Cyber Essentials is an increasingly important security standard in the UK that allows organisations to demonstrate to their customers that they have basic protections against the most common cyber attacks in place. Achieving Cyber Essentials certification helps businesses win new customers and stand out amongst their peers, and it is a requirement for suppliers bidding on many UK Government contracts, in particular those that involve handling personal or sensitive information. Cyber Essentials Plus brings an extra level of assurance: instead of relying on a self-assessment questionnaire, an assessor from a certification body carries out hands-on technical verification of the controls before a certificate is issued.
Cyber Essentials is based around five areas of technical controls:
- firewalls
- secure configuration
- security update management
- user access control
- malware protection
The scheme also requires a scope to be defined: which of an organisation's IT systems the assessment covers.
To help organisations meet security requirements such as Cyber Essentials (CE), we have created Ubuntu Pro, a subscription service that brings security and compliance to regular Ubuntu. In this post we will cover how Ubuntu Pro can be used to meet CE requirements.
Defining the scope and tracking assets
The first step in the CE process is to define the scope and work out how much of your IT infrastructure should be covered, taking into account servers, laptops and mobile devices as well as cloud services and web apps. Once the scope has been agreed, keep an up-to-date inventory of the assets inside it: asset management is not one of the five controls, but CE treats it as a core security function, because you cannot patch, harden or monitor a machine you do not know about.
Landscape is the enterprise systems management tool for Ubuntu. It lets admin and security teams manage all of their Ubuntu machines remotely, verify package versions at scale and report on the CVE status of each machine. Landscape can also act as the single source of truth for software: instead of pointing machines at the public archive, it mirrors and stages repositories so that only reviewed packages reach the estate. Landscape is available both self-hosted and as a cloud service as part of an Ubuntu Pro subscription.
Security update management
Security updates are a fact of life, and here Ubuntu Pro extends the standard coverage to 10 years of security patching for LTS releases, covering both the main and universe repositories, with fixes for Critical, High and selected Medium vulnerabilities across applications and infrastructure. Using Landscape, Ubuntu security fixes can be applied automatically, with full control over which machines receive which updates and when.
Cyber Essentials requires that organisations apply updates which fix High and Critical vulnerabilities (those with a CVSS v3 base score of 7 or above) within 14 days of the update being released. Ubuntu Pro's Extended Security Maintenance guarantees that such fixes are produced for the covered packages, but availability alone does not satisfy the control: the organisation must still deploy them within the window. Administrators can use Landscape to roll the updates out across their Ubuntu estate and to report on which machines have them installed, which is the evidence a CE assessor will want to see.
Regular Ubuntu provides security fixes for the core operating system in the main repository (around 2,500 packages) for five years. But the whole ecosystem of software available with Ubuntu is far wider: over 25,000 packages in the universe repository, covering applications, databases and runtimes, for which regular Ubuntu offers only best-effort, community-maintained patching. Ubuntu Pro provides patching coverage for all of this software, which matches the CE requirement that all software on in-scope devices is supported and receives security fixes; unsupported software must be removed or taken out of scope. Learn more about Ubuntu Pro in this FAQ.
Secure configuration requirements
This requirement is about removing insecure or weak default configurations and locking systems down. Here, Ubuntu Pro helps with the Ubuntu Security Guide (usg), a tool that audits an Ubuntu system against a known hardening profile and can automatically apply that profile, simplifying the hardening process. The most widely adopted hardening standards are published by the Center for Internet Security (CIS), and the Ubuntu Security Guide includes CIS profiles for servers and desktops, so you can audit a system and apply the configuration with one command, or do so remotely across an estate using Landscape. Two practical points: run the audit first and keep the report, because it is the evidence of compliance; and test the fix profile on a representative machine before rolling it out, because some CIS rules (for example those around network services, file permissions and authentication settings) will break workloads that depend on the defaults.
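On a Pro-attached host the real workflow is `sudo pro enable usg`, then `sudo usg audit cis_level1_server` to produce the report and `sudo usg fix cis_level1_server` to remediate. To show what "audit, then fix" means at the level of a single control, here is an added example (not Canonical's or the Ubuntu Security Guide's code) that checks and corrects three sshd_config directives covered by the CIS Ubuntu benchmark. It runs against a constructed sample file in a temporary directory, never /etc/ssh, and assumes only a POSIX shell with awk; the directive names are real sshd keywords, the required values follow CIS Level 1 guidance.

```shell
#!/bin/sh
# Added example, not Ubuntu Security Guide's or Canonical's code.
# Audits and remediates three sshd_config directives that the CIS Ubuntu
# benchmark checks (PermitRootLogin, X11Forwarding, MaxAuthTries), the way
# "usg audit" then "usg fix" do across hundreds of rules. The sample file is
# constructed below; nothing here touches /etc/ssh. Assumes a POSIX shell and awk.

# Controls to enforce: "<directive> <required value>", one per line.
CONTROLS='PermitRootLogin no
X11Forwarding no
MaxAuthTries 4'

# audit_sshd FILE DIRECTIVE EXPECTED
# Prints pass/FAIL and returns 0/1. sshd uses the first uncommented
# occurrence of a directive, so only the first match is considered.
audit_sshd() {
    actual=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ "$actual" = "$3" ]; then
        echo "pass  $2 = $actual"
        return 0
    fi
    echo "FAIL  $2 = ${actual:-<unset>} (expected $3)"
    return 1
}

# fix_sshd FILE DIRECTIVE VALUE
# Rewrites the first occurrence of DIRECTIVE, drops any later duplicates
# (sshd would ignore them, but they mislead a human auditor), or appends
# the directive if it was never set.
fix_sshd() {
    awk -v k="$2" -v v="$3" '
        tolower($1) == tolower(k) { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_failures FILE -> prints the number of controls FILE currently fails
count_failures() {
    n=0
    while read -r key expected; do
        if audit_sshd "$1" "$key" "$expected" >/dev/null; then :; else n=$((n + 1)); fi
    done <<EOF
$CONTROLS
EOF
    echo "$n"
}

# remediate FILE -> enforce every control in CONTROLS
remediate() {
    while read -r key expected; do
        fix_sshd "$1" "$key" "$expected"
    done <<EOF
$CONTROLS
EOF
}

# write_sample FILE -> a constructed sshd_config with weak settings
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample for this example; not copied from any real host
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
EOF
}

# Demo: audit, remediate, audit again, all on a temporary copy
demo_dir=$(mktemp -d)
write_sample "$demo_dir/sshd_config"
echo "== before =="
while read -r key expected; do
    audit_sshd "$demo_dir/sshd_config" "$key" "$expected" || true
done <<EOF
$CONTROLS
EOF
remediate "$demo_dir/sshd_config"
echo "== after =="
echo "$(count_failures "$demo_dir/sshd_config") control(s) still failing"
cat "$demo_dir/sshd_config"
rm -r "$demo_dir"
```

The sample fails all three checks before remediation (root login and X11 forwarding enabled, MaxAuthTries left at sshd's default) and none afterwards. The real tool adds what this script omits: a tailoring file to exclude rules that do not fit a given workload, an HTML report to keep as evidence, and several hundred further rules; the audit-before-fix discipline is the same.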
User access control requirements
Keeping track of user accounts is one of the trickiest parts of the administrative burden. CE's user access control requirement is largely about process: each person has their own account, accounts are removed promptly when no longer needed, administrative privileges are restricted to those who need them, and multi-factor authentication is enabled on cloud services. Most organisations already run Active Directory to manage access to email and other company resources, so it makes sense to reuse that infrastructure for Linux rather than maintaining a separate set of local accounts. Ubuntu Pro includes ADsys, an Active Directory Group Policy client that works alongside Ubuntu's existing domain-join support (SSSD), so that Ubuntu machines join existing Windows domains and receive user and machine policies from AD, simplifying user access control and unifying policies and procedures.
Malware protection requirements
This requirement is aimed at preventing malware and untrusted software from running. Canonical provides Ubuntu users and developers with one trusted source of signed software, from infrastructure to applications and from Docker containers to virtual machines, which reduces the risk of infection from packages installed from untrusted sources. Note that CE expects an explicit malware protection mechanism on in-scope devices, such as anti-malware software or application allow-listing; a curated, signed package archive supports that control, but organisations should still document which mechanism they rely on.
Ubuntu Pro is Canonical's enterprise subscription service for security and compliance, and it includes a set of features that help meet the technical requirements of Cyber Essentials: 10 years of security maintenance, patching automation, asset management and secure configuration. Ubuntu Pro gives you trusted provenance for all packages in the Ubuntu archive. Access control and identity management features are available through the ADsys integration.
We are the trusted partner on open source security for thousands of security teams, and with Ubuntu Pro we have a turn-key subscription service to help you achieve CE compliance. More and more companies looking to bolster their security capabilities turn to Canonical for support.
Are you considering the Cyber Essentials requirements, or perhaps you’ve started your journey to achieving it already? Talk to us so we can help you with Ubuntu Pro.