I. Before you start

1. Understand your service and the data you will need to operate it.
2. Only handle data which is essential to your service.
3. Establish your data retention and removal policies.
4. Understand the role your suppliers play in securing your service.
5. Ensure you have a clear, end-to-end understanding of your service and how it is accessed.
6. Make it easy for everyone involved in designing and operating the service to know what their role is, and what constitutes acceptable behaviour.
7. Ensure the governance arrangements for the system are clear.

II. Making services hard to compromise

1. Validate or transform all external input before processing it.
2. Render untrusted content in a disposable environment.
3. Only import trustworthy software and verify its legitimacy.
4. Design for easy maintenance.
5. Use tried and tested frameworks rather than reinventing the wheel.
6. Reduce your attack surface.
7. Users with access to data should be identified and authenticated.
8. Make it easy for administrators to manage access control.
9. Don’t design or implement your own cryptographic protections.
10. Protect your management/operations environments from spear-phishing and watering-hole attacks.
11. Make it easy for users to do the right thing.

III. Reducing the impact of a compromise

1. Build your service using a segmented approach.
2. Anonymise data when it’s exported to reporting tools.
3. Don’t deploy applications or design functionality that enables the running of arbitrary queries against your data set.
4. Do not implement functionality that would be damaging if used by unauthorised individuals.
5. Avoid creating caches or temporary stores of data within the service.
6. Encrypt partially completed forms under a key held by the user.
7. Regularly rebuild components that would have considerable access to data over a long period of time.
8. Avoid displaying unnecessary or bulk data to users.
9. Data model design should allow for tokenisation.
10. Throttle access to data in line with the role and the requirements of the user.
11. Make it easy to recover following a compromise.
12. Design the service to support separation of duties.
13. Beware of creating a ‘management bypass’.

IV. Making compromises easy to detect

1. Ensure that all relevant security events and logs are collected for analysis.
2. Design simple communication flows between your components.
3. Detect and prevent malware command and control.
4. Separate your event analysis systems from the core components of the service.
5. Make it difficult for attackers to attempt to detect your security rules through external testing.
6. Use transaction monitoring to provide additional security for high-risk transactions in digital services.
7. Make it difficult for attackers to probe security-monitoring rules by not stopping transactions immediately on suspicious activity.

Source: CESG, Security Design Principles for Digital Services