Online services consist of various critical components that need effective security measures to ensure the overall integrity of the service. This section discusses a comprehensive array of topics, from data management to securing individual service elements.
Although no system can claim to be completely secure, the goal should be to create an online service that is as strong and reliable as necessary. This section aims to provide organizations with confidence in the security of their online service components, ultimately ensuring a secure overall service.
Secure Development and Design
Security should be a fundamental consideration right from the design phase of any online service. It must be built into every aspect of the service, including how it is delivered, managed, and maintained. The NCSC’s Secure Design Principles and Digital Service Security Guidance provide a foundational starting point, outlining key elements necessary for developing a new system. The OWASP Top 10 Web Application Security Risks highlights prevalent online threats that should be addressed throughout the system development process.
Adhering to secure coding practices is essential, and guidance from the NCSC’s Secure Development and Deployment Guidance can assist in this regard. For more specific advice, including on mobile applications, refer to our Application Development Guidance and resources on how to create clean and maintainable code, which lay the groundwork for building secure applications.
The NCSC blog post Defending Software Build Pipelines Against Malicious Attacks explains why development pipelines must be safeguarded against malicious attacks and emphasizes the need for best practices.
When utilizing API solutions, it’s crucial to grasp the associated security risks. The OWASP API Security Top 10 details common vulnerabilities, while implementing secure API solutions is well-covered in the GDS API Technical and Data Standards.
Platform and Server Security
The NCSC has issued various guidelines to assist in securing platforms and servers, highlighted below:
- Review the NCSC Device Security Guidance to learn how to securely select, configure, and deploy devices. While the focus is on end-user platforms, such as Android and Windows, the guidance can serve as a foundation for related server implementations.
- Management interfaces, which enable privileged actions, should be secured comprehensively. The NCSC provides valuable posts on securing management interfaces, such as Protect Your Management Interfaces and Protecting Your Privileged Access Management. Supplementary resources include a white paper on Security Architecture Anti-Patterns.
- For services leveraging cloud technology, understand associated risks and ensure compliance with security guidance offered by cloud vendors, such as the Microsoft Azure Well-Architected Framework and AWS Well-Architected. Utilize the NCSC Cloud Security Guidance for optimal service deployment.
- Always seek assurance regarding the hardware, operating systems, services, and applications utilized in delivering your online service. Using products and services assessed against NCSC standards can enhance your security posture.
Network and Service Security
Design your online service to avoid direct connections with untrusted networks, such as the internet, and to make it harder for attackers who gain a foothold to move within your systems (‘lateral movement’).
Incorporate network-level and application-layer security technologies, including security groups and firewalls, to establish boundary protections and segment your network services. For further insights, consult the NCSC’s resources on Architecture and Configuration and Preventing Lateral Movement.
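One way to check boundary protections and segmentation in practice is to audit exported firewall or security-group rules against a simple policy. The sketch below is an added example, not NCSC code; the rule format, tier names, trusted range and port lists are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules in a simplified, vendor-neutral shape (assumption:
# real security-group or firewall exports would be mapped into this form).
RULES = [
    {"name": "web-https", "tier": "edge", "source": "0.0.0.0/0", "port": 443},
    {"name": "app-from-edge", "tier": "app", "source": "10.0.1.0/24", "port": 8443},
    {"name": "db-from-app", "tier": "data", "source": "10.0.2.0/24", "port": 5432},
    {"name": "db-debug", "tier": "data", "source": "0.0.0.0/0", "port": 5432},
    {"name": "ssh-anywhere", "tier": "edge", "source": "::/0", "port": 22},
    {"name": "ssh-bastion", "tier": "app", "source": "10.0.9.5/32", "port": 22},
]

# Policy assumptions: only the edge tier may face untrusted networks, only on
# PUBLIC_PORTS, and management ports are never reachable from outside TRUSTED.
TRUSTED = [ipaddress.ip_network("10.0.0.0/16")]
PUBLIC_TIERS = {"edge"}
PUBLIC_PORTS = {443}
MANAGEMENT_PORTS = {22, 3389}


def is_untrusted(source: str) -> bool:
    """True unless the source range sits wholly inside a trusted network."""
    net = ipaddress.ip_network(source, strict=False)
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit(rules):
    """Return (rule name, reason) for each rule that breaks the boundary policy."""
    findings = []
    for rule in rules:
        if not is_untrusted(rule["source"]):
            continue  # internal traffic is governed by segmentation rules instead
        if rule["port"] in MANAGEMENT_PORTS:
            findings.append((rule["name"], "management port reachable from untrusted network"))
        elif rule["tier"] not in PUBLIC_TIERS:
            findings.append((rule["name"], "internal tier reachable from untrusted network"))
        elif rule["port"] not in PUBLIC_PORTS:
            findings.append((rule["name"], "unexpected public port"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```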
Be prepared to protect against denial of service (DoS) attacks. These attacks overwhelm the host server with requests, hindering access for genuine users. The NCSC’s Denial of Service (DoS) Guidance offers strategies for preparation and response.
Always be cautious when introducing data from unknown sources onto your platform, as many online service vulnerabilities arise from malicious input. The NCSC’s Pattern for Safely Importing Data provides guidance on mitigating such risks.
Data Security
All data handled by an online service must be guarded against unauthorized access, alteration, and deletion, especially personally identifiable and sensitive data. The NCSC’s Protecting Bulk Personal Data Guidance outlines when encryption should be employed to safeguard sensitive data and discusses scenarios where encryption may be impractical.
Neglecting to secure personally identifiable information can result in legal repercussions, financial damages, and harm to your organization’s reputation. The NCSC’s GDPR Security Outcomes Guidance specifies necessary security measures under the UK General Data Protection Regulation.
Data stores within online services are prime targets for attackers seeking to exploit sensitive user information. Such compromises can result in the theft of personal data, including credentials that attackers then try against other accounts (a practice referred to as credential stuffing). More information can be found in the NCSC’s Use of Credential Stuffing Tools Advisory.
Secure Disposal of Data
Data and information that are no longer needed should be disposed of properly to eliminate risks of unauthorized access. This includes thoroughly deleting users’ data associated with their accounts and ensuring it no longer exists on storage devices. The NCSC’s Secure Sanitisation of Storage Media Guidance elaborates on this issue. Inadequate disposal of information could lead to unauthorized disclosures and potential legal repercussions for the organization.
Data in Transit
‘Data in transit’ refers to data transferring from one location to another, whether over the internet, private networks, or removable media. Sensitive data must be protected during its transmission to prevent interception, unauthorized access, or alterations.
Encryption and cryptographic techniques are critical for securing sensitive information during transit. The NCSC recommends resources on Using TLS to Protect Data and Using IPsec to Protect Data to assist in fortifying this aspect of your security framework. Always analyze the risks involved with data being transported to and from your service and consider restricting devices that do not support the latest security protocols.
Secure Administration
Administering an online service typically grants privileged access to your systems, making it imperative to protect these accounts. Attackers often exploit administrative access, leading to service disruptions, unauthorized information access, and reputational harm. Employ multi-factor authentication (MFA) for all administrative access and consider using privileged access management solutions that restrict access to trusted devices. The following NCSC guidance can aid in maintaining secure administration:
- Multi-Factor Authentication for Online Services
- Gain Trust in Your Management Devices
- Use Privileged Access Management
- Security Architecture Anti-Patterns
- Operating a Secure Digital Service
Supply Chain
The security of your supply chain is crucial for the overall security of your online services. Any vulnerabilities introduced by third-party hardware, software, or services could compromise your service and stored information. Understand the risks associated with suppliers and ensure their cybersecurity obligations are clearly defined in contracts and agreements. Our Supplier Assurance Questions can help build confidence in your suppliers’ cybersecurity measures, and the Supply Chain Security guidance outlines principles for effective oversight of your supply chain.
Support
Human support is essential for all online services. It is vital to ensure that all staff and third-party service providers possess the technical expertise to perform their duties without endangering the service. Providing user education and awareness is crucial in this regard. Furthermore, confidence in those managing and maintaining the service can be bolstered through thorough pre-employment checks and security vetting.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/building-operating-secure-online-service