Secure by Design: A reusable pattern for seamless interoperability & cross domain collaboration
The problem
The UK Government collects extensive data from citizens and through its Task Force Data Collection at the OFFICIAL level.
In certain instances, this aggregated data needs to be preserved within higher security or trust boundaries. If such data were to fall into malicious hands, it could cause reputational damage or pose a significant national security risk. When consolidated, this data can offer invaluable insights to adversarial state entities, so the aggregated data must be housed within SECRET/High Trust domains.
The CDHA Framework offers a solution that not only secures data at the OFFICIAL level but also facilitates controlled transactions, allowing portions of a record to be safely shared within the OFFICIAL domain.
What is the CDHA Framework?
The challenges and risks associated with data aggregation are not exclusive to the UK Government but also extend to our collaboration within the Five Eyes (FVEY) intelligence alliance.
Acknowledging this significant challenge and its associated risks, Acubed.IT has collaborated with the NCSC for more than three years. Together, we have developed a framework, established a design pattern, and crafted a product that empowers HMG to create applications spanning multiple security and trust boundaries, all while adhering to the ‘Secure by Design’ principles.
With CDHA, applications can achieve an optimal balance: superior usability and performance at the OFFICIAL level, while ensuring data storage at the SECRET/Higher Trust tier. CDHA represents a ground-breaking technology that could redefine the way the UK government conceptualises and develops secure applications in the coming years. The potential of CDHA to revolutionise governmental operations is immense.
CDHA revolutionises data security by seamlessly bridging trust boundaries. With robust encryption and secure data transfer, CDHA empowers organisations to confidently manage and process sensitive data across diverse security classifications.
CDHA is secure by design, meaning any application developed with it inherently integrates security measures. CDHA ensures robust protection against emerging threats through various layers of security features, including:
- Data Encryption and Signing: Unique row-level AES encryption with user-specific keys for unparalleled security of data at rest and in transit.
- Endpoint Security: ECDH and ECDSA protect data transmission, ensuring encrypted and signed data at the client browser level.
- Authentication and Verification: Stringent identity verification and signature validation guarantee legitimate data transactions.
- Access Control and RBAC: Multi-layered defense with Role-Based Access Control and Two-Factor Authentication (2FA) to prevent unauthorised access.
- Validation: High Assurance Gateway decrypts and validates incoming payloads, ensuring data integrity.
- Export Control: Thorough checks on outgoing data for compliance and security standards.
CDHA employs the STRIDE model to mitigate various security threats, ensuring data integrity, confidentiality, and availability.
The CDHA Framework is strategically preparing for the quantum computing revolution by planning to incorporate Post-Quantum Cryptography (PQC) methods like Kyber and Dilithium, in collaboration with Edinburgh Napier University, to future-proof against quantum threats. This shift will enhance CDHA’s resilience beyond current cryptographic methods like ECDH and ECDSA. In parallel, CDHA’s roadmap includes researching homomorphic encryption to enable secure data operations without compromising privacy. Furthermore, Attribute-Based Encryption (ABE) will facilitate controlled data sharing across trust domains, ensuring data access aligns with user roles and security clearances. CDHA’s future development also includes AI and ML-driven export control mechanisms to strengthen data transfer security across domains, setting a new benchmark for secure, adaptable application frameworks.
Using the CDHA Framework to Modernise Government Security
- Zero Trust Architecture: Shifts government security from perimeter-based models to a focus on data security.
- Modern Security Approach: CDHA supports secure communication across trust boundaries, enabling safe cross-domain interaction.
- Built with a focus on 'Secure by Design,' the CDHA Framework enables seamless and secure communication between systems across different security levels.
- User-Specific Data Protection: Encrypts data uniquely for each user, ensuring only the creator can access it, preventing it from becoming a vulnerability or an attractive target for malicious actions.
CDHA Benefit
Enhancing CNI Protection with Advanced Cross-Domain Solutions
- Acubed.IT’s CDHA secures Critical National Infrastructure (CNI) against emerging cyber threats, meeting new regulatory standards like NIS2 and the UK's Cyber Security and Resilience Bill.
- Robust Encryption: Protects CNI data with strong cryptography, ensuring security during transit and at rest, aligned with upcoming UK regulations.
- Secure Information Sharing: Enables safe data exchange between regulators and operators, maintaining high-trust protocols for data integrity and confidentiality.
- Compliance and Adaptability: Assists organisations in staying compliant with evolving cybersecurity laws.
- Operational Efficiency: Streamlines data handling and reduces complexity, enhancing performance and simplifying regulatory compliance.
Conclusion
As the Cyber Security and Resilience Bill shapes the future landscape of cybersecurity in the UK, Acubed.IT’s CDHA Framework is designed to meet these challenges head-on. Protect your critical assets with a framework built for the future of CNI protection, ensuring your operations are secure, compliant, and resilient.