Information assurance body moves beyond architectural patterns in principles for designing digital services
The Government's lead organisation on information assurance has broadened the scope of its security design principles for digital services, publishing a new version that takes it beyond the established portfolio.
CESG said it has been working with the Government Digital Service, the Home Office and the Department for Work and Pensions in drafting the principles, which it posted on its website this week.
Richard Crowther, lead security architect at CESG, says in a blog post that the guidance has been updated from earlier versions to take in the design of systems where there is no precedent or architectural pattern to follow.
“For several years now, the security architecture team at CESG has been helping organisations design and implement systems and services with security integrated at a fundamental level,” he says. “In this environment we have evolved a set of principles which underpin our thinking on security architecture.”
The document breaks the principles into four categories: what to do before starting; making services hard to compromise; reducing the impact of a compromise; and making compromises easy to detect.
Among the stand-outs is a warning against organisations designing or implementing their own cryptographic solutions, as it is extremely difficult and there should be no need for it. Only existing algorithms and protocols should be used, preferably those exposed by the chosen software stack.
Others include anonymising data when it is exported to reporting tools; avoiding the deployment of applications or design functions that make it possible to run arbitrary queries against a dataset; and encrypting partially completed forms under a key held by the user.
CESG says the principles are already being used in some areas, including UK Visas and Immigration systems, and the Universal Credit Digital Service.
Crowther describes the document as “foundation level guidance” and says CESG will build on it with future publications.