Your responsibilities when joining the cloud platform
As a member of the Scottish Government’s cloud platform, you’re responsible for your own area. This includes responsibilities as you:
- get set up
- do risk management
- do security management
Getting set up
For your area of the cloud platform, you’ll need to:
- design and build your own cloud tools and services
- manage and maintain any workloads
- classify and protect your data and identities
- make sure you follow data protection legislation
- maintain your part of the platform – carrying out updates and security patches
- pay for the cost of running your service and for any services you share with others
Risk management
For your area of the cloud platform, you’ll need to:
- identify IT and cybersecurity risks to your workloads
- review risks
- take actions and put in place controls to limit risks
- keep the cloud platform team up-to-date on risks
- escalate risks to the cloud platform team when needed
- keep any specific groups or roles that may be affected by particular risks up-to-date
- take part in service reviews with the cloud platform
Security
For your area of the cloud platform, you’ll need to:
- conduct security and privacy assessments
- use the right security controls for your service as well as the ones we set up for you
- secure how people connect to your workloads
- log, monitor and prepare for security incidents
- fix any security issues you find, such as vulnerability remediation or system patching
- collaborate with the Security Operations Centre to work out if they need to support you
- do annual penetration tests on every workload or anytime you make significant changes
- update people’s access rights as they join, move jobs or leave teams
- back up your workloads
- make sure your own third party suppliers meet your security standards
- follow legislative requirements and best practice, such as NCSC cloud security principles
- remove personal information from log files you send to the cloud platform. For example, for archiving or sending onto the Security Operations Centre
-
define and manage user permissions for programmatic access (if you're integrating non-human service accounts)
-
rotate keys every 60 days (if you're integrating non-human service accounts)
What you’ll need to do with the cloud platform team
You’ll also have responsibilities you need to do with the cloud platform team. This includes:
- reviewing what’s in your cloud, iterating and improving it
- upskilling employees
- keeping up-to-date with changes to cloud
- keeping costs under control
- making sure your services are eco-friendly
What the cloud platform team will do for you
The Scottish Government’s cloud platform team are responsible for the platform. They do this with help from:
- iTECS and the Security Operations Centre
- Amazon Web Services and Microsoft Azure
Help to get set up
For the cloud platform, they’ll:
- give you support and guidance to onboard
- give you guidance on best practices and standards to design your architecture
- give you standardised accounts and subscriptions - we can customise these if needed
- set up groups and create roles, so you can manage permissions within your accounts
- give you control of your workload web addresses, such as sub-domains of gov.scot
- give you access to storage, compute and databases
- recharge your organisation for its costs
Risk management help
For the cloud platform, they’ll:
- identify IT and cybersecurity risks to the platform
- review risks
- take actions and put in place controls to limit risks
- keep you up-to-date on risks
- escalate risks to the appropriate governance group
Security help
For the cloud platform, they’ll:
- conduct security assessments for the platform
-
set up some baseline security controls
- do security monitoring and alerting for the platform
- facilitate access to the Security Operations Centre to share log files
- give you a centralised identity provider for the platform