Cloud principles

Cloud principles for the Scottish public sector to guide beneficial decision making and behaviours when adopting and using cloud services.

This document is part of a collection

Principle 2: Be secure by design


Develop services that are secure by design by focusing on defining an effective security architecture early on, and deploying security controls that are proportionate to the risks.


Effective security enables convenient access to public services. Designing services to be secure from the ground up results in a better service for users and protects their data.

If you focus on security too late in a project, you risk imposing an unsuitable security architecture that places unnecessary constraints on a service. Often this results in an inferior experience for users, with increased running costs and service complexity.

What does this mean?

  • to meet this principle, project teams must include a security architect with strong cloud expertise and experience from the beginning
  • your service architecture must be based on a clearly defined security architecture that is proportionate to the risks
  • the security of your cloud services must be reviewed and proven at key project milestones. Automated security testing should be built into your software release cycle using secure DevOps practices
  • security requirements must be met in full before your service is deemed fit for purpose (signed off)

Digital Scotland Service Standards

Applying this principle helps you to meet the Digital Scotland Service Standards:

8. Create a secure service which protects users’ privacy: cloud services natively provide a greater level of security and access control than many on-premises options. You can apply cloud security controls proportionately, on a service-by-service basis.

13. Reliable service: secure services are less susceptible to downtime resulting from cyber incidents. Properly monitored services enable you to identify and react to threats proactively.


Apply a security baseline

Apply a standard security baseline to your harden your service against the most common attacks and vulnerabilities.

Make risk-based decisions

Security controls should be proportionate to the risks. Don’t implement unnecessary security controls. Instead, take the time to properly understand your risk profile – it will save time and money later.

Follow proven approaches to security

Exploit proven and best-practice approaches to creating secure cloud services to avoid re-inventing the wheel. Using proven approaches improves your security baseline, increases standardisation and reduces time to delivery. But remember, your security requirements are specific to the risks and threats of your service, and you must always assess security in the context of your service and data.

Go native

Use native security controls where you can. Implement advanced security features from third-party providers only where your risk assessment indicates it is required. Security products often represent a significant proportion of your cloud spend.

Use security services, not security appliances

For the most part, you should protect your cloud services using cloud-based security services, not virtual security appliances. Cloud-based security services are more flexible, require less maintenance and can protect your whole estate without making the architecture of individual services more complex.



Telephone: 0300 244 4000


Cloud First
Cloud and Digital Services Division
Area 1H South
Victoria Quay

Back to top