What does the latest CESG devices security guidance mean for you?

CESG issued its latest End User Devices Security and Configuration Guidance on the 14th of October. The new document is a radical departure from past iterations in some respects. So what do you need to know about the new guidance?

Shorter, simpler guidance: In the past, the CESG would release Government Assurance Packs for individual platforms. These documents could be 90 pages long and set down extremely detailed instructions for correctly implementing a given platform. These instructions were often complicated, could be difficult to implement and didn’t properly address today’s multiplatform IT demands. The new guidance amounts to a handful of pages providing general risk management strategies, and it ultimately leaves decisions about which platforms to use up to individual agencies, departments and authorities.

12 key metrics: The new guidance evaluates individual platforms against 12 security requirements. The points the CESG is looking at are: assured data-in-transit protection, assured data-at-rest protection, authentication, secure boot, platform integrity and application sandboxing, application whitelisting, malicious code detection and prevention, security policy enforcement, external interface protection, device update policy, event collection for enterprise analysis, and incident response.

Upgrading has its benefits: When you compare the CESG’s evaluation of the different platforms, Windows 8 stands tall against the rest of the market, offering significant security upgrades over Windows 7, such as secure boot. No matter how you look at it, it’s the only way to be sure you can use all your essential applications in a secure boot environment without having to compromise on some other essential area, such as event reporting.

There’s a clear winner for tablets: Windows 8 tablets are, hands down, the most secure tablet devices available. The combination of security policy enforcement, external interface protection and application whitelisting features is unequalled in the market today. If you want to take advantage of all the significant organisational advantages of mobile working in a secure environment, it’s an easy call to make.

Wide availability: In the past, access to CESG devices guidance material was carefully controlled. But this latest iteration is available in its entirety on the CESG website, making it easier for organisations across the UK to quickly consult the guidance and make decisions.

Check out the latest guidance on the GOV.UK site.

Comments (2)

  1. Rob Knight says:

    The use of CPA or assured VPNs still disallows split tunnelling and content inspection measures for web browsing are also required.

    This means that end user devices are still unable to utilise challenged internet connections – i.e. those having a captive portal which requires a user to enter details into the portal before internet access is unlocked.

    Several solutions exist including ConnectSolve WLAN.

    Already on successful trials, it supports a wide range of VPN solutions including X-Kryptor(TM), IPSEC solutions from Cisco and NCP/Juniper (IKEv1 and IKEv2), Microsoft IKEv2/IPSEC (IPSEC client in the guidance), other IPSEC based VPNS and TCP based VPNs such as SSL/TLS etc.

    These low-cost, compact units (smartphone size & <200g in weight) feature 8+ hrs runtime on a full charge and 3G/4G USB dongle support – use a compatible dongle to add 3G/4G functionality.

    Operated from a user's personal smartphone, tablet or an optional mini-router over Wi-Fi using the smartphone's (etc.) browser, captive portals are handled on the smartphone and, once unlocked, the internet connection can be used by an end-user device.

    End user devices connect over either Ethernet or Wireless (ideal for tablets) and each ConnectSolve unit supports up to 5 end user devices simultaneously.

    ConnectSolve is just like any other internet router – i.e. part of the internet connection and outside of the accreditation boundary – all data leaving the end user device is already encrypted for internet traversal.

    The end user devices are never directly exposed to the captive portal.

  2. NotASoftwareObject says:

    The guidance appears to cover systems up to OFFICIAL only (IL3?). Do you have any links to the CESG evaluations or guidance on how to deal with MOD systems that require higher integrity level lockdowns (e.g., at IL5), particularly stand-alone systems?