Embracing Secure by Design: building resilient government services

Secure by Design, a new government framework announced earlier this year, requires organisations to embed core security initiatives into their system design from the beginning.
What is Secure by Design?
The framework contains 10 principles that delivery teams responsible for building digital services must adhere to. It forms an essential part of designing robust, quality systems.
The principles aim to shift the responsibility for security left, changing it from an afterthought to a fundamental part of the project design. Traditionally, system design has taken a “fix-it-later” approach to security, whereas a proactive approach is now expected. Cybersecurity is no longer an “add-on” or checklist item.
At its core, Secure by Design helps organisations to anticipate and prevent security vulnerabilities before a product or service ever reaches the user.
Who does it affect?
Cybersecurity is no longer the sole responsibility of engineers and developers. Senior leadership roles, product and delivery managers, user-centred designers, developers and security architects are expected to work collaboratively to identify security risks throughout the design, development and launch of any new or existing digital service. Security becomes a shared responsibility.
Key security takeaways
A number of the key principles of Secure by Design are already well recognised by dxw’s ISO27001 accreditation. We’re committed to incorporating Secure by Design principles into all our projects. We believe that by building security into the foundation of our digital services, we can create a more secure and resilient digital future for everyone.
The most important requirements of any secure system include:
- Principle of least privilege: A user, program, or system should only have the bare minimum permissions necessary to perform its function. This limits the damage that can be done if it is compromised.
- Defence in depth: Implementing multiple layers of security controls, so that if one layer fails, others are still in place to protect the system.
- Minimising the attack surface: Reducing the number of potential entry points for an attacker by disabling unnecessary features, ports, and services.
- Proactive threat modelling: Actively anticipating potential threats and attacks and designing defences against them from the outset.
- Secure defaults: Ensuring that the default configuration of a system is the most secure option, requiring a user to deliberately choose a less secure setting.
Ultimately, Secure by Design represents a crucial evolution in the development of public services, moving cybersecurity from a final checkpoint to the very foundation of creation. By embedding principles like least privilege and defence in depth from the outset, and by fostering a culture where security is a shared responsibility across all roles, we can build the next generation of government digital services.
These services will not only be more efficient and innovative but also inherently resilient, securing critical data and building a lasting foundation of trust with the public they are designed to serve.