Building and operating a secure online service

Online services comprise several essential components, each requiring adequate security measures to ensure a trustworthy service. This section explores a broad range of topics, from managing data to securing the various elements of your service.

Securing your service

While it’s impossible to ensure any system is entirely secure, striving to design, develop, and deliver a resilient online service is vital. This section helps organizations build confidence in the security of the components they’re responsible for, ensuring overall service assurance.

Secure Development and Design

Incorporating security from the outset of the design and development phases of an online service is crucial. Security considerations should be integrated into all aspects of service management and maintenance. The NCSC’s Secure Design Principles and Digital Service Security Guidance provide foundational knowledge to help set your service up for success. Additionally, the OWASP Top 10 Web Application Security Risks outlines common vulnerabilities to be aware of during development.

Following best practices in secure development is necessary. The NCSC’s Secure Development and Deployment Guidance can assist with this, while more tailored application guidance is available in Application Development Guidance. Ensuring the production of clean and maintainable code is vital in securely building online service applications.

The NCSC blog post Defending Software Build Pipelines Against Malicious Attacks highlights the need to protect development pipelines while adhering to best practices.

Understanding the security risks when implementing an API solution is essential. The OWASP API Security Top 10 offers an overview of prevalent threats, and a secure API implementation guide can be found in the GDS API Technical and Data Standards.

Platform and Server Security

The NCSC has released guidance on securing platforms and servers, which includes the following:

  • Refer to the NCSC’s Device Security Guidance for recommendations on selecting, configuring, and using devices securely. Although it focuses mainly on desktops (like Android and Windows), the guidance can also be adapted for server environments.
  • Management interfaces require stringent security measures, as they allow privileged actions on systems. See the NCSC’s blog posts on Protecting Management Interfaces and Protecting Privileged Access Management.
  • When utilizing cloud technology for hosting applications or data storage, understand the associated risks and confirm that your services meet security standards. Guidance from cloud vendors, such as the Microsoft Azure Well-Architected Framework, can be valuable.
  • Ensure confidence in the hardware, operating systems, and applications employed to deliver your online service. Using products and services that meet NCSC standards can enhance security.

Network and Service Security

Design your online service to avoid direct connections to untrusted networks such as the internet. Configure the design to limit lateral movement within your systems for any potential intruders.

Utilize network and application layer security technologies such as firewalls and security groups to create a protective boundary and segment your network effectively. The NCSC provides additional resources in their guidance on Architecture and Configuration and Preventing Lateral Movement.

Prepare for denial of service (DoS) attacks, which can disrupt service availability. The NCSC’s DoS Guidance provides strategies to mitigate and respond to such incidents.

When importing data from unknown sources, there are inherent risks. Many attacks stem from malicious inputs. The NCSC’s pattern for Safely Importing Data outlines protective measures when handling external data.

Data Security

Data and information managed by online services must be safeguarded against unauthorized access, modification, and deletion. This is especially true for personally identifiable and sensitive information. For more information, refer to the NCSC’s Protecting Bulk Personal Data Guidance.

Neglecting the protection of personally identifiable information can lead to legal liabilities, financial harm, and reputational damage. The NCSC’s GDPR Security Outcomes Guidance outlines crucial security measures under the UK General Data Protection Regulation.

Data stores associated with online services are frequent targets for attackers aiming to misuse the information accessed. This could include customer credentials that, if stolen, may lead to breaching other accounts through credential stuffing. For further insights, consult the NCSC’s Use of Credential Stuffing Tools Advisory.

Secure Disposal of Data

Once data is no longer required, it should be disposed of securely, ensuring complete removal from customer accounts and preventing residual data on devices or cloud storage. The NCSC’s Secure Sanitisation of Storage Media Guidance discusses the importance of secure data disposal.

Data in Transit

Data in transit refers to any information moving from one location to another, including over the internet or through private networks. Sensitive data must be safeguarded against interception, unauthorized access, and alteration during transit.

Employ encryption and similar cryptographic techniques to secure sensitive information. The NCSC has guidance on Using TLS to Protect Data and Using IPsec to Protect Data, both of which assist in safeguarding data in transit. Following this guidance may limit connectivity for devices that do not support the latest security protocols.

Secure Administration

Granting privileged access for managing an online service presents potential risks, making management accounts highly attractive targets for attackers. To mitigate these risks, multi-factor authentication (MFA) should be used for all primary management access. Implement privileged access management solutions that restrict access to trusted workstations. The following NCSC resources offer guidance for secure administration:

Supply Chain

The security of the supply chain is critical to the overall security of your online service. Any vulnerabilities introduced by third-party hardware, software, or services can lead to compromises. Understanding your suppliers’ risks and ensuring that their cybersecurity responsibilities are well defined in contracts can help you foster trust in these relationships. The NCSC’s Supplier Assurance Questions offer useful insights, while further guidance on Supply Chain Security outlines principles for effective oversight.

Support

All online services require human support. Thus, it’s imperative to ensure that staff and third-party service providers possess the necessary technical expertise to perform their roles effectively and securely. User education and awareness are critical aspects of maintaining security. Conducting pre-employment checks and security vetting can also bolster confidence in those managing your online service.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/building-operating-secure-online-service
