You may have spotted some attention-grabbing headlines recently, talking about how “Operating System Z is the only one approved for secure use in government!” or “Operating System Y is the most secure OS for government ever!”
It’s not true. The reality is that government’s security arm, CESG, doesn’t “approve” operating systems for use, nor do they rank things in terms of “most” or “least” secure. Their platform guidance allows you, the customer, to make informed choices about which operating systems, devices and services are best for your organisation, based on your IT needs and security requirements. And they objectively clarify what operating systems and products can and can’t do from a security perspective out of the box. That’s all.
As the CESG guidance introduction states, “Modern end user devices provide users with great flexibility and functionality - coupled with security technologies to help protect information. The aim of this guidance is to harness these security technologies in a way that does not significantly reduce this functionality. Different devices will expose organisations to different risks and in different ways - by exacerbating existing risks to corporate assets, or introducing new ones. Careful consideration of these risks is important to maintaining information security.”
The latest CESG guidance is simple and easy to navigate. It examines operating systems, devices and services against 12 security principles. If you haven’t seen them yet, take a look and judge for yourself. And you can do that because, unlike the old Government Assurance Pack for Windows, the guidance is transparent, publicly available and concise.
We aren’t CESG and we can’t speak for them. But we can say that, in our experience, mislabelling operating systems and devices as “approved” and “most secure” is not helpful for the customer in an era where government strives to make objective information available and encourages people to take a balanced decision.
As you might expect us to say, we feel Microsoft products continue to be industry leaders when you evaluate what they can do “out of the box” against CESG criteria. And this is important given government has a goal to “make optimum use of native security functions, avoiding third-party products wherever possible”. In our opinion, Windows 8.1 Enterprise has the fewest residual risks when compared to other platforms on which guidance is provided. And that’s not to mention the lowest total cost of ownership.
But what do you think? Does this match up with your experience? Reach out to us on Twitter and let us know how you’re getting on at @MSUKINGOV.