Secure by Design/Secure by Default

Secure by Design/Secure by Default

What it means for enterprise secure communications

Secure by Design and Secure by Default are both terms coined by the UK National Cyber Security Centre (NCSC), and used in different contexts.  Sometimes they are used interchangeably, however, they do have slightly different meanings, which are important for enterprise security in general, and for secure communications in particular.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design.  According to NCSC Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security.

In short, when you turn on your device and turn on your Armour Mobile app you are immediately configured to be secure. This protects against human error, where an end-user may not realise that they need to turn on encryption or security.  After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

    • security should be built into products from the beginning, it can’t be added in later;
    • security should be added to treat the root cause of a problem, not its symptoms;
    • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
    • security should never compromise usability – products need to be secure enough, then maximise usability;
    • security should not require extensive configuration to work, and should just work reliably where implemented;
    • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
    • security through obscurity should be avoided;
    • security should not require specific technical understanding or non-obvious behaviour from the user.

    Armour’s Secure by Design and Secure by Default principles are intended to help organisations safeguard and control data, privacy, and whatever secrets they need to protect, whether that’s government, military, financial, legal, medical, intellectual property, strategic or competitive.

    Armour Mobile complies with Secure by Design AND Secure by Default

    At Armour Comms we have been working with NCSC since our inception in 2014 to ensure that our products are designed with best practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices, and targeting NCSC’s latest Principles Based Assurance (PBA).

    Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels, as well as being suitable for handling Corporate Confidential information. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use.  Armour Mobile is in use in numerous areas of Government departments and the MoD, as well as to commercial customers who understand the value of securing their sensitive communications.

    For a more detailed look at the NCSC Secure by Default principles read our blog: The future of NCSC Technical Assurance:  and for more information about the NCSC Secure by Default principles please read:

    The UK Government’s Secure by Design principles are outlined at:  and these principles are recognised internationally, e.g. by the US Cybersecurity and Infrastructure Security Agency (CISA) at

    NCSC’s Principles Based Assurance is described at and is discussed in detail in

  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default
  • Secure by Design/Secure by Default