ministryofjustice / security-guidance

Security guidance from the MOJ Digital & Technology Cybersecurity team
https://ministryofjustice.github.io/security-guidance/

Request review of updates to domain requests #331

Open warmanaMOJ opened 2 years ago

warmanaMOJ commented 2 years ago

Hello @L-Crosby

Please may I request a review of some updates to the Domain Name Policy and General Apps guidance?

Following feedback from OST and Hosting teams, a proposed update has been added, highlighting that any requests from 3rd parties for MoJ-like domain names must first be approved by security.

Previews of the updates may be seen here (a new policy statement POLDOM010-220406) and here (adding the fact that the 'Request a Security Review of a third-party service' form can be used to request MoJ Domain Names for 3rd Party services).

Many thanks.

L-Crosby commented 2 years ago

Approved.

L-Crosby commented 2 years ago

As an aside, not necessary for policy approval but who will be responsible for the approvals (OST or the central security team)? Has this been agreed?

osinghMOJ commented 2 years ago

I would consider the central security team to be responsible for approvals as I imagine these will come from the project teams. This has not been agreed.

cybersquirrel commented 2 years ago

My first instinct was to agree that the central team should be responsible for the approvals, but on consideration I wonder if this should be managed by the domains team (as they are the ones who have to live with the consequences, and who are best-placed to address the problem)?

L-Crosby commented 2 years ago

Where do the domains team sit?

cybersquirrel commented 2 years ago

Platforms & Architecture


cybersquirrel commented 2 years ago

Hi - saw the request to approve publication, but before I click 'approve' I realised that my question https://github.com/ministryofjustice/security-guidance/issues/331#issuecomment-1102310486 doesn't appear to have been answered?

cybersquirrel commented 2 years ago

What would the criteria be for ISAT to approve such a request, if we handle this centrally?

warmanaMOJ commented 2 years ago

Hello, the proposed update focuses on the cyber security perspectives around a domain request. I think we would be interested in whether a proposed domain poses any problems from a security perspective, such as reputational issues or scope for ambiguity or misuse by bad actors. That's why a security approval for a domain is needed first. If and only if there are no security objections to a domain would the process proceed to the mechanics of registering and enabling the domain - and that's where the operations engineering team take over. I felt that the proposed content for POLDOM010-220406 did reflect that, but we can certainly revisit.

AntonyBishop commented 2 years ago

Hi @warmanaMOJ,

What problem are you trying to solve with this addition? I see that this comes from “feedback from OST and Hosting teams”. What feedback? I am not aware of any feedback and am part of the Hosting Team.

All requests come via Operations Engineering who already enforce the domain naming standards. We wouldn’t delegate ownership of domains to 3rd parties. We wouldn’t give 3rd parties ownership of justice.gov.uk domains for email or similar services. All 3rd party domains would be managed by Operations Engineering. That's not to say that there are some historic issues made in how domains have been managed and issued prior to Operations Engineering taking over management of the domain estate e.g. allowing suppliers to register .com domains or domains that don't adhere to naming standards/service manual.

Requests for new Gov.uk domains have a huge amount of rigour around obtaining them and have a whole bunch of requirements and governance before they can be issued. I’m not sure what value having this additional approval will provide on top of what is already in place.

I would also question how you define “requests for 3rd Party services”? I have a view of what that means, but I haven’t written the policy so not sure of the intent, which goes back to the question of what problem are we trying to solve?

The process also assumes that domains are registered and managed via one route. That isn’t the case. It very much depends on when the service is being hosted, or how a service has been contracted. I would say that the vast majority of (what I call) 3rd party services do come via Operations Engineering, however as there is the potential for demand to come via other routes how would you envisage this policy change being enforced?

If there is a problem to be solved here then I would recommend that any security approval become part of the Operations Engineering change process which is already an established route, rather than creating parallel processes.

warmanaMOJ commented 2 years ago

Hi @AntonyBishop - I'll reply with relevant details by email. Thank you.

AntonyBishop commented 2 years ago

@warmanaMOJ thanks for providing the context. I think that this was misunderstood. This is a question about gaps in the policy around what domains can be used for, hence the question that was raised.

I think the better option would be to look at addition of policy around appropriate use of domains by 3rd parties, which is what is missing. Question: Is that a Security or Operational policy?

For example "justice.gov.uk email domains must not be issued for campaigns or marketing material". I would say that this specific example actually applies to both internally managed and 3rd party managed services.

It's a similar type of case such as - https://technical-guidance.service.justice.gov.uk/documentation/standards/naming-domains.html#non-gov-uk-domains - i.e. you must not use non-gov.uk for government services.

Perhaps the list of appropriate uses should be extended?