The National Cyber Security Centre (“NCSC”) recently shared a whitepaper detailing a new approach for technology assurance. By definition, technology assurance is the process of determining how secure technology is for its intended use.
In today’s hyper-connected world, security is no longer simply about the functionality of security products like firewalls or secure web gateways. Devices like smart fridges, cars and meters must also be considered for their security functionality, even though security is not their primary function. Indeed, the reality is that any internet-enabled device, smart product or piece of software could make a company or individual vulnerable to security incidents if it is designed inadequately, implemented incorrectly or poorly maintained.
Why is the NCSC introducing new technology assurance principles?
In March of this year, the UK Government published its Integrated Review of Security, Defence, Development and Foreign Policy. The government’s ambitions to make the UK a safe place to live and work online, and establish the UK as a global technology leader, are significant themes in the review.
Underpinning these ambitions is a need for robust security. The products and software available in the UK must be secure – and people, in turn, must feel assured that they are safe to use. In line with this, the NCSC has proposed a new approach to ensure software and devices’ security functionality.
Many of today’s security incidents are caused by system vulnerabilities such as missed patches or security updates. The NCSC’s new principles aim to reduce the need for patching in the first place – by addressing the root causes of vulnerabilities in the development process before a product or piece of software is rolled out. This is sometimes referred to as ‘shifting security left’ within the software development lifecycle: addressing issues during the design and development phases rather than waiting until the software has been released.
The principles also emphasise the importance of products and software maintaining resiliency throughout their lifetime. The NCSC wants organisations and customers who use such products to feel continuously assured that the technologies they rely on have secure functionality.
What do the NCSC’s Technology Assurance principles mean for UK organisations?
Manufacturers and vendors are the primary audiences of the upcoming principles. However, we recommend that organisations review the whitepaper at a high level to understand how technology assurance is set to change.
Encouragingly, the NCSC is advocating an increased focus on usability when it comes to security. This means that it wants manufacturers of smart products to design them with security and the end-user experience in mind – rather than security being a complex, cumbersome undertaking.
To help manufacturers create such products and solutions, the new technology assurance principles will outline critical security requirements, along with evidence criteria to demonstrate these requirements have been met.
How are the new Technology Assurance principles different to the old ones?
Traditionally, technology assurance has taken a checklist-based approach, focused on ticking certain boxes to validate the security of a device or piece of software. However, the NCSC believes this approach is not fit for today’s landscape.
This is because connected devices vary widely in their functionality and in the context they are used. For example, the checklist for a connected fridge would be very different to that of a connected car. Moreover, technologies are constantly evolving – and so too are malicious actors’ tactics – meaning that the checklists designed yesterday may not fit today’s environment.
To keep pace with the dynamic changes of today’s world, the NCSC is, therefore, now advocating a principles-based approach. Unlike static checklists, principles are more flexible and adaptable – they can be tailored to different situations and are less prescriptive.
Unlike the ‘how’ style of checklists, principles instead focus on ‘what’ needs to be achieved; they focus on the overarching aim rather than on granular instructions that may quickly become outdated.
For example, in securing a laptop, traditional technology assurance would advocate using actions such as password protection, storing it in a locked room, and so on. However, with a principles-based approach, the aim would instead be to ensure the device is adequately protected against both physical and cyber threats that are likely to be seen within its context.
What are the principles?
The NCSC’s Technology Assurance Principles are divided into three sections. These are:
- Design & Functionality: This is concerned with ensuring that security functionality is not bolted onto a product or software at the end of the development stage. Instead, the NCSC advocates that security is woven into design and development from the outset. This section correlates with Article 25 of the United Kingdom General Data Protection Regulation (“UK GDPR”), which mandates data protection by design and default.
- Product Development: The NCSC wishes developers to provide validated assurance to their clients that the products or software they purchase are secure.
- Through Life: The new principles emphasise engineering processes that sustain security throughout a product’s lifetime. This involves continually re-validating assurance, based on up-to-date knowledge of the changing threat landscape.
Thus far, only the principles for Product Development have been published. The NCSC announced intentions to post the complete principles this Autumn, so we expect to see the other two sections published in due course.
Meanwhile, if you are a vendor concerned about the security of your products, we advise you to read our blog on security and privacy by design, which provides a secure software development framework.
Looking to the future
The NCSC has emphasised the importance of its assurance principles being dynamic. As noted in the whitepaper summary, the body will look to further clarify the assurance process for specific technologies and products where needed. It also plans to develop more detailed principles as more historical data around this topic emerges.
If you are unsure whether your software development methodology encompasses security and privacy by design, we can help. Our consultancy services will establish how well you integrate privacy by design into your software development life cycle.