Security Design Principles Released by CESG

Digital services are “prime targets for cyber attacks and if successfully compromised the fallout can be damaging, expensive and embarrassing for the organisations involved. However, in many cases the direst of outcomes can be avoided if services are designed and operated with security as a core consideration.”

Two weeks ago the Communications Electronics Security Group (CESG) unveiled a set of security design principles that assist with creating services which are not only resilient to attack, but also easier to manage and update. These design principles were specifically written to help the digital services sector enhance their security. In the past, there have been many attacks on government services as they make use of sensitive data and deal with high-value assets. The release of these guidelines marks the beginning of a cyber security transformation within this industry.

Despite being written for the digital services sector, these design principles are applicable to a much wider audience. Some of these guidelines are already being followed by private businesses, however many businesses are not even aware of how vulnerable they are to cyber security attacks.

It is likely that in the future private businesses will be required to follow cyber security guidelines such as the CESG security design principles.

A few of the key guidelines outlined in the report include:

  • Only handle data which is essential to your service
  • Render untrusted content in a disposable environment
  • Users with access to data should be identified and authenticated
  • Protect your management/operations environments from spear-phishing and watering-hole attacks.
  • Data model design should allow for tokenisation
  • Use transaction monitoring to provide additional security for high-risk transactions in digital services.

For the full article, see https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0.