Designing secure digital services
CESG's Lead Security Architect explains why we're launching a set of security principles for systems architecture design.
Richard Crowther, Lead Security Architect
Against a background of increasing threat, it is essential that the public sector and critical national infrastructure providers can continue to build systems that are robust to attack. Whilst re-use of components and patterns is desirable, often we’re building systems which are unique. Many of these systems really matter. They must be developed from the ground up with security as a central concern.
So, yesterday, CESG launched a set of security principles intended to inform systems architecture design where there is no precedent or architectural pattern to follow. We hope these principles will be useful to developers, technical architects and security architects in the public sector and elsewhere as they work to secure systems of national importance.
As part of GCHQ, we sit alongside world-class experts in areas like vulnerability research, cryptography, product assurance and cyber-defence operations. From them we gain powerful insights into the state-of-the-art, including how our systems are attacked by adversaries from around the globe.
In the past, CESG has responded to these threats by developing and publishing a portfolio of 'architectural patterns' - canned high level system designs which help solve common security problems. These patterns have proven popular, but when it comes to designing systems that don’t fit the pattern – and must be built securely - we need a different approach.
For several years now, the security architecture team at CESG has been helping organisations design and implement systems and services with security integrated at a fundamental level. In this environment we have evolved a set of principles which underpin our thinking on security architecture.
Some of these principles may be familiar to users of our architectural patterns, but there are many being published here for the first time. All of them provide foundation-level guidance on how to secure essential digital services which we will build upon with future publications.
We have produced this guidance in consultation with specialists from government and industry. Particular thanks to technical architects from the Government Digital Service, the Department of Work and Pensions and Home Office.
Latest News from
Pupils across the UK crowned champions of the NCSC cyber contest for girls07/02/2023 10:05:00
Thirteen teams around the country claimed victory at the finals of the 2023 CyberFirst Girls Competition
Political scientist Thomas Rid and US cyber chief Jen Easterly among speakers confirmed for CYBERUK 202303/02/2023 14:10:00
The UK government's CYBERUK 2023 event takes place 19-20 April at the ICC Belfast.
Schoolgirls across UK prepare to vie for crown of cyber security champion31/01/2023 13:20:00
Girls prepare to go head-to-head at the finals of the 2023 CyberFirst Girls Competition, run by GCHQ’s National Cyber Security Centre.
SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest27/01/2023 11:10:00
Activity against targeted organisations and individuals in the UK and other areas of interest.
UK cyber experts warn of targeted phishing attacks from actors based in Russia and Iran27/01/2023 10:10:00
Advisory highlights techniques used by attackers in spear-phishing campaigns.
Cyber Essentials technical requirements updated for April 202323/01/2023 15:15:00
Part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.
Charities offered latest insight into key cyber threats to help keep out attackers20/01/2023 13:05:00
Latest report published by the NCSC outlines key threats facing the UK charity sector.
Ukraine cyber defenders in UK for high-level talks19/01/2023 12:15:00
Members of the national Computer Emergency Response Team for Ukraine (CERT-UA) held bilateral talks to discuss the conflict and resilience building.