1. What is this guidance?
This security guidance describes how devices such as smartphones, laptops and tablets can be configured to meet the Government’s End User Device Security Framework. The purpose of this guide is to:
- Provide advice to system administrators deploying devices, helping to balance user needs and expectations with security recommendations and good practice.
- Highlight for risk owners any areas where the platform does not meet the Security Framework, and identify key items for consideration when deploying devices in their systems.
2. Guidance aims
Modern end user devices provide users with great flexibility and functionality - coupled with security technologies to help protect information. The aim of this guidance is to harness these security technologies in a way that does not significantly reduce this functionality. Different devices will expose organisations to different risks and in different ways - by exacerbating existing risks to corporate assets, or introducing new ones. Careful consideration of these risks is important to maintaining information security.
This guidance can also be used as a starting point for other security configurations for different devices such as desktops and servers. System administrators should consider how applicable the recommendations are in such scenarios and customise the guidance accordingly. Following this guidance may therefore help you fulfil your obligations as a data controller.
3. Philosophy of the approach
This guidance builds upon the strategic goals described in the End User Device Strategy: Security Framework & Controls document, which are to:
- make optimum use of native security functions, avoiding third-party products wherever possible
- make better use of controls around the data and services where they can often be more effective, rather than adding additional complexity to devices
- allow greater user responsibility to reduce security complexity, maintaining user experience for the majority of responsible users
- prefer logging and audit over prevention and control, to maintain user experience and flexibility for the majority of responsible users
- develop a single and sufficient specification for accessing OFFICIAL, including OFFICIAL SENSITIVE, recognising many of the controls will be at the service side
- enable transparency and clarity to widen a correct understanding of the security recommendations, widening the market of potential suppliers, and driving down over-specification of security
- enable informed risk management and justification of security controls through traceability between threats, their methods of attack and suggested mitigations
- enable greater interoperability of IT systems through a more common and consistent approach to securing OFFICIAL information
Each platform in this guidance has been considered as part of an enterprise deployment to see how effectively it is able to protect OFFICIAL information as part of an enterprise managed network. The guidance is holistic - it is not simply about applying settings to a device, but is also about making informed network architecture decisions; providing appropriate guidance and training for users; and performing operational maintenance, monitoring and defence of the network.
4. Who is this guidance for?
This material is for UK Public Sector organisations, their agencies and suppliers who are considering deploying different types of devices for mobile or remote working at OFFICIAL.
The guidance is written for system administrators and information risk owners to help them:
- manage the risks associated with different types of end user device
- make informed decisions about the configuration, management, and use of these platforms
5. How will the guidance be updated?
End user devices evolve rapidly. When newer versions of the platforms are released, organisations should determine whether the technical controls from this guidance are still supported. CESG will continue to assess new versions of the platforms as required and, if necessary, update this guidance to ensure it remains relevant. However, CESG does not intend to publish updated guidance for every subsequently released version.
Minor errors may be corrected as they are found and reported. If you become aware of any errors or inconsistencies then please let us know at the e-mail address email@example.com.
6. How will the devices be used?
The primary scenario this guidance addresses is the mobile knowledge worker (as defined in the EUD documentation). In this scenario, a knowledge worker uses a corporately managed device to access their OFFICIAL email, calendar, collaboration tools, and other enterprise services, whether in or out of the office.
It is expected that these devices will be personally-issued, meaning only a single user account will be present on each device. Whilst this guidance does not preclude multi-user devices, consideration must be given as to how to customise the configurations detailed in this documentation for multi-user scenarios.
The guidance does not cover the use of these devices in physically high-security environments, or their use at higher classifications. It is recommended that organisations carefully consider the particular risks of allowing OFFICIAL end user devices into such high-security locations.
This guidance also assumes that:
- users will use the device to access various Internet-based services, both for official and limited personal use
- users will be made aware of the appropriate use of the system prior to receiving the device
- some devices will inevitably be lost or stolen (though precautions in this guidance should help ensure that data loss is minimised)
- devices will connect to a range of trusted networks to access OFFICIAL information
- networks will be provided by the enterprise, by telecoms operators, or by third parties (e.g. home, hotel or coffee shop Wi-Fi)
- any networks that the device connects to will not necessarily be trustworthy, and so protection of the data in transit on these networks is important
- the device will be deprovisioned when the device no longer needs access to OFFICIAL information
- when deprovisioned, any sensitive information will be removed and the device’s ability to connect to the enterprise network will be revoked. The device can then be reused, recycled or returned to its owner
Although devices are expected to be corporately managed, the ownership model is not particularly relevant to the remainder of this guidance. The critical aspect is that the enterprise takes over the management of the device via a device provisioning process and is able to control all relevant aspects of it throughout the time it accesses OFFICIAL information.
7. Bring Your Own Device (BYOD)
Whilst enterprise ownership of a device makes many information security aspects much simpler, it is not a prerequisite of this guidance. What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access OFFICIAL information.
To ensure information security when using devices not owned by the enterprise, the enterprise must take control of device management at the point of provisioning, ensuring that the device is placed into a ‘known good’ state prior to allowing it to access OFFICIAL information. Limitations of current technology mean that a ‘health check’ or ‘device status’ check is not sufficient to verify ‘known good’: malware can easily subvert such a check. Where possible, return the device to an understood state, for example by reinstalling the firmware or wiping it to factory settings, and replace any existing configuration on it.
For further information on the risks associated with BYOD, see the Bring Your Own Device guidance.
8. Summary of recommended actions
To get the most from this guidance, you should:
- read the guidance for your selected device(s) in full and consider how applicable the usage scenario and recommendations are to your intended use
- set up a pilot of devices in a non-operational environment before deployment, simulating as far as possible the environment where the devices will be deployed
- determine the business functions that devices need to perform before deciding on the final configuration, and apply security configurations to the device or supporting infrastructure where applicable, based on this guidance
- read and assess the security checklist to track and record the chosen settings for each security task, and note which settings are changed to secure the device. This information can be helpful when developing an organisational security standard for mobile devices
- produce security operating procedures, user education packages and training documents to help staff keep information secure on mobile devices
- establish a helpdesk facility to respond to the loss or theft of devices by performing a remote lock or wipe and revoking their ability to access enterprise information
- prepare a system management plan to deal with the security-critical updates and patches that the vendor will release during the lifecycle of the deployment
When business or operational needs require deviation from this guidance, these deviations should be evaluated to help determine any additional security risks. Measures should be taken to help monitor or mitigate these risks.
Deployments of multiple device types should also be supported by this guidance, although CESG have not tested this at the time of writing. Rather than having multiple instances of the recommended network architecture for each device type, it is recommended that system administrators merge the suggested networks together to form a single system.