The DfE has multiple cloud environments that have evolved over several years and accumulated technical debt as the government landscape and the cloud platforms themselves changed. The result is a lack of effective governance and control, particularly over the provisioning and ownership of resources; no consistent cloud security model and limited cloud security expertise; weak identification of risks, vulnerabilities and compliance status; and no consistent management across the different clouds and tenancies. This is compounded by the threat classes common to any cloud estate, such as vulnerable APIs, compromised credentials and broken authentication.
Talent was brought in to assess the client's security posture against industry benchmarks. We provided a strategic roadmap covering the identified risks across all security domains, architectural guidelines, and compliance dashboards to give continued visibility of progress over time. Working alongside the CSO, Talent also assessed the client's working practices and proposed a to-be security model, with particular emphasis on identity and access management for its users in the cloud.
Understanding the current security state
One objective of the cloud security assurance initiative was to give the client insight into its current security posture across its Azure tenancies, measured against best practice. To achieve this, we performed the following:
- Assessed the current as-is Identity and Access Management (IAM) operating model for each of the seven Azure tenancies.
- Conducted stakeholder interviews to understand processes and workflows: how user access is managed through the joiners, movers and leavers (JML) process, how permissions are elevated, how MFA is used, and so on.
- Reviewed the current Azure AD structures to establish whether management of all tenancies is centralised through automated processes, and to collect evidence to support risk identification.
- Identified security and financial risks arising from cloud identity threats and compliance gaps, and provided a strategic roadmap tailored to the client's organisation to improve its cloud security posture.
- Using common industry frameworks such as the Center for Internet Security (CIS) benchmarks, helped the client understand its cloud security risk posture and compliance status, and provided architectural guidance for improving cloud security governance and cyber resilience.
- Provided prioritised, actionable next steps to help the client make decisions and build a strong defence against cyber risks.
- Created several security and compliance monitoring dashboards to help the client visualise its current state across all tenants, covering:
  - the compliance results over a period of several months, presented in a Power BI report so that the client can maintain an over-time view of its compliance: the overall secure score in Azure per tenancy and subscription, with the associated recommendations for each tenant and subscription;
  - the health status of resources against the security recommendations.
- Assessed the client's documented policies as well as those implemented in Azure:
  - reviewed 27 documented security policies to understand the customer's requirements and to check that the Azure policies align with them;
  - uncovered gaps and misalignments in both the documented policies and the Azure policies, and the risk that inconsistent policies create.
Ongoing security consultation
As part of ongoing efforts to improve the client's security posture, Talent also provides on-demand consulting advice on many aspects of security; examples include, but are not limited to:
- performing security design assurance on projects (e.g. network designs, cloud economics);
- investigating potential risk exposure caused by risky configuration, such as a lack of security logging (with options to cost and enable it) and reviews of public IP address usage, with recommendations for appropriate controls to minimise the risk of exposure;
- performing application security scanning where needed (e.g. to discover the presence of vulnerabilities such as Log4j).
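The public IP review mentioned above, written out as an added example (not Talent's or the client's own tooling): a Python script that takes Azure Resource Graph rows for public IP addresses, network interfaces and network security groups, and classifies each public IP as orphaned, attached to a non-NIC resource, attached to a NIC with no NIC-level NSG, or exposed because an NSG rule lets the internet reach a management port (SSH/RDP). The NSG evaluation uses Azure's first-match semantics (lowest priority number wins, default rules included). The subscription, resource names, rules and rows are constructed assumptions shaped like real Resource Graph output; the `az graph query` retrieval step is an assumed workflow and requires the `resource-graph` CLI extension.

```python
import ipaddress

# Inputs are assumed to come from Azure Resource Graph, e.g.
#   az graph query -q "Resources | where type =~ 'microsoft.network/publicipaddresses'"
# (likewise for networkinterfaces and networksecuritygroups). The rows further
# down are constructed to match the shape of those results; they are not client data.

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def source_is_internet(prefix: str) -> bool:
    """True when an NSG source prefix admits traffic from the public internet."""
    p = prefix.strip().lower()
    if p in ("*", "internet", "any"):
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0
    except ValueError:
        return False  # other service tags (VirtualNetwork, ...) or ASGs: not internet-sourced

def port_matches(rule: dict, port: int) -> bool:
    """Handle '*', single ports, 'lo-hi' ranges and destinationPortRanges lists."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in map(str, ranges):
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def internet_exposed_ports(rules: list, ports=MGMT_PORTS) -> list:
    """First-match NSG evaluation: lowest priority number wins; pass default rules too."""
    exposed = []
    for port in ports:
        for rule in sorted(rules, key=lambda r: int(r["priority"])):
            sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
            if (rule.get("direction", "Inbound").lower() != "inbound"
                    or rule.get("protocol", "*").lower() not in ("*", "tcp")  # SSH/RDP are TCP
                    or not port_matches(rule, port)
                    or not any(source_is_internet(s) for s in sources)):
                continue  # rule does not apply to internet traffic on this port
            if rule["access"].lower() == "allow":
                exposed.append(port)
            break  # the first matching rule decides; later rules are never consulted
    return exposed

def review_public_ips(public_ips: list, nics: dict, nsgs: dict) -> dict:
    """Map public IP name -> finding. nics and nsgs are keyed by lower-cased resource id."""
    findings = {}
    for pip in public_ips:
        cfg = pip["properties"].get("ipConfiguration", {}).get("id", "").lower()
        if not cfg:
            findings[pip["name"]] = "UNATTACHED: billed but unused; release it or record an owner"
        elif "/networkinterfaces/" not in cfg:
            findings[pip["name"]] = "NON-NIC: fronts a load balancer, gateway or NAT; review that resource"
        else:
            nic = nics[cfg.split("/ipconfigurations/")[0]]
            nsg_id = nic["properties"].get("networkSecurityGroup", {}).get("id", "").lower()
            if not nsg_id:
                findings[pip["name"]] = "NO-NIC-NSG: confirm the subnet NSG before accepting"
                continue
            props = nsgs[nsg_id]["properties"]
            open_ports = internet_exposed_ports(props.get("securityRules", []) + props.get("defaultSecurityRules", []))
            findings[pip["name"]] = ("EXPOSED: " + ", ".join(f"{MGMT_PORTS[p]}/{p}" for p in open_ports)
                                     if open_ports else "OK: no management port open to the internet")
    return findings

# ---- constructed sample rows (assumed subscription and names, not real client data) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network"

def rule(name, priority, access, source, ports, protocol="Tcp"):
    r = {"name": name, "priority": priority, "direction": "Inbound", "access": access,
         "protocol": protocol, "sourceAddressPrefix": source}
    r["destinationPortRanges" if isinstance(ports, list) else "destinationPortRange"] = ports
    return r

DEFAULT_RULES = [rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
                 rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]
SAMPLE_NSGS = {
    f"{SUB}/networkSecurityGroups/nsg-web".lower(): {"properties": {"securityRules": [
        rule("AllowHttps", 100, "Allow", "Internet", "443"),
        rule("AllowSshCorp", 110, "Allow", "10.0.0.0/8", "22")], "defaultSecurityRules": DEFAULT_RULES}},
    f"{SUB}/networkSecurityGroups/nsg-jump".lower(): {"properties": {"securityRules": [
        rule("AllowMgmtAny", 100, "Allow", "*", ["22", "3389"])], "defaultSecurityRules": DEFAULT_RULES}},
}
SAMPLE_NICS = {
    f"{SUB}/networkInterfaces/nic-web".lower(): {"properties": {"networkSecurityGroup": {"id": f"{SUB}/networkSecurityGroups/nsg-web"}}},
    f"{SUB}/networkInterfaces/nic-jump".lower(): {"properties": {"networkSecurityGroup": {"id": f"{SUB}/networkSecurityGroups/nsg-jump"}}},
    f"{SUB}/networkInterfaces/nic-bare".lower(): {"properties": {}},
}
SAMPLE_PUBLIC_IPS = [
    {"name": "pip-web", "properties": {"ipConfiguration": {"id": f"{SUB}/networkInterfaces/nic-web/ipConfigurations/ipconfig1"}}},
    {"name": "pip-jump", "properties": {"ipConfiguration": {"id": f"{SUB}/networkInterfaces/nic-jump/ipConfigurations/ipconfig1"}}},
    {"name": "pip-bare", "properties": {"ipConfiguration": {"id": f"{SUB}/networkInterfaces/nic-bare/ipConfigurations/ipconfig1"}}},
    {"name": "pip-lb", "properties": {"ipConfiguration": {"id": f"{SUB}/loadBalancers/lb-1/frontendIPConfigurations/fe1"}}},
    {"name": "pip-orphan", "properties": {}},
]

if __name__ == "__main__":
    for name, finding in review_public_ips(SAMPLE_PUBLIC_IPS, SAMPLE_NICS, SAMPLE_NSGS).items():
        print(f"{name:12s} {finding}")
```

Two deliberate limits worth knowing before relying on this: it only examines the NIC-level NSG, so a subnet NSG can tighten or loosen the real picture (the NO-NIC-NSG finding exists for exactly that reason), and it treats every service tag other than Internet as non-internet, which is conservative for tags such as AzureCloud. Over a real estate, run the three Resource Graph queries per tenancy and feed the combined rows in; the UNATTACHED findings double as the cost review the passage mentions.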

Overall, Talent helped the client achieve security visibility across its multiple Azure tenants and provided visual aids that let the client maintain an over-time view of its compliance.
This allows the client to benchmark its security maturity against leading industry standards and frameworks. The proposed security operating model for IAM, which enables a smoother move to a single tenancy, was accepted, and a roadmap for the change was reviewed and communicated to senior leadership. The client is now progressing with remediation of the identified risks as agreed in the roadmap, with continued support from Talent. Reports generated since the initiative began in November 2021 have enabled leadership to make informed, risk-based cyber decisions, improve the deployment of policies, and identify the ROI on cloud security investments.
Cloud security assessment to help the client identify its security posture, devise a roadmap to address risks and continuously monitor compliance state against industrial frameworks
Department for Education
