses identity and access management, multi-factor authentication, role-based access controls, and privileged access management. Microsoft Entra ID, AWS IAM, and Google Cloud IAM all provide enterprise-grade capabilities. Providing the tools is the provider's part of this principle; configuring them (least-privilege roles, MFA enforced, no standing administrative access) is yours.

Principle 10: Identity and Authentication

Access to service interfaces should be constrained to authenticated and authorised individuals. The NCSC recommends phishing-resistant MFA (FIDO2 security keys or passkeys) for administrative access. All major providers support FIDO2 authenticators for console sign-in; API and CLI access uses keys or tokens instead, so the control there is to issue only short-lived credentials from an MFA-protected session and to remove long-lived access keys from human accounts.
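Principles 9 and 10 both come down to what your own policies allow. The following is an added example written for this guide, not AWS tooling: a static audit of IAM policy documents for the weaknesses that most often defeat identity controls (blanket or service-wide action wildcards, write access on `Resource: "*"`, privileged actions not conditioned on `aws:MultiFactorAuthPresent`, and public principals with no condition). The list of "privileged" services and the three sample policies are this example's own assumptions and constructions.

```python
"""Static audit of AWS IAM policy documents (Principles 9 and 10).
Added example for this guide; the policies at the bottom are constructed samples."""
import json

READ_ONLY_PREFIXES = ("Get", "List", "Describe")
# Services whose APIs change who can do what; we expect MFA on allows touching them (assumption).
PRIVILEGED_SERVICES = {"iam", "sts", "organizations", "kms"}


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def _mfa_required(statement: dict) -> bool:
    """True when the allow is conditioned on an MFA-backed session."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def _public_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_policy(policy: dict) -> list[str]:
    """Return one human-readable finding per weakness in each Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid") or f"Statement[{i}]"
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API operation")
        for action in actions:
            _, _, name = action.partition(":")
            if name == "*":
                findings.append(f"{sid}: service-wide wildcard {action}")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"{sid}: write-capable actions on Resource '*'")
        if (any(a.partition(":")[0].lower() in PRIVILEGED_SERVICES for a in actions)
                and not _mfa_required(st)):
            findings.append(f"{sid}: privileged actions allowed without aws:MultiFactorAuthPresent")
        if _public_principal(st.get("Principal")) and "Condition" not in st:
            findings.append(f"{sid}: Principal '*' with no Condition (public access)")
    return findings


def audit_policy_json(text: str) -> list[str]:
    """Same check starting from the policy document as JSON text."""
    return audit_policy(json.loads(text))


# Constructed samples (not real policies).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ManageUsers", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageUsersWithMfa", "Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:DeleteUser"],
         "Resource": "arn:aws:iam::123456789012:user/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:GetLogEvents"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in [("broad", BROAD_POLICY), ("public bucket", PUBLIC_BUCKET_POLICY),
                          ("hardened", HARDENED_POLICY)]:
        print(label, "->", audit_policy(policy) or "no findings")
```

The hardened sample passes because its privileged actions are scoped to a resource ARN and conditioned on MFA, while its read-only statement is allowed to use `Resource: "*"`; that distinction (read versus write on a wildcard resource) is what keeps the check usable without drowning in noise.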

Principle 11: External Interface Protection

All external or less trusted interfaces should be identified and appropriately defended. This includes management consoles, APIs, and any internet-facing services. Web application firewalls (AWS WAF, Azure WAF, Cloud Armor) provide Layer 7 protection for public endpoints, but a WAF is no substitute for not exposing management interfaces at all: private endpoints, IP allow-lists and conditional-access policies should keep console and API access off the open internet where the provider supports it.

Principle 12: Secure Service Administration

Administration of a cloud service should not enable attackers to circumvent security controls. Provider administrative access should use privileged access workstations, just-in-time access, and comprehensive audit logging. Where you want visibility of provider-staff access to your data, Azure Customer Lockbox and Google Cloud Access Transparency expose it; AWS CloudTrail records API activity within your own account, which covers your administrators rather than the provider's.

Principle 13: Audit Information and Alerting

You should be provided with the audit information needed to monitor access to your service and data. Retention periods are yours to set (UK GDPR does not fix a number; your DPIA and any sector rules do), so confirm that the provider lets you export logs to storage you control rather than relying on console defaults, which are often limited to around 90 days. Real-time alerting and integration with a SIEM such as Microsoft Sentinel or Splunk are essential for enterprise deployments; audit information you never query is not monitoring.
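The alerting half of this principle, and the region and misconfiguration points under Principles 2 and 14, as an added example written for this guide (not provider tooling): a handful of detection rules run over CloudTrail-style events. The rule set, the allowed UK region list, and the sample events are this example's own constructions; the sample records follow CloudTrail's field layout but are not real captures.

```python
"""Detection rules over CloudTrail-style events (Principle 13; region and
misconfiguration checks from Principles 2 and 14). Added example for this guide.
SAMPLE_EVENTS are constructed records, not real captures."""
import json

UK_REGIONS = {"eu-west-2"}                  # assumption: only London is in scope
# IAM, STS and other global-service events are recorded under us-east-1 whichever
# region you operate in, so they must not trip the residency rule.
GLOBAL_SERVICE_REGIONS = {"us-east-1"}
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

RULES = []


def rule(name):
    """Register a predicate over one event under a human-readable rule name."""
    def register(fn):
        RULES.append((name, fn))
        return fn
    return register


@rule("console login without MFA")
def _login_without_mfa(e):
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


@rule("root credentials used")
def _root_used(e):
    return e.get("userIdentity", {}).get("type") == "Root"


@rule("audit trail tampered")
def _trail_tampered(e):
    return e.get("eventSource") == "cloudtrail.amazonaws.com" and e.get("eventName") in TRAIL_TAMPER


@rule("write activity outside UK regions")
def _outside_uk(e):
    return (not e.get("readOnly", False)
            and e.get("awsRegion") not in UK_REGIONS | GLOBAL_SERVICE_REGIONS)


@rule("security group opened to the internet")
def _sg_world_open(e):
    if e.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = e.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


def load_events(text: str) -> list[dict]:
    """Accept a CloudTrail log file ({"Records": [...]}) or newline-delimited JSON."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(obj, dict) and "Records" in obj:
        return obj["Records"]
    return obj if isinstance(obj, list) else [obj]


def evaluate(events: list[dict]) -> list[dict]:
    """Run every rule over every event; one alert per (rule, event) match."""
    alerts = []
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                alerts.append({"rule": name, "eventID": e.get("eventID"),
                               "eventName": e.get("eventName"),
                               "principal": e.get("userIdentity", {}).get("arn")})
    return alerts


def summarise(alerts: list[dict]) -> dict:
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_EVENTS = [  # constructed
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "eu-west-2", "userIdentity": USER,
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "eu-west-2", "userIdentity": USER, "readOnly": False},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-southeast-1", "userIdentity": USER, "readOnly": False,
     "requestParameters": {"ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "eu-west-2", "userIdentity": USER, "readOnly": True},
    {"eventID": "e5", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Point `load_events` at an exported trail file and the same rules run unchanged; the value of owning the export is that you can replay months of history against a new rule when the next incident teaches you what to look for.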

Principle 14: Secure Use of the Service

Cloud providers should make it easy for you to adequately protect your data. This final principle emphasises the shared responsibility model—providers secure the infrastructure, but customers must secure their configurations. Misconfiguration remains one of the most common causes of cloud security incidents.

Applying the Principles: A Practical Checklist

  1. Request the provider's NCSC Cloud Security Principles mapping document

  2. Review ISO 27001 certificates and SOC 2 Type II reports via compliance portals

  3. Verify UK region availability and data residency commitments

  4. Assess encryption capabilities (at rest, in transit, in use)

  5. Evaluate identity and access management integration with existing SSO

  6. Confirm audit log retention periods and SIEM integration options

  7. Review incident response procedures and breach notification timelines

  8. Validate supply chain security practices and subcontractor controls

  9. Confirm Cyber Essentials Plus certification status

  10. Document findings in your risk register and DPIA

Major Provider Compliance Status

All three hyperscale cloud providers—AWS, Microsoft Azure, and Google Cloud—publish detailed documentation mapping their services to NCSC Cloud Security Principles:

  • AWS: Publishes a dedicated whitepaper, 'Using AWS in the Context of NCSC UK's Cloud Security Principles'

  • Azure: Maps principles via Microsoft Purview Compliance Manager with automated assessments

  • Google Cloud: Provides NCSC mapping documentation in the Compliance Reports Manager

For G-Cloud 14 procurement, all three providers maintain active listings with Crown Commercial Service. Note that G-Cloud suppliers self-declare against the principles in their service listing; the framework does not independently validate those claims, so the assurance work still sits with the buyer.

Frequently Asked Questions

Are the NCSC Cloud Security Principles mandatory?

For UK public sector organisations procuring cloud services via G-Cloud, alignment with the principles is expected. For private sector organisations, they represent best practice guidance rather than legal requirements, though regulated industries often mandate their use.

How do I assess a cloud provider against the 14 principles?

Request the provider's NCSC Cloud Security Principles mapping document, review their ISO 27001 and SOC 2 certifications, and validate specific controls through their compliance portal. AWS Artifact, the Microsoft Service Trust Portal, and Google Cloud's Compliance Reports Manager provide self-service access.

Do AWS, Azure, and Google Cloud meet all 14 principles?

All three hyperscale providers publish comprehensive mappings demonstrating alignment with the 14 principles. However, some controls depend on customer configuration—particularly Principles 9, 10, and 14 relating to identity management and secure service use.

What is the relationship between NCSC principles and Cyber Essentials?

Cyber Essentials and Cyber Essentials Plus are separate NCSC schemes focused on baseline security controls. The Cloud Security Principles are more comprehensive, covering cloud-specific considerations. Many organisations require both—Cyber Essentials for internal security posture and Cloud Security Principles for service provider assessment.

How often are the NCSC principles updated?

The NCSC reviews and updates guidance periodically to reflect evolving threats and technologies. The core 14 principles have remained stable since initial publication, with implementation guidance refreshed to address emerging considerations such as zero trust architecture and AI workloads.

What is the shared responsibility model?

Principle 14 emphasises that cloud security is a shared responsibility. The provider secures the underlying infrastructure (physical security, hypervisor, network), whilst the customer secures their workloads (access controls, encryption keys, application security). Misunderstanding this boundary is a frequent cause of cloud security incidents.

Do the principles apply to SaaS applications?

Yes, though the balance of responsibility shifts. With SaaS, the provider controls more of the stack, so Principles 4-8 (governance, operations, development, supply chain) become more critical. Customers should still assess Principles 9-14 relating to identity, access, and secure use.

What documentation should I request from providers?

Request: NCSC Cloud Security Principles mapping, ISO 27001 certificate, SOC 2 Type II report, penetration test summary, data processing agreement (DPA), and incident response procedures. G-Cloud suppliers describe their security posture in their service listing, but you should still ask for the underlying evidence.

How do the principles relate to UK GDPR?

The principles complement UK GDPR requirements, particularly Articles 25 (data protection by design) and 32 (security of processing). Demonstrating alignment with NCSC principles provides evidence for DPIA documentation and ICO accountability requirements.

Can I use the principles for multi-cloud assessments?

Yes. The principles provide a consistent framework for comparing providers. Create a standardised assessment template based on the 14 principles and evaluate each provider against the same criteria. This enables objective comparison and identifies gaps requiring compensating controls.

About the Author

CTC Editorial Team

The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.