Designing secure digital services
CESG's Lead Security Architect explains why we're launching a set of security principles for systems architecture design.
Richard Crowther, Lead Security Architect
Against a background of increasing threat, it is essential that the public sector and critical national infrastructure providers can continue to build systems that are robust to attack. Whilst re-use of components and patterns is desirable, often we’re building systems which are unique. Many of these systems really matter. They must be developed from the ground up with security as a central concern.
So, yesterday, CESG launched a set of security principles intended to inform systems architecture design where there is no precedent or architectural pattern to follow. We hope these principles will be useful to developers, technical architects and security architects in the public sector and elsewhere as they work to secure systems of national importance.
As part of GCHQ, we sit alongside world-class experts in areas like vulnerability research, cryptography, product assurance and cyber-defence operations. From them we gain powerful insights into the state-of-the-art, including how our systems are attacked by adversaries from around the globe.
In the past, CESG has responded to these threats by developing and publishing a portfolio of 'architectural patterns' - canned high-level system designs which help solve common security problems. These patterns have proven popular, but when it comes to designing systems that don't fit any pattern - and must still be built securely - we need a different approach.
For several years now, the security architecture team at CESG has been helping organisations design and implement systems and services with security integrated at a fundamental level. In this environment we have evolved a set of principles which underpin our thinking on security architecture.
Some of these principles may be familiar to users of our architectural patterns, but many are being published here for the first time. All of them provide foundation-level guidance on how to secure essential digital services, which we will build upon with future publications.
We have produced this guidance in consultation with specialists from government and industry. Particular thanks go to technical architects from the Government Digital Service, the Department for Work and Pensions and the Home Office.