The NCSC has now unveiled its vision for the future of assuring high-technology products, including secure communications systems such as Armour Mobile. In its recently published white paper, the NCSC has announced its Principles Based Assurance (PBA).
In a fast-moving, more connected world, assurance needs to cope with the ever-evolving landscape of threats and technologies. The NCSC has developed a methodology that is more flexible and agile than the previous stance – which focused on specific product versions mitigating each defined threat by a defined means.
Principles Based Assurance enables a very practical approach that aims to set the basic tenets by stipulating the outcomes – the ‘what’ – and then leave the ‘how’ to be devised by the vendors and suppliers who have expertise in their particular niche. A pertinent example of this cited in the white paper is that ‘technology cannot silently default to operate insecurely’ – something we’ve seen time and again with consumer-grade communications apps. By leaving the ‘how’ to the vendor community, the NCSC fosters innovation, a key point highlighted in the UK’s Integrated Review of Security, Defence, Development and Foreign Policy 2021. The Review discusses the ambition of equipping our armed forces with cutting-edge cyber capability, which Armour Comms is already involved with through our work with the MOD.
The phrase ‘Secure by Default’ is central to this thinking, where security is designed into the product, without compromising the user experience. Secure by Default is about taking a holistic approach to solving security problems at their root rather than treating the symptoms – this approach is embedded in every aspect of Armour’s development and service delivery.
Assurance in context
The new Principles aim to provide an assurance framework that takes account of the threats and risks that a given technology is looking to mitigate. For example, Armour Mobile can be hosted within the Armour secure cloud, or can be delivered as an on-premises solution giving the end-user organisation total control over every aspect of the deployment and usage. The decision would be made based on the customer’s level of risk appetite.
The principles will cover three key areas:
- Product design and functionality principles – describing the features a product needs to implement
- Product development principles – describing how a product should be designed, implemented and tested
- Through-life principles – describing the security measures that need to happen beyond development
The Secure by Default principles as prescribed by NCSC are:
- security should be built into products from the beginning, it can’t be added in later
- security should be added to treat the root cause of a problem, not its symptoms
- security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product
- security should never compromise usability – products need to be secure enough, then maximise usability
- security should not require extensive configuration to work, and should just work reliably where implemented
- security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build
- security through obscurity should be avoided
- security should not require specific technical understanding or non-obvious behaviour from the user.
Secure by Default is in our DNA
We’ve been working with NCSC for many years; indeed, our products were CPA certified while that scheme was applicable. The Secure by Default principle is one that we’ve subscribed to since the early days of developing our Armour Mobile products (based on NCSC’s MIKEY-SAKKE key management) and our SigNet products (using alternative, leading-edge cryptography). With this in mind, we’ve achieved ISO27001 certification – a proven methodology for ensuring processes are security focused. As well as a security-first approach to ensure that our products meet the requirements of our customers, they are also designed with the end user in mind, since usability is important to ensuring user engagement. Feedback from our users is that people enjoy using the Armour secure collaboration products and find many more use cases for them than we originally imagined.
For more information about how Armour Comms can help your organisation to adopt a more secure approach to communications and collaborative working, contact us today.