Government organisations have been encouraged to adopt a ‘default-allow, explicit-deny’ approach to authorising recipients when sharing data with each other through cloud systems.
This has come from a collaboration between the National Cyber Security Centre (NCSC), the Central Digital and Data Office (CDDO) and Microsoft to build a cross-government collaboration blueprint for the civil service through a project running from September 2021 to May 2022.
An NCSC blogpost explained that under this approach a user is allowed to share access to data through cloud services with any recipient who is not covered by a ‘deny list’, rather than only with recipients on an explicit ‘allow list’.
It acknowledged that there is always a risk from a malicious insider, but said this can be reduced without obstructing collaboration through good security practice such as using secure mobile devices.
It claimed that ‘default-allow, explicit-deny’ can increase efficiency by allowing users to get on with their jobs, maintain confidence in security through activity audits, and reduce the management overhead as administrators do not need to maintain ‘explicit-allow’ lists.
Security and usability
“Sometimes you have to decide between more security and better usability. Fortunately, in this case we think organisations can have both,” said James L, cloud security researcher at NCSC.
The guidance – published by Microsoft in the form of a strategy document and technical guide – also caters for organisations that wish to maintain an allow-list approach due to their technical architecture or specific threat profile and risk assessment.
The guidance is also said to be consistent with the NCSC’s guidance on a zero trust approach to cyber security.
A government spokesperson added: “Seamless digital collaboration across government is fundamental to enabling a more efficient and effective Civil Service.
“The Central Digital and Data Office has brought together government organisations and Microsoft to produce new guidance on how to configure Microsoft 365 for better collaboration within the public sector.”
The NCSC added that it plans to publish guidance soon on securing the use of software-as-a-service applications.