Following on from the NCSC reviews there are a number of recommendations that we need to further explore.
Admin and Developer Devices
AWS accounts hosting the Modernisation Platform are accessed using standard issue MoJ devices. The security posture of these devices was not discussed; however, if these devices render untrusted content through on-device internet browsing or email access, they could be at a higher risk of compromise. Because of this, using a standard issue MoJ device for Administrators and Developers could present an undue risk to the Modernisation Platform and the services it hosts.
NCSC Recommendation: Implement technical controls to ensure that AWS accounts are only accessed from devices with a known good security posture.
MoJ Response: The normal access route is via MoJ Macs, which are managed, including logging of actions (e.g. attempted removal of security features). But it is possible to access via personal machines. Action: We could limit access to MoJ devices only (potentially allowing read-only access from other devices). How would this work for collaborators who might not have an MoJ device?
This ticket is to look at our suggested action (limiting access to MoJ devices only, potentially allowing read-only access from other devices), to understand whether this would address the identified risk and whether it would have disadvantages, and to reach agreement on what to do.
Value / Purpose
Potentially reduces the platform risk
Useful Contacts
No response
Additional Information
No response
Proposal / Unknowns
Hypothesis: If we... [do a thing] Then... [this will happen]
Proposal: A proposal that is something testable; don't worry whether it works or not, it's a place for ideas.
Unknowns: Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.
Definition of Done
Possible option to reduce this risk, including any negative impact to the service we provide
Agreement on whether to action
If required, ticket raised to implement
SimonPPledger changed the title from "Spike: Additional security for Admin and Developer Devices" to "Spike: NCSC - Additional security for Admin and Developer Devices" on Apr 10, 2024.