How do PoliceBox & Quvo help us comply with the Cloud Security Principles?

The National Cyber Security Centre (NCSC) expect that cloud systems which are in the cloud are developed, configured, and used in a secure way. How do PoliceBox & Quvo help us comply with the 14 Cloud Security Principles?

Introduction

It is our responsibility to ensure that both PoliceBox and Quvo help your organisation protect itself and its staff, by ensuring the integrity of your Information Assets.  Part of this means demonstrating how these platforms have been designed, developed, and configured in accordance with the 14 Cloud Security Principles.  

How to use this article?

We will look at each principle in turn, and provide details about how these platforms are assistive.   Where relevant to some of the items we discuss, we have provided links to external web sites at the end of this article.

Terms we use.

  • Whether you are using, or plan to use, PoliceBox or Quvo, we refer to you as 'You', 'Your', or as 'the Customer'.
  • Where we refer to 'the platform' we are equally referring to PoliceBox and Quvo.
  • Where we refer to 'Us', 'We', or 'Our', we mean Coeus Software Ltd, trading as the PoliceBox brand.

Implementing the Cloud Security Principles in PoliceBox & Quvo

Principle 1 - Data in transit protection

  • Accessible components of the platform have data in transit protected with encryption using AES256
  • AES256 encrypted data is passed between endpoints using HTTPS TLS 1.2
  • The Integration Server provides a ‘gateway’ to back-end systems which ensures that network communications 'originate' within the Customer's secured scope. The Integration Server works to protect back-end systems, where those systems may not be able to communicate using HTTPS TLS 1.2.
  • Platform web services endpoints are secured by integration with the Customer's Azure Active Directory or Google Cloud Identity Platform, affording zero trust in terms of authorisation and Least Privilege (access control) in terms of authentication.

Principle 2 - Asset protection and resilience

  • The platform supports the use of Mobile Device Management (MDM) solutions (including Microsoft Intune, Blackberry BES) which forms part of an overall approach to managing and securing equipment and information assets.  As the Customer you will need to supply the MDM platform and ensure that your devices are protected.
  • Information Assets are encrypted using AES256 when at rest, both on the Device and when residing in the PoliceBox or Quvo cloud environment. Encrypted data safeguards against unauthorised access or use. It also safeguards against seizure by non-UK authorities.
  • Public Sector Information Assets are subject to the GSC marking scheme. Whatever marking scheme is used, it can be defined at the Task design level in the App Designer.  Business rules in the platform prevent inadvertent copy & paste.
  • As the Customer, you have full control of the Task design process through the App Designer and can control where data from completed Tasks are sent (back-end systems).
  • Users can ‘park’ Tasks, in the platform's cloud environment, to resume (later) on another device, which can safeguard information against loss if a device fails.
  • The platform's cloud environment benefits from a full Disaster Recovery and Business Continuity regime which includes backup of data for Information Security (event of data loss) purposes.
  • The platform's cloud environment can be configured to operates in ‘store and forward’ mode, depending on the Customer's risk appetite. Information is removed as soon as it has been delivered to the back-end system. 'Store and forward' mode means that your Information Assets are held in the cloud environment only for a minimum amount of time.
  • The platform applies digital forensic protection to all business processes so that data collected, irrespective of the business proces.  The same applies to audit logs, which can be checked for tampering or corruption.
  • Where Tasks contain a manuscript signature, the data from the signature is bound to the fields in the Task to which it refers. This assures against non-repudiation.

Principle 3 - Separation between users

  • Tasks are autonomous pieces of work, which allow a user to Collect information. Task metadata describes the lifetime of the Task (User, Device, Timestamps, location data if available).   Metadata also describes how the platform will process the collected information.
  • Users (and their Task data) are managed individually within the platform so that Users cannot impact upon each other.
  • The Identity Access Model is integrated with your Azure Active Directory or Google Cloud Identity Platform, and you can closely or loosely couple with user-groups.
  • User access is role-based:
    • Frontline workers have the ‘AppUsers’ role and allocated to groups according to their duties within Your organisation (perhaps by regional team / operational unit / sector / specialism).
    • Staff responsible for managing business processes (e.g., designs of Tasks such as Witness Statements, VDRS forms etc) possess the ‘Designer’ and ‘Publisher’ role(s).
    • Separation of roles in the App Designer allows certain members of staff to have supervisory oversight of business processes before they are published to users.
    • There are separate roles for managing PoliceBox on a day-to-day basis as well as Auditing, the latter of which might go to professional standards colleagues.

Principle 4 - Governance framework

  • We supply the Customer with a COTS platform, it acts as your Mobile Application.  We develop and maintain the platform on your behalf, the governance framework both these aspects:
    • Product development and business operations are governed by corporate policies which start with the Information Security Policy.
    • The Product Owner/Architect for PoliceBox is the PoliceBox Chief Technology Officer (cto).
    • The Operations Manager is responsible for
      • Secure and compliant provision of the PoliceBox service, including the provision of the PoliceBox Service Desk.
      • Management of security incidents
    • The Chief Executive Officer (ceo) is responsible for:
      • Overall compliance and security of the PoliceBox platform.
      • Overall control of commercial matters
    • The Finance Director is responsible for contractual matters.
    • Each of the responsible officers stated above report to the company board of directors.
    • Separation of concerns exist between PoliceBox Development and PoliceBox Operations teams. The Development team are afforded no access to live environments.
  • The platform is to be governed as follows:
    • Where required, and with appropriate additional safeguards implemented, it will be accredited to OFFICIAL with OFFICIAL – Sensitive.
    • With appropriate risk assessment and mitigations applied
    • The System Operating Procedures (SyOps) are to be applied
    • The COTS platform is governed by a product roadmap (and associated Change Management which is owned by the Us, working in consultation with our Customers using a Customer Success Model which involves User Groups.
    • The Customer will have total control of its use of the platform which includes:
      • Dedicated tenancy in the PoliceBox or Quvo cloud environment
      • Development, testing and approval of business processes and platform behaviour, through the App Designer, in accordance with the SyOps. Note: It is possible for the Customer to engage with suitable third parties for professional services, to analyse requirements for and develop business processes for the Customer.
    • Our Service Desk will integrate with your own Service Desk for service management purposes.
  • We will provide supporting documentation, outling processes relating to Incident Management.

Principle 5 - Operational Security

  • The Customer will have control over the following:
    • Role based access to business processes via the App Designer.
    • Access granted to Authorised Users, via integration with Your Azure Active Directory or Google Cloud Identity Platform.
    • Management of Information Assets, at the Task design level via the App Designer. The Customer will be able to apply its own change management for business processes it issues for frontline/operational use.
  • We will ensure operational security due through:
    • The use of configuration management (and release management) for platform components, which will be assisted by automation (including the use of DevOps pipelines) wherever possible.
    • Release notes are provided as standard
    • Technical measures (such as Encryption), to ensure that the platform remains available and Information Security is managed through business continuity and disaster recovery measures.
    • Protective monitoring of the platform's cloud environment which will work to safeguard against cyber attacks.  We are capable of assisting your own SOC/NMC in provision of SIEM diagnostic information.
      • With respect to Customers using PoliceBox, this additionally includes compliance with blueprints of the National Enabling Programme.
    • Vulnerability management - comprising a mix of vulnerability scanning, and research with NCSC CISP (and other partners) - which will ensure that the platform and its software components do not expose the Customer to undue cyber or information security risk. Depending on the risk, upgrades to platform components, or advice on systems hardening, may be issued to the Customer via Our Service Desk (Service Bulletin and Knowledgebase).
    • Provision of, and compliance with, a security incident management process. The process:
      • Provides for immediate reporting of incidents
      • Is compatible with Our corporate Whistle Blowing Policy.
      • Is outlined in supporting documentation that we will provide to you.
      • Can rely upon provisions made in the Business Continuity & Disaster Recovery plan which will safeguard against data loss event owing to occurrences of ransomware.
    • The platform will be subject to routine IT Health Checks which will identify vulnerabilities in the platform for immediate or prioritised action.

Principle 6 - Personnel security

  • We routinely screen our staff. All staff are vetted to Non-Police Personnel Vetting (NPPV3) with SC.
  • Our employees are bound by Corporate Policies, including the Information Security Policy.
  • Our Policies are promulgated to staff through training and enforced through technical and environmental measures.
  • We expect the Customer to have similar policies and procedures in place.

Principle 7 - Secure development

  • Our platforms have a product owner, who is responsible for secure development.
    • Software artifacts are built to well defined User Stories within an Agile development methodology.
    • User Stories consider the outcomes associated with any development with regard to the potential impact on the privacy of individuals. Risks mitigated in the technical solution and the exit criteria.
    • Software is written using a SOLID development approach, where a (common) core codebase ensures business logic is reliable and repeatable. Business Logic is written on the basis of Least Privilege and stood up on the basis of Zero Trust.
    • Third party libraries (software dependencies) are screened to ensure they come from a reputable source.
    • Unit testing and Automated (Cloud) functional testing ensures that new or revised features comply with the exit criteria of the User Story.
    • PoliceBox software components are held in a source control repository, which is enhanced with a codebase branching mechanism.  Branching mechanism permits rapid development of new features while allowing routine product support (defect repairs) for the version of the platform currently in use.
    • Factory Testing is conducted by Our operations team and acts as a pre-release assurance mechanism.
    • It is Our policy to supply software components that have been digitally signed so that they are known to be genuine.

Principle 8 - Supply chain security

  • We are a partner-first company.  Our philosophy is to make use of partners in the supply chain where their expert knowledge can be applied to the rapid and better delivery of products and services to the Customer.
  • We choose from carefully selected suppliers who fulfil our minimum certification requirements.
    • Where a supply chain partner provides software components (e.g. integration middleware) it is expected that Our Service Desk will act as the point of contact for those components.  We will liaise with the supply chain partner.
  • Supply Chain partners are:
    • Provided with sufficient information about the Project (e.g. integration specifications, business processes to be implemented) to allow them to provide an effective service.
    • Sometimes provided access to test environments, to ensure successful development outcomes.
    • Not permitted to access live environments under any circumstances.
    • Occasionally provided with anonymised benchmarking data, for the purposes of appropriate scaling and reliability of provided components. Benchmarking data will only be supplied under explicit authority of the Customer on a case-by-case basis.
    • Expected to provide software components that are digitally signed so that they are known to be genuine.
  • We ensure our selection of Cloud provider is best of breed and is known to be compatible for use with your requirements.

Principle 9 - Secure user management

  • Users are separated by role-based access.
  • Separate software products are provided depending on function,
    • Client App which only allows access by frontline workers
    • App Designer which only allows the configuration and maintenance of business processes.
    • "Web” Portal provides role-separated functionality which includes:
      • Day to day platform management (system log review, user on-boarding etc)
      • Auditing of user activity (allowing monitoring by professional standards or other supervisory personnel)
      • Dashboards showing high-level statistics and summaries of Tasks being completed in near real-time.
    • An “admin” portal exists which enables system log reviews by Our Service Desk. System log reviews can happen:
      • As part of routine system health monitoring
      • As part of triage or response to a service ticket.
    • Users must be on-boarded to the platform to ensure they are:
      • Authorised, and
      • Have a User Licence.
    • Your Service Desk staff will be given access to Our online Service Desk resources.  They will be issued with individual account credentials.

Principle 10 - Identity and authentication

  • The Customer has complete control over Identity and Authentication for their PoliceBox platform. PoliceBox will be integrated with:
    • Federated Authentication - Azure Active Directory or Google Cloud Identity Platform
    • Mobile Device Management - Such as Microsoft Intune or Blackberry BES.
  • Our Service Desk staff will have individual identities for authentication to the “admin” portal and other support tools (e.g. DBA tools, DevOps) that we use to deliver the service.

Principle 11 - External interface protection

  • All external interfaces are protected using HTTPS TLS 1.2
  • Endpoints are protected by OAuth2 tokens which are integrated with Azure Active Directory or Google Cloud Identity Platform.
  • The Integration API, which is used for two-way integration, is secured using an API Key (which is linked to Our Azure Key Vault) and an additional ‘strong key’ which is based on the Customer's use of the platform.
  • Routine IT Health Checks (ITHC) will help identify vulnerabilities in the interfaces exposed by the platform, for immediate or prioritised action.

Principle 12 - Secure service administration

  • The Customer is responsible for the secure administration and management of the PoliceBox platform using the “web” portal.
  • Our Service Desk is responsible for the delivery of the PoliceBox service, which includes the cloud environment.
    • Our Service Desk will access the administrative portal for the cloud environment from Our premises on company issued devices.
    • The administrative portal is used to access diagnostic information and tune resources to ensure availability and business continuity.
    • To access the administrative portal, Our corporate policies will be applied, which requires multi factor authentication, and imposes role-based access controls, so that staff do not have high levels of privilege.

Principle 13 - Audit information for users

  • The platform's “Web Portal" provides role-separated functionality which includes:
    • Auditing of user activity (allowing monitoring by professional standards or other supervisory personnel)
  • A warning statement can be applied can be applied in your Azure Active Directory or Google Cloud Identity Platform "branding" screen.  The branding screen is shown when a user attempts to login via the ‘browser surface’.   The warning will make it clear that use of the system is audited for monitoring of compliance to SyOps and other policies and procedures

Principle 14 - Secure use of service

  • PoliceBox app supports the use of Mobile Device Management (MDM) platforms (Microsoft Intune) which can be used to harden the device against loss or theft.
  • The Integration Server will be housed in a secured location within the Customer's own secured scope.

External Resources

For more information on some of the items discussed in this article, click on the relevant link.  They will take you to external websites that are not controlled by Us.