Designing secure digital services
CESG's Lead Security Architect explains why we're launching a set of security principles for systems architecture design.
Richard Crowther, Lead Security Architect
Against a background of increasing threat, it is essential that the public sector and critical national infrastructure providers can continue to build systems that are robust to attack. Whilst re-use of components and patterns is desirable, often we’re building systems which are unique. Many of these systems really matter. They must be developed from the ground up with security as a central concern.
So, yesterday, CESG launched a set of security principles intended to inform systems architecture design where there is no precedent or architectural pattern to follow. We hope these principles will be useful to developers, technical architects and security architects in the public sector and elsewhere as they work to secure systems of national importance.
As part of GCHQ, we sit alongside world-class experts in areas like vulnerability research, cryptography, product assurance and cyber-defence operations. From them we gain powerful insights into the state-of-the-art, including how our systems are attacked by adversaries from around the globe.
In the past, CESG has responded to these threats by developing and publishing a portfolio of 'architectural patterns' - canned high level system designs which help solve common security problems. These patterns have proven popular, but when it comes to designing systems that don’t fit the pattern – and must be built securely - we need a different approach.
For several years now, the security architecture team at CESG has been helping organisations design and implement systems and services with security integrated at a fundamental level. In this environment we have evolved a set of principles which underpin our thinking on security architecture.
Some of these principles may be familiar to users of our architectural patterns, but there are many being published here for the first time. All of them provide foundation-level guidance on how to secure essential digital services which we will build upon with future publications.
We have produced this guidance in consultation with specialists from government and industry. Particular thanks to technical architects from the Government Digital Service, the Department of Work and Pensions and Home Office.
Latest News from
NCSC welcomes EU cyber sanctions against Russia following 2015 attack on Germany’s Parliament23/10/2020 13:15:00
EU cyber sanctions against Russia following a 2015 attack on Germany's Parliament have been welcomed by the NCSC.
Revamped cyber toolkit launched to support retailers improve defences22/10/2020 09:15:00
The British Retail Consortium’s (BRC) refreshed toolkit, developed alongside experts at the NCSC, will help retailers boost cyber defences.
UK and partners condemn GRU cyber attacks against Olympic and Paralympic Games20/10/2020 14:15:00
Russia warned by UK and allies against further destructive cyber attacks.
NCSC statement: Hackney Borough Council incident14/10/2020 09:15:00
The latest NCSC statement concerning an incident affecting Hackney Borough Council.
Revamped cyber guide will help small businesses work securely online09/10/2020 16:15:00
The NCSC Small Business Guide has been revamped for 2020 as well as the response and recovery guidance.
Sixth Huawei Cyber Security Evaluation Centre oversight board report published02/10/2020 16:15:00
The sixth Huawei Cyber Security Evaluation Centre oversight board report has now been published.
Cyber-savvy schools in Northern Ireland and North East given chance to join UK's finest30/09/2020 14:15:00
Applications open for schools in Northern Ireland and North East England to gain recognition for excellence in cyber security education through the CyberFirst Schools initiative.
Going for gold! Tech-savvy schools recognised for putting cyber skills first23/09/2020 11:15:00
Thirteen schools certified under the CyberFirst Schools initiative which rewards excellence in cyber security education.