Digital services provide us with quick, convenient access to a whole range of valuable things. Goods and services of course, but also benefit payments, utilities, and even important documents like passports. In order to do this, they often need to store and use sensitive information.
Unfortunately, this convenience comes at a price. The value of these services, and the data they hold, make them prime targets for cyber attack. And if successfully compromised, the fallout can be damaging, expensive and embarrassing for the organisations involved.
The picture need not be a bleak one. Frequently, the very worst outcomes can be avoided if services are designed and operated with security as a core consideration. With this in mind we have developed a set of principles to guide you in the creation of services which are resilient to attack, but also easier to manage and update.
The goal is to enhance security without impeding the proper use of your service. It should be noted, however, that the concepts detailed below are design principles. They should be considered at the earliest developmental stages of a service and carried through to its implementation.
Principles in context
This guidance is focused on mitigating serious attacks that could affect a service. It does not address all potential security concerns.
We’ve developed these design principles using a straightforward model of the threats involved. We wish to prevent attacks that exploit basic vulnerabilities and make attacks very difficult for actors with more sophisticated capabilities.
For best results, these principles should be used by technical architects and system designers from the inception of a system and throughout its development.
How this guidance is structured
We have divided the principles into five categories, loosely aligned with stages at which an attack can be mitigated:
- Understanding your service - ensuring a firm foundation
Understand what you’re defending, and how to make your service as unattractive as possible to attackers
- Making services hard to compromise – building-in protection against common attacks
An attacker can only target the parts of the service they can reach. Make your attack surface as difficult to penetrate as possible
- Reducing the impact of a compromise - minimising the impact of any successful attack
If an attacker succeeds in gaining a foothold, they will then move to exploit the service. Make this as difficult as possible
- Making compromises easy to detect - detecting attacks so you can manage them
Design your service so you can spot suspicious activity as it happens and take necessary action
- Designing to avoid disruption - maintaining high levels of availability
Design a system that is resilient to denial of service attack and surges of popularity
Secure service management and operations
As well as design, it is vital that the service is implemented, managed and operated well to remain secure. We have separate guidance on this topic here .