The suggestions on this page are intended for UK government entities and organisations servicing them. We encourage developers to modify or enhance the ideas presented in this white paper and build outstanding multimedia security services for various enterprise sectors, including government.
Secure by default
As the threat from cyberspace increases, the need to adopt the strategy of 'secure by default' becomes more urgent. Often in order to make today’s products and services secure, their usability has to be severely reduced. If an enterprise is to operate securely in a connected world, every product, system or service that is procured or deployed should be secure by default. It should actually be hard to make them insecure.
Security conscious enterprises (including government departments) can help shape the marketplace in support of this strategy. We will initially focus on commercial/consumer computing platforms, including laptops, smartphones and tablet devices.
Managing the risks to modern platforms typically involves adding extra controls: requiring user interaction to access sensitive data, or monitoring/limiting use of some features. We reduce the likelihood or impact of a compromise, but in doing so we also reduce usability. Extra controls can also adversely impact application speed and/or device battery life.
Secure by default platforms describes the desired technical characteristics of secure platforms, and notes that many of those characteristics could be enabled at least to some extent on existing devices. Widespread adoption is not happening because the market demand is perceived to be low.
How can we create demand for 'Secure by Default' technology?
Simply ‘improving security’ is not sufficient to create commercial demand. We must enable capabilities which are compelling to users and to system managers.
a. Showcase examples
Where working examples exist, public demonstrations should be produced to show how real business problems can be solved with security technology. As the supporting software matures, trials can be conducted to ensure usability goals are satisfied.
b. Publish requirements
As showcases and trials build awareness, enterprises should be encouraged to publicly state their requirements and use cases for platform security technology.
c. Differentiate — use assurance to show the difference
In order to deploy security technology with confidence, independent assurance in the robustness of critical functions is essential. Vendors and customers must collaborate to ensure that components can be certified to an appropriate level without significantly increasing production costs or timescales.
Ideally, a secure platform should allow access to sensitive data/applications as required, but maintain separation between this and other capabilities required by the user. Equally the platform should deliver a user experience consistent with modern expectations of consumer devices. The cost to an enterprise of deploying and managing secure platforms should be minimised.
The following are some examples of where we can demonstrate the improvements described above.
Slick, integrated authentication
Users need to securely access a range of services; typically each requires its own authentication credential.
Large numbers of tokens or passwords are unwieldy for users; saving details on disk leaves credentials vulnerable to theft from malware.
We can use a secure key store such as a Trusted Platform Module (TPM) to enable the best of both worlds: authenticate once (when unlocking the device), and securely store credentials for a range of services.
There may be further opportunities to improve usability by building in physical tamper protection and resistance to brute force attacks in order to allow shorter user passwords. Technologies such as Near Field Communications (NFC) also potentially allow the use of separate physical tokens to exchange authentication data with a device with a single ‘tap’.
Flexible use of features and applications
Users desire access to an increasing range of features and services; some of these present risks to sensitive data on their platforms. For example, social networking applications are designed to allow unconstrained sharing of user data including contact and location information as well as pictures taken on a built-in camera.
Platforms can connect to a variety of peripherals including external screens/projectors, which can themselves request access to data stored on the platform.
Heavily ‘locked down’ devices frustrate users, who subsequently look to work around the restrictions. Risks posed by some applications are difficult to manage.
Strong isolation of sensitive data — perhaps through bare-metal virtualisation, or a Trusted Execution Environment (TEE) — enables a wider range of applications to be used safely on a single device.
Managing connections from many devices and locations
Administrators of secure networks typically need to be able to control, or at least monitor which devices are connecting to the network. Unknown or unmanaged devices will typically not be granted access to sensitive data.
In addition to reliable identification, the cost and effort required to set up and manage such a system must be kept low.
MAC address-based access control is known to be weak, and it is inflexible in managing connections from mobile devices. 802.1X-based solutions allow cryptographic authentication of devices; however, currently private keys are usually stored on disk by software.
TPM technology allows secure storage of keys for strong network authentication.
Automating audit and control
As well as identifying devices, administrators are also responsible for monitoring the status of devices connecting to the network. Reasons for doing this include:
- monitoring for potential security issues arising from misconfigured or unpatched devices
- identifying compromised platforms, arising either from malicious attack or a user attempting to bypass security controls (for example, identifying that a device has been ‘jailbroken’ in order to install arbitrary software)
- asset management
Clearly it is desirable to automate as much of the above as possible in order to reduce cost, as physical audits are expensive and unlikely to identify configuration issues.
Verified Boot and secure update processes give confidence that the platform can only boot from authorised code. Measured Boot allows authenticated attestation of the boot.
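The Measured Boot attestation described above, as an added example that is not from the white paper: it replays the TPM PCR extend rule over a constructed boot chain, has the device quote the result, and has the verifier check the quote against a golden value so that a modified bootloader or a replayed quote is detected. The component bytes, nonces and the HMAC attestation key are constructed stand-ins; a real TPM signs quotes with an asymmetric attestation key.

```python
import hashlib
import hmac

# Constructed sample: the components a Measured Boot chain hashes into a PCR,
# in boot order. The bytes stand in for real firmware and kernel images.
GOOD_BOOT_CHAIN = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader v3"),
    ("kernel", b"constructed kernel 5.x"),
]

# Constructed stand-in for the TPM's attestation key; HMAC is used so the
# example runs offline, a real TPM would sign the quote asymmetrically.
ATTESTATION_KEY = b"hypothetical-attestation-key"

def extend_pcr(chain):
    """Replay the PCR extend rule: pcr = H(pcr || H(component)), in boot order."""
    pcr = b"\x00" * 32  # PCRs start at zero at power-on
    for _name, data in chain:
        pcr = hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()
    return pcr

def quote(pcr, nonce):
    """Device side: attest the PCR value together with the verifier's fresh nonce."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()

def verify_quote(pcr, nonce, sig, expected_pcr):
    """Verifier side: the quote must be authentic, fresh, and match the golden PCR."""
    if not hmac.compare_digest(quote(pcr, nonce), sig):
        return "quote not authentic"  # forged, or replayed under an old nonce
    if not hmac.compare_digest(pcr, expected_pcr):
        return "unexpected boot measurements"  # e.g. jailbroken or tampered bootloader
    return "ok"

def audit_device(chain, nonce, expected_pcr):
    """Run one audit: measure the chain, quote it, and verify the quote."""
    pcr = extend_pcr(chain)
    return verify_quote(pcr, nonce, quote(pcr, nonce), expected_pcr)

# Golden value an administrator records from a known-good build of the platform.
GOLDEN_PCR = extend_pcr(GOOD_BOOT_CHAIN)
```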
There is value in using software agents to provide more detailed configuration information, however they should be underpinned by strong protection of the underlying environment.
Note also that combining these measures with the isolation mechanisms described above allows a reduction in the level of monitoring required. Applications which are securely isolated from the secure platform will not require monitoring.