Your responsibilities when joining the cloud platform

As a member of the Scottish Government’s cloud platform, you’re responsible for your own area. This includes responsibilities as you:

  • get set up
  • do risk management
  • do security management

Getting set up

For your area of the cloud platform, you’ll need to:

  • design and build your own cloud tools and services
  • manage and maintain any workloads
  • classify and protect your data and identities
  • make sure you follow data protection legislation
  • maintain your part of the platform – carrying out updates and security patches
  • pay for the cost of running your service and for any services you share with others

Risk management

For your area of the cloud platform, you’ll need to:

  • identify IT and cybersecurity risks to your workloads 
  • review risks
  • take actions and put in place controls to limit risks
  • keep the cloud platform team up-to-date on risks
  • escalate risks to the cloud platform team when needed
  • keep any specific groups or roles that may be affected by particular risks up-to-date
  • take part in service reviews with the cloud platform

Security

For your area of the cloud platform, you’ll need to:

  • conduct security and privacy assessments
  • choose and use appropriate security controls for all parts of your service
  • secure how people connect to your workloads
  • log, monitor and prepare for security incidents
  • fix any security issues you find, such as vulnerability remediation or system patching
  • collaborate with the Security Operations Centre to work out if they need to support you
  • do annual penetration tests on every workload or anytime you make significant changes 
  • update people’s access rights as they join, move jobs or leave teams
  • back up your workloads
  • make sure your own third-party suppliers meet your security standards
  • follow legislative requirements and best practice, such as NCSC cloud security principles 
  • remove personal information from log files you send to the cloud platform, for example for archiving or for sending on to the Security Operations Centre
  • define and manage user permissions for programmatic access (if you're integrating non-human service accounts)
  • rotate keys every 60 days (if you're integrating non-human service accounts)

What you’ll need to do with the cloud platform team

You’ll also have responsibilities you need to do with the cloud platform team. This includes:

  • reviewing what’s in your cloud, iterating and improving it
  • upskilling employees
  • keeping up-to-date with changes to cloud
  • keeping costs under control
  • making sure your services are eco-friendly 

What the cloud platform team will do for you

The Scottish Government’s cloud platform team are responsible for the platform. They do this with help from: 

  • iTECS and the Security Operations Centre 
  • Amazon Web Services and Microsoft Azure

Help to get set up

For the cloud platform, they’ll:

  • give you support and guidance to onboard 
  • give you guidance on best practices and standards to design your architecture
  • give you bootstrapped accounts, with extra controls and security if you need it
  • set up groups and create roles, so you can manage permissions within your accounts
  • delegate control of sub-domains to you 
  • give you access to storage, compute and databases  
  • recharge your organisation for its costs

Risk management help

For the cloud platform, they’ll:

  • identify IT and cybersecurity risks to the platform
  • review risks
  • take actions and put in place controls to limit risks
  • keep you up-to-date on risks
  • escalate risks to the appropriate governance group

Security help

For the cloud platform, they’ll:

  • conduct security assessments for the platform
  • do security monitoring and alerting for the platform
  • facilitate access to the Security Operations Centre to share log files
  • give you a centralised identity provider for the platform