09. Create a secure service which protects users’ privacy
Evaluate what data the service will be collecting, storing and providing
Actively identify security and privacy threats to the service, and have a robust, proportionate approach to securing information and managing fraud risks
The team has held several meetings to identify the risks posed by bad actors. Some key steps taken to mitigate these risks are:
- We completed a DPIA and concluded that our service will handle very little personal data (names, emails and phone numbers). However, we will be handling OFFICIAL data from the UKSA orbital analysts and ephemeris data from operators.
- Our service has been designed to ensure it is secure:
  - User authentication is handled by Auth0.
  - All logins, account creation, modification and deletion, and every upload to or download from the service are logged.
  - An activity log in the user interface lets administrators and orbital analysts see any information uploaded to the site and any changes in user permissions.
  - A user permissions model grants different permissions to operators and government users, ensuring appropriate privacy levels across the service.
- We conducted a ‘bad actor’ tech spike at the start of the project to identify security threats to the service and plan mitigations for them.
- We have taken the required steps to build a secure service:
  - Penetration testing was conducted three times during the private beta (December 2021, February 2022 and March 2022). We will test again in early 2023 before going live.
  - Traffic to and from all endpoints is encrypted in transit.
  - Database configuration is encrypted.
  - S3 storage is encrypted by default.
  - DB plan will be encrypted.
  - All data is stored securely.
Have a plan and budget that lets them manage security during the life of the service
- This will be part of the ongoing responsibility of the maintenance team.
- We rely on well-respected products such as GOV.UK PaaS to ensure security patches are applied in line with good practice.
Collect and process users’ personal information in a way that’s secure and respects their privacy
Monitor Space Hazards has Terms and Conditions that reference the way in which user information will be used.
- Users’ personal data will be used if:
  - They choose to use the web interface and hence need to log in using their email addresses.
  - They opt in to receive notifications about conjunction events, to be notified of any changes to the service, or so that a UKSA orbital analyst can contact them regarding a conjunction event.
- We ask that information from MSH is not shared outside the user’s organisation without written permission. This protects users’ data, as some event data will be derived from their ephemeris.
- Information will be classified as ‘official’.
- UKSA will not share any information submitted to MSH outside of HM Government; this includes personal data, communications and ephemeris data.
- When giving demos to potential new users, the ‘demo’ environment is used. It contains anonymised dummy data, which maintains operator data privacy.
MSH have also completed a Data Protection Impact Assessment (DPIA) screening form. The service will collect individuals’ first name, surname, their work email address and work phone number. This data is already collected by the UKSA and CAA for key contacts at satellite operator organisations and used for comms when necessary. This service will likely involve collecting this data for more individuals at these organisations, if the organisations choose to use the service.
Initially, the UKSA SST team (internal) will have access to this data in order to contact operators directly about an event or about the service.
As the service is developed further, this data will be shared with:
- Civil Aviation Authority (external to UKSA).
- Emergency response team (external to UKSA).
- We will share operator contact details with other operators when they are involved in the same conjunction event, with the permission of the users, in order to enable them to communicate with one another about the event. Users will be able to opt-in or out of this functionality.
Use an approach to identity assurance and authentication that balances the risks in a proportionate way (for services that need identity assurance or authentication)
MSH uses Auth0 for user authentication. Auth0 is an increasingly common authentication mechanism, as it provides:
- A well established, secure system for two factor authentication. Two factor authentication is currently disabled but we hope to enable it before going live.
- Streamlined external authentication, reducing cyber security risks.
- A solution to the problem of magic links, which were used previously, expiring before the user could access them.
Alternative methods of authentication were considered and some may be used in future:
- Simple passwords are the most common method of authentication. However, passwords are prone to phishing attacks and to poor hygiene that weakens their effectiveness. They are described as “low quality” security by the Government Design Service.
- Multi-Factor Authentication (MFA) requires two or more independent ways to identify a user. MFA is effective against most attacks, but comes with its own pitfalls, such as lost phones or SIM cards. Orbital analysts will not have access to mobile phones while working, so MFA involving smartphones cannot be the default for all user groups. However, we have had one request for this functionality and expect to offer MFA through Auth0 when we go live in 2023.
Role-based access control (RBAC) is also used in the service. An RBAC catalogue has been created to ensure that all users have access to the correct information, and that no users see information that they should not.
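As an added illustration (not code from the MSH project), the permissions model and activity log described above can be sketched like this. The role names follow the report; the resource kinds, action names and the user and organisation values are hypothetical:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles named in the report: satellite operators, UKSA orbital analysts and
# administrators. The resource kinds and action names are hypothetical.
PERMISSIONS = {
    "operator": {"ephemeris:upload", "ephemeris:download", "event:read"},
    "orbital_analyst": {"ephemeris:download", "event:read", "event:write", "activity_log:read"},
    "administrator": {"user:modify", "activity_log:read"},
}

@dataclass(frozen=True)
class User:
    email: str
    role: str
    organisation: str  # operator organisation, or "UKSA" for government users

@dataclass(frozen=True)
class Resource:
    kind: str  # "ephemeris", "event", "user" or "activity_log"
    orgs: frozenset = frozenset()  # operator orgs whose ephemeris the data derives from

@dataclass
class AccessControl:
    activity_log: list = field(default_factory=list)

    def is_allowed(self, user: User, action: str, resource: Resource) -> bool:
        # Role check first (the RBAC catalogue), then ownership for operators.
        if f"{resource.kind}:{action}" not in PERMISSIONS.get(user.role, set()):
            return False
        # Operators only see data derived from their own ephemeris; a conjunction
        # event lists every operator involved, so both parties can read it.
        if user.role == "operator" and resource.orgs and user.organisation not in resource.orgs:
            return False
        return True

    def access(self, user: User, action: str, resource: Resource) -> bool:
        """Decide, and record the decision (denials included) in the activity log."""
        allowed = self.is_allowed(user, action, resource)
        self.activity_log.append({
            "at": datetime.now(timezone.utc).isoformat(), "user": user.email,
            "action": f"{resource.kind}:{action}", "orgs": sorted(resource.orgs),
            "allowed": allowed,
        })
        return allowed

    def read_activity_log(self, user: User):
        """Only roles holding activity_log:read (analysts, administrators) may view it."""
        if not self.access(user, "read", Resource("activity_log")):
            return None
        return list(self.activity_log)
```

Denied attempts are logged as well as successful ones, so the activity log shows an operator probing another organisation's data, not just what was served.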
Work with business and information risk teams (for example, senior information risk owners (SIROs), information asset owners (IAOs) and data guardians) to make sure the service meets security requirements and regulations without putting delivery at risk
- Monitor Space Hazards have completed a Data Protection Impact Assessment (DPIA) screening form. This was done in collaboration with the UKSA Data Protection Practitioner, who had to approve the screening form.
- Risks have been monitored throughout with risk storms and risk logs, to ensure we have captured the best knowledge across the teams involved and mitigated any problems.
Carry out appropriate vulnerability and penetration testing
- Penetration testing for MSH took place in December 2021, February 2022 and March 2022.
- All issues from the first and second tests have been resolved.
- Auth0 was implemented in response to the second test findings.
- We will carry out another penetration test in early 2023 before we take the service live.