What Security Controls are required for Cloud Services

This is a common question, and the NCSC publishes plenty of guidance on it. For your assessment, however, these are the things you need to know:

What is a cloud service for Cyber Essentials? (our article here)

MULTI-FACTOR (MFA) / TWO FACTOR (2FA) AUTHENTICATION

Where the cloud service offers it, Multi-Factor / Two-Factor Authentication should be enabled AND enforced; from January 2023 this is a requirement of the Cyber Essentials standard, not a recommendation. "Enabled" means users are able to register a second factor; "enforced" means the service refuses a sign-in that does not present one. Only the second state counts.

ADMINISTRATOR ACCOUNTS (MFA/2FA)

MFA/2FA should be enabled and enforced for every administrative account within your cloud platform - this INCLUDES any break-glass (emergency access) accounts you may have, however rarely they are used.

You MUST have a unique admin account for every person who administers the cloud platform, including the staff of any external support company. If you have 2 internal admins and 10 engineers from your support company, we will be looking for 12 admin accounts, each belonging to one named person and each with MFA/2FA enabled and enforced. A single shared "support" login used by several engineers does not meet this.

USER ACCOUNTS (MFA/2FA)

MFA/2FA is a basic security feature and should be enabled and enforced on all user accounts, not just administrators; from January 2023 this is a requirement of the Cyber Essentials standard.
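The two sections above amount to a short list of checks an assessor will run: every admin account (break-glass included) has MFA enforced, every user account has MFA enforced, and every person doing admin work has an account of their own. As an added illustration (example code written for this page, not from the article or the NCSC), the Python below runs those checks over a constructed account export. The Account schema is an assumption, as is its used_by field: no tenant export tells you which person holds which credential, so you would fill that in from your own records. "Registered but not enforced" is deliberately treated as no MFA at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One identity from a cloud tenant's account export.

    The schema is constructed for this example, not any vendor's export format.
    used_by lists the people who actually sign in with the account; this comes from
    your own records of who holds which credentials (assumption: no export has it).
    """
    username: str
    is_admin: bool
    mfa_registered: bool            # a second factor has been set up on the account
    mfa_enforced: bool              # policy refuses sign-in without that second factor
    break_glass: bool = False
    used_by: tuple[str, ...] = ()


def audit(accounts, admin_people):
    """Apply the assessor's checks and return the findings.

    admin_people is everyone (internal staff and external support engineers) who does
    admin work on the platform; each of them must have their own admin account.
    """
    findings = {
        "admins_without_mfa": [],           # break-glass accounts are deliberately included
        "users_without_mfa": [],
        "mfa_registered_not_enforced": [],  # "enabled" is not the same as "enforced"
        "shared_admin_accounts": [],
        "admins_without_own_account": [],
    }
    covered = set()  # people who are the sole user of some admin account
    for acct in accounts:
        mfa_ok = acct.mfa_registered and acct.mfa_enforced
        if acct.mfa_registered and not acct.mfa_enforced:
            findings["mfa_registered_not_enforced"].append(acct.username)
        if acct.is_admin:
            if not mfa_ok:
                findings["admins_without_mfa"].append(acct.username)
            if len(acct.used_by) > 1:
                findings["shared_admin_accounts"].append(acct.username)
            elif len(acct.used_by) == 1:
                covered.add(acct.used_by[0])
        elif not mfa_ok:
            findings["users_without_mfa"].append(acct.username)
    # Anyone on the roster who is not the sole user of an admin account fails the
    # "12 admins means 12 admin accounts" expectation.
    findings["admins_without_own_account"] = sorted(set(admin_people) - covered)
    return findings


def is_compliant(findings):
    """True only when every findings list is empty."""
    return not any(findings.values())


# Constructed sample export: 2 internal admins plus 3 support-company engineers who
# all log in through one shared "support-admin" account.
ACCOUNTS = [
    Account("alice.admin", True, True, True, used_by=("Alice",)),
    Account("bob.admin", True, True, False, used_by=("Bob",)),        # registered, never enforced
    Account("breakglass-01", True, False, False, break_glass=True),   # sealed envelope, no MFA
    Account("support-admin", True, True, True, used_by=("Carol", "Dan", "Eve")),
    Account("alice", False, True, True, used_by=("Alice",)),
    Account("frank", False, False, False, used_by=("Frank",)),
]
ADMIN_PEOPLE = {"Alice", "Bob", "Carol", "Dan", "Eve"}

if __name__ == "__main__":
    result = audit(ACCOUNTS, ADMIN_PEOPLE)
    for check, names in result.items():
        print(f"{check:30} {', '.join(names) or 'OK'}")
    print("Cyber Essentials MFA controls:", "PASS" if is_compliant(result) else "FAIL")
```

On the sample data the audit fails on four counts: bob.admin and the break-glass account have no enforced MFA, frank is a user without MFA, support-admin is shared, and Carol, Dan and Eve have no admin account of their own. Replace ACCOUNTS with your own export and ADMIN_PEOPLE with your real roster (support company included) to see what an assessor will see.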

MY SERVICE DOESN'T SUPPORT MFA/2FA

The real question to ask yourself is this: if a provider is not delivering what is now a basic security feature that should come as standard, are you sure they are the right company to trust with your data?

The NCSC's advice is that if your cloud service does not support MFA/2FA you should look for an alternative. From January 2023, a cloud service on which MFA/2FA cannot be enforced will be a Cyber Essentials failure.