Cesg
This guidance will be expanded and updated during development of the next release based on the feedback and requests we receive.
Let us know the topics you've found useful and where you would like more by contacting enquiries@cesg.gsi.gov.uk.
This paper covers some common security answers to technology questions related to OFFICIAL enterprise IT. The vast majority of user needs for enterprise IT solutions share much commonality. Where there is a similar business context, similar user needs and similar threat, there should be a common approach to technology. The HMG Classifications Policy defines OFFICIAL and the corresponding threat model. While the OFFICIAL tier is broad, it is largely applicable to the technology challenges faced across Government.
In this paper, we've identified some of the typical technology decisions that are made during the design and implementation of enterprise IT services. For some of these technology decisions we include a typical approach to follow; for others we provide important security considerations. This paper should be read in the context of a wider suite of CESG guidance, which places greater emphasis on better management of cyber security risks when making technology decisions, rather than simply focussing on process. When making these technology decisions, security will be considered alongside other important factors such as usability, cost, strategic fit, local policies and compliance.
Although this guidance is intended to support common technology decisions for the majority of services, the decision is always yours to make. If there is something unique or specific about your situation we recommend that you gain a deeper understanding of the security implications and seek expert advice if you need to.
A range of complementary guidance is now available at GOV.UK in support of this:
CESG is in the process of consolidating this next generation of IA advice and guidance on a new web platform. We will continue to produce concise, relevant and digestible advice on how to tackle common technology questions posed across Government. Please take a look at our [How to approach technology and information risk management] guide, which provides guidance on the effective management of risk regardless of the method used.
An example enterprise IT service
There are many different ways in which your enterprise IT system can be built and configured, and it is for you to decide how best to do so. However, to help describe security considerations for common enterprise IT decisions it helps for us to be able to refer to a typical enterprise IT service. The diagram above depicts an example logical architecture, showing some of the basic components of a typical enterprise IT service which supports remote access.
In a typical scenario we expect:
- smartphones, laptops and tablets to be issued to a single user for their sole use
- end user devices to connect to an enterprise network over various untrusted networks, such as the internet or mobile networks
- all traffic from end user devices to the corporate network to be encapsulated in a VPN
- the user to interact with many services, including those internal to the enterprise, within the government community, or public cloud services. The connections to all of these are made via the enterprise.
Common decisions related to users
Can I reduce the number of passwords my users have to enter?
Yes; more passwords do not mean better security.
Help users by designing a chain of trust into your systems to allow implicit authentication of the user to different services from a previous authentication mechanism. Single sign-on (SSO) technologies can also reduce the burden on users by authenticating them once and then brokering access to other services, without further user interaction.
You can reduce the number of authentication prompts a user receives by holistically considering how:
- the user authenticates to a device
- the device authenticates to the network
- the user authenticates to services
Example
If a user unlocks their encrypted laptop by authenticating with a short password and a USB token, and the laptop authenticates to the enterprise VPN (without any user interaction) using a certificate on the device, then the user is implicitly authenticated to the VPN service because their device certificate is only available after the laptop was unlocked.
Do I need to use two-factor authentication?
You should strongly authenticate users before granting them access to sensitive data or privileged functions; using two-factor authentication is a good way to achieve this.
When two-factor authentication is used well, it can enhance the user experience of your service, for example by allowing shorter and more memorable passwords. You can further enhance user experience and security by using this strong authentication as part of a chain of trust or single sign-on mechanism.
Two-factor authentication also makes it harder for attackers to mount successful attacks by compromising user credentials. Instead of being able to simply replay a captured password, an attacker needs to hijack an already-authenticated session or compromise both authentication factors.
Do my software developers need administrative privileges on their devices?
No, most activities associated with software development do not require local administrative (or root) privileges.
Identify why the developers desire administrative access and address those issues first. For example, consider relaxing specific security controls such as application whitelisting. Providing a good modern toolset for them and responding quickly to their requirements, so that they do not need to install additional software, can also help.
When it is necessary to grant administrative privileges, for example to enable certain debugging modes for testing, use virtualisation to provide a separated environment. You can minimise the exposure to malware by restricting native internet access, including email, from testing environments. The impact of a successful attack can be minimised by using a local device account that does not have access to corporate data and services.
Common decisions related to end user devices
Can I use end user device platform X? Can I use web browser Y?
Yes, you can use any, but you should understand the risks of doing so. We have guidance to help with each of these choices.
Platforms and browsers are not simply secure or insecure; the security of each is multi-faceted. We've developed sets of security principles and configuration guidance for each that can be used to compare the risks of selecting different options.
To help make your decision, please see the relevant guidance:
Can I use mobile device management solution X?
Yes, you can use any, but you should understand the risks of doing so. We set out the most important considerations below.
Mobile device management solutions are used to remotely configure and audit devices. They typically require client and server components although they do not necessarily have to be supplied by the same vendor.
When deciding which solution to deploy you should consider:
- the supported features and policies that you need