Guidance

End User Devices Security Principles

Published 5 March 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/eud-guidance

The EUD Security Framework describes twelve principles for security controls on end user devices; each principle should be considered when deploying a particular solution.

These security principles are the fundamental properties which are used by CESG when assessing and providing configuration guidance for a wide variety of end user device platforms. The portfolio of end user device security guidance can be found at https://www.gov.uk/cesg/device-guidance.

1. Assured data-in-transit protection

Data in transit between the device and enterprise services is protected by an IPsec client which is assured to Foundation Grade against the IPsec VPN for Remote Working – Software Client Security Characteristic, configured in accordance with the PSN end-state IPsec profile or the PSN interim IPsec profile.

2. Assured data-at-rest protection

Data stored on the device is satisfactorily encrypted when the device is in its “rest” state. For always-on devices, this is when the device is locked. Formal assurance of this function to Foundation Grade against the appropriate Security Characteristic is strongly recommended.

3. Authentication

Three types of authentication are recommended:

  • User to device: The user is only granted access to the device after successfully authenticating to the device.

  • User to service: The user is only able to access enterprise services after successfully authenticating to the service, via their device.

  • Device to service: Only devices which can authenticate to the enterprise are granted access.

4. Secure boot

An unauthorised entity should not be able to modify the boot process of a device, and any attempt to do so should be detected.

5. Platform integrity and application sandboxing

The device can continue to operate securely despite potential compromise of an application or component within the platform, and there is an ability to restrict the capabilities of applications on the device.

6. Application whitelisting

The enterprise can define which applications are able to execute on the device, and applications outside that defined set are prevented from running.

7. Malicious code detection and prevention

The device can detect, isolate and defeat malicious code which has, by whatever route, become present on the device.

8. Security policy enforcement

Security policies set by the enterprise are robustly implemented across the platform. The enterprise can technically enforce a minimal set of security-critical policies on the device, and these security-critical policies cannot be overridden by the user.

9. External interface protection

The device is able to constrain the set of ports (physical and logical) and services exposed to untrusted networks and devices, and any exposed software is robust to malicious attack.

10. Device update policy

Security updates can be issued by the enterprise and the enterprise can remotely validate the patch level of the device estate.
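The second half of this principle, remote validation of the patch level across the estate, is the part most often done loosely in practice. The following is an added example (not part of the CESG guidance, and not any vendor's tooling) showing how an enterprise might evaluate the reports its devices send: each device reports a platform, a build and the date it last checked in; the script compares the build against a minimum baseline for that platform and, importantly, treats a device that has not reported recently as non-compliant rather than assuming it is fine. The platform names, build numbers, baseline values and device identifiers are all constructed for the example.

```python
"""Added example: validating the patch level of a device estate.

All data here is constructed and hypothetical: the baseline builds, the
platform names and the device identifiers are not from the CESG guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Hypothetical minimum builds the enterprise requires, per platform.
BASELINE = {
    "windows": "10.0.19045",
    "ios": "17.4",
    "android": "14",
}

# A device whose last report is older than this is treated as unknown and
# therefore non-compliant: an absent report is not evidence of a good state.
MAX_REPORT_AGE = timedelta(days=7)


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    platform: str
    build: str        # build string as reported by the device agent
    last_seen: date   # date of the most recent report


def parse_version(text: str) -> tuple:
    """Split a dotted build string into integers so comparison is numeric.
    '10.0.19045' -> (10, 0, 19045); non-numeric tokens are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def meets_baseline(platform: str, build: str) -> bool:
    """True when the reported build is at or above the platform baseline."""
    required = parse_version(BASELINE[platform])
    got = parse_version(build)
    # Pad the shorter tuple with zeros so '17.4' and '17.4.1' compare sensibly.
    n = max(len(required), len(got))
    return got + (0,) * (n - len(got)) >= required + (0,) * (n - len(required))


def assess_estate(reports, today: date) -> dict:
    """Bucket each device: compliant, outdated, stale (no recent report),
    or unknown_platform (no baseline defined, so it cannot be validated)."""
    result = {"compliant": [], "outdated": [], "stale": [], "unknown_platform": []}
    for r in reports:
        if r.platform not in BASELINE:
            result["unknown_platform"].append(r.device_id)
        elif today - r.last_seen > MAX_REPORT_AGE:
            # Checked before the build: an old report proves nothing about
            # the device's current state, even if the build it reported was fine.
            result["stale"].append(r.device_id)
        elif meets_baseline(r.platform, r.build):
            result["compliant"].append(r.device_id)
        else:
            result["outdated"].append(r.device_id)
    return result


# Constructed sample estate with hypothetical identifiers.
SAMPLE_REPORTS = [
    DeviceReport("lap-001", "windows", "10.0.19045", date(2024, 6, 1)),
    DeviceReport("lap-002", "windows", "10.0.19041", date(2024, 6, 1)),
    DeviceReport("phn-003", "ios", "17.4.1", date(2024, 6, 1)),
    DeviceReport("phn-004", "ios", "16.7", date(2024, 5, 1)),   # stale and outdated
    DeviceReport("tab-005", "android", "14", date(2024, 6, 2)),
    DeviceReport("kiosk-006", "chromeos", "124", date(2024, 6, 2)),
]


def sample_assessment() -> dict:
    """Run the assessment over the constructed estate as of 3 June 2024."""
    return assess_estate(SAMPLE_REPORTS, date(2024, 6, 3))


if __name__ == "__main__":
    for bucket, devices in sample_assessment().items():
        print(f"{bucket}: {devices}")
```

The ordering of the checks is the point: a device with no recent report is classified as stale before its build is considered, so a device that went quiet while out of date cannot masquerade as compliant on the strength of an old report. A real deployment would source the reports from the MDM or agent and the baseline from the enterprise's patch policy rather than from inline constants.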

11. Event collection for enterprise analysis

The device reports security-critical events to an enterprise audit and monitoring service. The user is prevented from tampering with the reporting of events from the device.

12. Incident response

The enterprise has a plan in place to respond to and understand the impact of security incidents, such as the loss of a device. This should be supported by appropriate functionality within the devices and the enterprise, such as sending a wipe command to the device and revoking credentials.