Professional Documents
Culture Documents
EUD Security
EUD Security
The selected standards aim to optimise for technology and security assurance, low cost and
complexity, minimal 3rd party software, good user experience, wider competition and choice,
and improved alignment to the consumer and commodity IT market.
This document defines standards for a mobile laptop with a “thick” operating system installed,
such as Linux, Windows or MacOS X. Forthcoming guidance will cover thin client devices,
smartphones and tablets but is not expected to vary significantly from the key principles of
this guidance.
The scope of this document is central government departments, their agencies and related
bodies. Wider public sector organisations can use this security framework as part of their
broader compliance with the Public Services Network (PSN) codes of connection.
Security
IT Reform strategic goals for a security framework are to:
• make optimum use of native security functions, avoiding third party products
wherever possible
• make better use of controls around the data and services where they can often be
more effective, rather than adding additional complexity to devices
• allow greater user responsibility to reduce security complexity, maintaining user
experience for the majority of responsible users
• logging and audit preferred over prevention and control, to maintain user
experience and flexibility for the majority of responsible users
• develop a single and sufficient specification for accessing OFFICIAL including
OFFICIALSENSITIVE, recognising much of the controls will be at the service side
• enable transparency and clarity to widen a correct understanding of the security
requirements, widening the market of potential suppliers, and driving down over
specification of security
• enable informed risk management and justification of security controls through
traceability between threats, their methods of attack and suggested mitigations
• enable greater interoperability of IT systems through a more common and
consistent approach to securing OFFICIAL information
1 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
CESG provides detailed guidance for the design and configuration of each of the elements of
this high level architecture, for example the Walled Gardens For Remote Access Architectural
Pattern.
CESG provides detailed guidance for the design and configuration of each of the elements of
this high level architecture, for example the Walled Gardens For Remote Access Architectural
Pattern.
2 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
3 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Assured datain Requirement: An IPsec client which is Protecting data as it travels across Native IPsec clients exist for
transit protection assured under the CESG CPA scheme unprotected bearers between the device and Linux, Mac OS X and Windows 7.
against the IPsec VPN for Remote an enterprise network is of critical importance.
Working Software Client security Independent formal assurance is required due
characteristic, configured in accordance to implementation errors and vulnerabilities Linux and Windows 7 have been
with the PSN EndState IPsec profile: often introduced despite vendor assertions to demonstrated to function as
IKEv2, X.509, AES128 etc. the contrary. required. Work is underway to
demonstrate the native Mac OS X
PSN Interim IPsec profile (acceptable
client functions.
until 2015): IKEv1, X.509, AES128 etc.
PSN profiles were developed in conjunction
http://www.cesg.gov.uk/servicecatalogue/ with the National Technical Authority for
CPA/Pages/Security Information Assurance’s leading cryptographic CPA assurance of a cross
Characteristics.aspx experts to provide an appropriate level of platform open source IPsec client
cryptographic security for the PSN and is underway (January 2013). CPA
connected systems and in line with industry assurance is currently required
good practice. for the native Mac OS X and
Windows clients.
4 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Assured dataat Requirement: Data stored on the device Implementing strong dataatrest protection Currently, CPA assurance is
rest protection is satisfactorily encrypted when the requires more than simply selecting a strong required for the native Linux, Mac
device is in its “rest” state. For alwayson set of encryption algorithms. Independent OS X and Windows 7 disk
devices, this is when the device is assurance against the Security Characteristic encryption technologies.
locked. Formal assurance of this function results in enterprise confidence that the
The use of TPM is not mandatory,
against the appropriate CPA Security department’s obligations to protect information
but can enable an elegant
Characteristic is necessary. are being adequately met.
solution to protecting disk
encryption keys. The case for
requiring TPM will improve
http://www.cesg.gov.uk/servicecatalogue/ The requirement set out in the Security
significantly when it has become
CPA/Pages/Security Characteristic in relation to the use of a
widespread in consumer
Characteristics.aspx ‘simple’ or ‘smart’ token for the protection of
commodity markets.
the Key Encryption Key, is not currently
achievable in all native disk encryption Where use of a smart token,
components. Such techniques allow shorter simple token or TPM is not
passwords for users reducing likelihood of possible with a particular dataat
forgotten passwords. rest encryption component or
product, a perproduct or
component decision as to
A Trusted Platform Module (TPM) can be whether the product could be
used in place of a token, making the user used with a longer passphrase as
experience smoother whilst providing a similar a cryptographically sound interim
degree of cryptographic strength to the Smart option. This decision would need
Token method. to be informed by cryptographic
experts based on an
understanding of the product in
question.
5 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Authentication: Implementation:
user to device
Implementation method will depend on
the platform and design of the dataat
rest encryption protection. The
authentication of the user to the device
may be inherent in the user’s ability to
unlock the device from its at rest state, or
alternatively it may be the device’s native
login screen.
6 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Authentication: Implementation: For some services, simply the fact that the The use of web authentication
user to service user is accessing the service from an does not preclude singlesignon
Authentication of user to services should
enterprise device which they have user experience. This can be
be implementable with standard browser
authenticated to will be enough to grant the achieved through client side
based functionality. This could be as
user access to the service, but for others it will “keychain” mechanisms as is
simple as HTTP forms, HTTP Basic
be necessary for the user to authenticate to increasingly common in operating
authentication, or make use of open
the service. Often it will be necessary for the systems and browsers, or through
standards and services for passing
service to audit which users accessed which the establishment of interservice
identity assertions between services on
data within the service, meaning that a strong trust relationships making use of
behalf of a user, SAML for example.
identity assertion must be made to the service identity and trust brokers as
Services which contain or operate on on behalf of the user. envisioned by the PSN
sensitive data may require a stronger programme.
authentication of the user, for example,
using a smart card or 2nd factor of
authentication, as long as these conform The use of client side user
to interoperability standards above. certificates can make this process
even smoother and transparent to
the user once an employee PKI
has been established.
Authentication: Implementation: The requirement for device to service It is not expected that any service
device to service authentication (and service to device) is met should require additional device
X.509v3 device and gateway certificates
through assured IPsec client and gateway authentication beyond the mutual
which are validated as part of the IPsec
configured in the assured configuration. authentication established by the
IKEv2 mutual authentication handshake.
IPsec IKE exchange.
7 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Secure boot Requirement: An unauthorised entity The enterprise and user will know that when Different platforms protect their
should not be able to modify the boot their device is turned on that it boots into a boot chain in a variety of ways.
process of a device, and any attempt to secure state and provides a degree of The most appropriate mechanism
do so should be detected. confidence that it has not been compromised for the platform will be identified
if it has been outside of the user’s care. in platformspecific guidance.
Platform Requirement: The device can continue The ability to sandbox an application and The common operating system
integrity and to operate securely despite potential constrain the capabilities of the platform access and permission controls,
application compromise of an application or exposed to it means that confidence can be such as user or file based
sandboxing component within the platform, and there built in the platforms ability to protect process permissions, can meet
is an ability to restrict the capabilities of applications processing enterprise data from this requirement if well
applications on the device. less trusted applications. implemented.
The extent to which the intrinsic integrity and This requirement does not require
application sandboxing capabilities of a that the Windows, Linux or Mac
platform can be relied upon will depend upon OS X operating systems require
the extent of any platform assurance additional 3rd party application
activities. sandboxing tools.
8 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Application Requirement: The device can continue Constraining the applications able to run on The common operating system
whitelisting to operate securely despite potential the device to an authorised set significantly access and permission controls,
compromise of an application or reduces the ability for malicious code to such as user or file based
component within the platform, and there execute. Only allowing a whitelist of controls, can meet this
is an ability to restrict the capabilities of applications to run, as opposed to using requirement if well implemented.
applications on the device. techniques which blacklist known malicious
applications avoids the race to update the
blacklist in response to a newly detected
malicious application.
9 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Malicious code Requirement: The device can detect, Preventing code known to be malicious from Risks relating to malicious code
detection and isolate and defeat malicious code which reaching or executing on a device is a will be mitigated in different ways
prevention has somehow become present on the mitigation which has been employed on on different platforms and the
device. enterprise devices for some time. Such requirement for third party tools
techniques are typically only a subset of will be affected by the strength
modern security suites, and techniques such and configuration of other
Example methods for implementing this as URL reputation (where any file received controls.
requirement are likely to include a from a knowncompromised server is
combination of the following: presumed to be malicious) provide good
supplementary protection. This requirement could be met
• Antimalware tools
using network level gateway
• Behavioural monitoring of
controls, implementing malware
applications and platform
The requirement to implement this control detection and content reputation
• File and URL reputation within the device should be considered on a filtering, requiring no additional
perplatform basis, taking into consideration controls at the device.
the use of application whitelisting and the
strength of the native platform integrity and
application sandboxing capabilities. It is good practice to provide
defense in depth and implement
light but effective controls for
It is also worth noting that the architecture those operating systems where
assumed within this standard, whereby all evidence indicates a higher risk
untrusted traffic passes through enterprise from malware. Native tools are
controls, provides the ability for this control to not excluded from such
be employed at an enterprise gateway rather implementation, there is no
than on the device. specific requirement for 3rd party
tools.
10 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Security policy Requirement: Security policies set by Just because a security policy mechanism This requirement does not imply
enforcement the enterprise are robustly implemented exists within a platform it does not necessarily that a 3rd party security suite is
across the platform. The enterprise can need to be switched on, as doing so can necessarily required over and
technically enforce a minimal set of impair the user experience. Therefore, only above a platform’s native multiple
securitycritical policies on the device the necessary security controls within the device administration tools.
and these securitycritical policies cannot platform will be enabled.
be overridden by the user.
11 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
External Requirement: The device is able to One of the most likely attack vectors against This requirement does not imply
interface constrain the set of ports (physical and the device is malicious content delivered to that a 3rd party security suite is
protection logical) and services exposed to the device through a path which does not required.
untrusted networks and devices and any transit the defences within the enterprise.
exposed software is robust to malicious Such an attack could be borne by physical
attack. devices such as removable media connected
directly to the platform, or remotely attack
through a wired or wireless interface.
Implementation:
12 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Device update Requirement: Security updates can be Applying security patches to devices for This requirement does not imply
policy issued by the enterprise and the known vulnerabilities is necessary to keep that a 3rd party security suite is
enterprise can remotely validate the those devices from being vulnerable to attack. required.
patch level of the device estate.
13 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Event collection Requirement: The device reports There is a general preference for collecting It is important to apply
for enterprise securitycritical events to an enterprise audit events from the enterprise services proportionality to event logging.
analysis audit and monitoring service. The user is wherever possible and only collecting In addition to user session
prevented from tampering with the securitycritical events from devices which logging, only exceptional security
reporting of events from the device. cannot be collected elsewhere. related events or alerts are
required to be logged. That is,
events which indicate a breach of
Implementation: Events should be fed into an enterprise audit security policy or triggering of a
and monitoring service designed in security control or mitigation.
Only securitycritical events which can
accordance with CESG Good Practice Guide
only be collected from the device are
13 (GPG 13).
required to be logged and reported to an
The emphasis on event logging
enterprisebased audit service. Such
should be at the remote service,
events will include:
This standard makes no provision for auditing not at the device. Logging of the
• User log in and log out for legal compliance or evidential requirement. same events should not be
• Local security alerts from third Where such a requirement exists it will need duplicated between a device and
party tools or platform to be considered by the implementer. elsewhere.
components such as alerts from
antimalware, hostbased firewall,
platform integrity checks which
fail.
14 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Incident Requirement: The enterprise has a plan This requirement can be met
response in place to respond to and understand entirely using procedures and
the impact of security incidents, such as actions that do not require
the loss of a device. This should be additional software or tools to be
supported by appropriate functionality implemented in the device. For
within the devices and the enterprise, example, revocation of access
such as sending a wipe command to the and authentication privileges can
device and revoking credentials. and should be undertaken at the
backend.
Implementation:
This requirement does not
A response plan should be in place to
necessarily imply that a user’s
deal with loss or compromise of the
login is disabled locally at the
device in line with the advice set out in
device, nor does it imply that a
GPG 13. Such a response plan should
device must be remotely wiped. It
include revocation of the device
is sufficient to revoke access
certificates and user credentials.
privileges to all enterprise
services and information.
15 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Security Scenarios
Scenario Outcome
Loss of laptop in public place. The user reports their laptop as missing as soon as they notice by calling their IT helpdesk. The helpdesk follows the
Incident Response Plan. Lock or kill message sent to device. The device certificate is revoked.
User account is locked and audited to ascertain if departmental services have been compromised.
Since dataatrest protection was assured against the CPA Security Characteristic then cryptographic attacks to recover
the disk encryption key, even using largescale computing resources is impractical.
The principle of limiting data stored locally on the device will help to reduce potential impact of laptop loss.
A malicious document is received Incoming email is scanned through enterpriseclass mail scanning service where most known malware can be detected
as an attachment to a socially and removed.
engineered email.
In the event that the email reaches the user, they have been trained to be suspicious of receiving unexpected email
from unknown sources so do not open the attachment.
The IT helpdesk follows their Incident Response Plan to perform any postincident analysis.
16 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Scenario Outcome
A malicious document, intended to The reputation of the server which the document is stored on is flagged as untrustworthy within the browser.
compromise the desktop
If the file is not flagged as suspicious due to its source, then as it is downloaded it will pass through enterprise
application which renders it, is
gateways.
downloaded from the Internet. The
exploit payload attempts to Running the latest version of the clientside application software is the strongest defence against exploitation from
exfiltrate files from the device to a known vulnerabilities.
remote location.
Other platform integrity measures or application sandboxing will also limit the impact of a compromised application.
A user receives a link to a malicious Enterprise gateways will prevent access to sites known to be part of such ‘phishing’ attacks. This measure may be
site, masquerading as a legitimate augmented by in browser reputation based filtering.
site. Banking, shopping, social
media and email are amongst target
sites for such ‘phishing’ attacks.
User is personally threatened to Device access is compromised by attacker and access to OFFICIAL information is obtained.
extract device login credentials.
The user reports the incident to their helpdesk which follows the incident response plan.
Access to sensitive data requires the user to utilise a 2nd factor of authentication not available to the mugger, so the
impact is limited and enterpriseside auditing allows the department to ascertain the extent of the information
compromised.
17 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Scenario Outcome
Some public Internet web The corporate gateways proxy the SSL connection allowing the traffic to be inspected to ensure the device is not
applications require access over compromised through the encrypted tunnel and that OFFICIAL information is not being leaked from the device over the
SSL or TLS. This has the potential encrypted tunnel.
to undermine enterprise protection
of the devices.
Employee wishes to use the EUD to The proxying of the SSL/TLS tunnel is bypassed for a whitelist of banking sites, subject to departmental risk
undertake personal online banking.. management where it is thought that the service present minimal risk to the departmental devices.
The department wishes to allow the
employee to verify that they have
an endtoend encrypted session
with their bank.
Aggregation of OFFICIALSENSITIVE material on the EUD is mitigated by a combination of (1) periodic removal of
application caches on the device, and (2) use of remote viewing which minimises transfer of content to the EUD, (3)
local storage limits for EUD devices, (4) server side rate and quantity limiting access.
18 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Traceability for Threat, Attack Method and Mitigation for OFFICIAL Information
The following schematic provides traceability between threat actor objective, means of attack, and mitigations, as appropriate for mobile devices
accessing OFFICIAL information. This transparency is useful for:
19 / 20
End User Device Strategy: Security Framework & Controls
v1.2 February 2013
Windows 7 Windows 7 native client Windows 7 native and 3rd party Configuration guidance available
products assured from CESG (Government
CPA assurance requires sponsorship
Assurnce Pack)
Apple Mac OS X Native VPN client not capable of IKEv2 Filevault native tool Subject to prioritisation by CESG
needs update from Apple.
CPA assurance requires
IKEv1 permitted as an interim mechanism, but sponsorship
still requires CPA.
Linux Open Source IPsec client CPA underway. dmcrypt/LUKS native tool Subject to prioritisation by CESG
Platform assurance will result in further operating system specific configuration guidance from CESG, likely enabling further flexibility in the use
of such devices. Until that has been delivered, devices with operating systems that have not yet received platform assurance, should only used
to access uncaveated OFFICIAL information.
20 / 20