Designing secure digital services

15 Mar 2016 11:51 AM

CESG's Lead Security Architect explains why we're launching a set of security principles for systems architecture design.

Richard Crowther, Lead Security Architect

Against a background of increasing threat, it is essential that the public sector and critical national infrastructure providers can continue to build systems that are robust to attack. Whilst re-use of components and patterns is desirable, often we’re building systems which are unique. Many of these systems really matter. They must be developed from the ground up with security as a central concern.

So, yesterday, CESG launched a set of security principles intended to inform systems architecture design where there is no precedent or architectural pattern to follow. We hope these principles will be useful to developers, technical architects and security architects in the public sector and elsewhere as they work to secure systems of national importance.

Evolution

As part of GCHQ, we sit alongside world-class experts in areas like vulnerability research, cryptography, product assurance and cyber-defence operations. From them we gain powerful insights into the state of the art, including how our systems are attacked by adversaries from around the globe.

In the past, CESG has responded to these threats by developing and publishing a portfolio of 'architectural patterns' - canned high-level system designs which help solve common security problems. These patterns have proven popular, but when it comes to designing systems that don’t fit the pattern - and must be built securely - we need a different approach.

For several years now, the security architecture team at CESG has been helping organisations design and implement systems and services with security integrated at a fundamental level. In this environment we have evolved a set of principles which underpin our thinking on security architecture.

Some of these principles may be familiar to users of our architectural patterns, but there are many being published here for the first time. All of them provide foundation-level guidance on how to secure essential digital services which we will build upon with future publications.

We have produced this guidance in consultation with specialists from government and industry. Particular thanks to technical architects from the Government Digital Service, the Department of Work and Pensions and Home Office.

You can read the paper ‘Security Design Principles for Digital Services’ on the CESG website now. Please let us know what you think by sending your feedback to enquiries@cesg.gsi.gov.uk.