Government organizations have been encouraged to take a “default allow, explicit deny” approach to authorizing recipients when sharing data with each other through cloud systems.
This stems from a collaboration between the National Cyber Security Center (NCSC), the Central Digital and Data Office (CDDO) and Microsoft to build an intergovernmental collaboration plan for the public service through a project running from September 2021 to May 2022.
An NCSC blog post explained that the approach means a user is allowed to share access to data when using cloud services as long as they are not covered by a “deny list”.
The post's author acknowledged that there is always a risk of a malicious insider, but said this can be reduced without hampering collaboration by good security practices such as using secure mobile devices.
He claimed that ‘default-allow, explicit-deny’ can increase efficiency by allowing users to continue their work, maintain confidence in security through activity audits, and reduce management overhead because administrators don’t need to maintain ‘explicit-allow’ lists.
Security and usability
“Sometimes you have to choose between more security and better usability. Fortunately, in this case, we believe organizations can have both,” said James L, cloud security researcher at NCSC.
The guidance – published by Microsoft in the form of a policy document and a technical guide – is also aimed at organizations that wish to maintain an allow list approach due to their specific technical architecture or threat profile and their risk assessment.
The guidance also states that it complies with NCSC guidelines on the zero-trust approach to cybersecurity.
A government spokesperson added: “Seamless digital collaboration across government is fundamental to enabling a more effective and efficient public service.
“The Central Digital and Data Office has brought together government organizations and Microsoft to produce new guidance on how to configure Microsoft 365 for better collaboration within the public sector.”
The NCSC added that it plans to release guidance soon on securing the use of a software-as-a-service application.