National Cyber Security Centre builds IT system in-house

Agency emphasis ‘Cloud First’ approach and avoiding complex relationships with other IT systems

The National Cyber Security Centre (NCSC) has developed its own IT system to underpin its coordination of national efforts supporting cyber resilience.

blogpost by the centre’s chief architect, known simply as Richard C, says it took the decision because no existing systems designed for information with an OFFICIAL security ranking fitted its needs.

Cyber security on screen“Nor did they strike the right balance of security, usability and functionality required by our new mission,” it says. “So we had to build something new.”

The system has been built using the Government’s Technology Code of Practice and a ‘Cloud First’ approach that involves software-, platform- and infrastructure-as-a-service, keeping the on-premise infrastructure to a bare minimum. No details of the cloud provider are included.

Users will have a choice of devices, with customisation kept to a minimum as it would make them harder to maintain, and the emphasis will be on accessing the system through web apps rather than a thick client.

The devices will also be configured to use the IPSEC protocol for protecting information as it travels across less trusted networks.

Aggressive patching

NCSC plans to patch the system, including servers, “aggressively and automatically” to maintain security, and avoid creating complex trust relationships with other IT systems. This should make it possible to retain control of its own risk decisions without affecting users from other departments that it works with.

It is also plans to stick to its own guidance on securing enterprise technology. This takes in areas such as network encryption, cloud security and how to manage a ‘bring your own device’ approach.

The system was created by a multidisciplinary team from experts in various fields across the organisation, using a few commercial partners to fill gaps in their skills, and representative of the Common Technology Services team in the Government Digital Service.

The project involved an agile approach for some aspects, although the blog says it was not appropriate for all as the procurement of commercial services and equipment is a poor fit with methodology.

Sensible risks

“It’s entirely possible to build good, secure tech using an agile approach,” Richard C says. “What’s different is that you evolve the system over time, taking risks in sensible ways while you build new functionality or security into the system.

“So, on day one, we were running a relatively high risk in some areas while we were comfortable with the controls we had in place elsewhere.”

NCSC went operational in October of last year, taking up the role of the UK’s lead authority on cyber security issues for the public and private sectors. It has already provided a stream of guidance on good practice in the field, including advice on password expiry policies and firmware.

Its plans include working closely with local government and developing a Domain Name System resolution service.

Image: Harland Quarrington/MoD, Open Government Licence v1.0 through Wikimedia