Our client is a ministerial department of Her Majesty’s Government, seeking to digitally transform extant ways of working and processes and to benefit from the rapid pace of change and innovation from the latest technological developments.
Our client couldn’t get their customers, partners and suppliers to collaborate towards solving mission critical problems at the pace required.
Our client’s aim was to:
- link customer problems to suppliers’ cutting-edge R&D resources
- allow customers and suppliers to work more closely
- allow suppliers to collaborate more easily in a safe environment
- securely hold sensitive data and systems
The existing situation meant suppliers, partners and customers travelling to a fixed location to work from dedicated PCs. We were asked to help design and deliver a solution that provided easy to use access to a secure, collaborative and productive environment to support research and development against potentially sensitive UK data. As such, the client had stringent security requirements for storing data of significant sensitivity.
And notably our client wanted to “make it real’ within twelve weeks.
Despite some of the challenging security requirements we wanted to “shoot for the moon” and provide a solution that would really help our client deliver against their vision. Our solution to bring technology closer to their users was a centralised system with a gateway to secure, pop-up environments. This system was designed and built on top of AWS. In addition to many of the security features AWS provide out of the box such as Nitro and the Key Management Service, we implemented three factor authentication, dual level protective monitoring and advanced controls to prevent packet sniffing of data sent over remote connections, the use of a private, locked-down instance coupled with encrypted tunnelled links also allows users to securely access resources yet still prevent unwanted data exfiltration.
Our approach throughout the project could really be described as DevSecOps, and we avoided some of the classic anti-patterns we still see in this space.
Early and Regular Engagement : from day one we worked closely with the client and their security accreditor. A two way conversation describing the security requirements with potential mitigations continued throughout the delivery. Delivering security at speed was a key element of this task. It is well documented that traditional paper based review methods don’t scale, but the need to reassure stakeholders that risks are known, whether mitigated or not, is still vital. In doing so, we avoided the anti-pattern ‘Tell Don’t Ask’ where often security accreditor engagement looks like – “here’s our system, take a look and accredit it”.
Focus on Security from the Start : one of our biggest technical challenges in the twelve week timeframe available was to ensure we not only built something securely, but that it was properly engineered as well. For us, proper engineering must include treating everything as code. So all the infrastructure, all the compliance and security is baked into the codebase and re-deployable at the touch of a button (thanks to Hashicorp’s Terraform), therefore reducing compliance ‘lead time’ by embedding security into the complete software development lifecycle. Thus avoiding the anti-pattern ‘build first, secure later’.
Make Security a Feature : we prioritised security stories in our backlog alongside functional stories to meet our security requirements and deliver business value. And so we addressed the anti pattern where ‘security is not considered a feature’.
Challenge Everything : any good DevSecOps approach should ensure every control is clearly aligned to the risk it is mitigating. This helped avoid the anti-pattern ‘we’ve always done it this way’, i.e just because you used to build certain controls to mitigate risk it doesn’t mean that they will always be relevant.
Throughout the engagement we worked closely with our partners AWS, who were incredibly supportive and provided access to some of their most influential security team (including the General Manager of the AWS Key Management Store and the Vice President of AWS Cryptography) who helped provide guidance throughout. The support we received from AWS helped us build a solution that was as secure as could be whilst still being easy to use.
|In Order To||Previously||Now|
|link customer problems to suppliers’ cutting-edge R&D resources||co-locate partners on the client site||partners access collaborative environment remotely|
|allow customers and suppliers to work more closely||sharing of systems and data across customer’s privately hosted network||Prototypes, systems, data and ideas quickly shared across centralised, R&D environment|
|reduce time taken to initiate new projects||time to set-up environments from which partners could work took months||automated on-boarding of new organisations occurs within hours, and new users within minutes|
|securely hold sensitive data and systems||environments would be torn down and destroyed after research and development completed||environments can be persisted and reused at a later date|
|reduce time taken to start new projects and scale existing projects||provision of new servers and virtual machines took months||provision of new servers and virtual machines takes minutes|
This environment now enables vital research and development work contributing to help make the UK a safer place.
(The client was so pleased with our work that we also won an award for delivery).