https://mojdigital.blog.gov.uk/2019/06/14/security-baseline-in-the-public-cloud/

Security baseline in the Public Cloud

All the Cloud

The MOJ are big users of public and private clouds to operate over 800 different technology systems ranging from internal IT tools/solutions (device management for laptops, WiFi etc) to case management solutions used for administering over £1 billion a year in legal aid, as well as brand new digital services.

We mainly use Amazon Web Services (AWS) and Microsoft Azure for commodity public cloud hosting.

Cloud is secure as you make it

Providers like AWS create powerful tooling and services that you can use to keep systems and data safe in the cloud (often safer than in a private datacentre where you have to do everything yourself, and likely do it worse) -- but you have to actually use those tools and services to benefit from them.

Our baseline for our AWS accounts

We have  over 120 AWS accounts and counting, and for good operational reasons they can be configured differently. We wanted to ensure they all met a common baseline… so we wrote one.

We  believe ‘security’ can work in the open so in addition to publishing the MOJ’s IT policies, as part of a cyber security guidance microsite, we have published how our security baseline for MOJ Amazon Web Services accounts.

Why we did what we did

AWS have a lot of services and you can leverage their platforms in a great number of ways. We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonable high-effort tasks for teams but ensuring we avoid common bad practice missteps like leaky S3 buckets.

We chose generally accepted good practices (for example, encryption); things that are a mixture of security and operational for good account/resource management (tagging); and leveraging powerful AWS platforms that offer a lot of security with minimal effort (AWS GuardDuty).

We included ‘monitoring’ and ‘resolution/escalation’ to catch any regressions and court correct. We preferred automated resolution over escalation to humans but worked to ensure that humans are involved where they should be, to make decisions that are not always black/white and thus easily programmable.

Journey over destination

The baseline is our current minimum security posture for our MOJ AWS accounts - not what we think is a gold standard. This helps set a bar but gives teams latitude for doing things differently when they need to.

Do the hard work to make it simple

The 4th government design principle is “do the hard work to make it simple” so we did exactly that: over 120 unique ways of implementing the new baseline didn’t make any sense, so we wrote and published a whole load of CloudFormation to help our colleagues implement the baseline quickly and easily.

Onwards

AWS SecurityHub

AWS SecurityHub is fairly new so we’re going to continue helping teams rollout our baseline and then take stock of where to see if we can make the baseline a little easier to implement, or whether we’re ready to raise the bar even higher because our MOJ colleagues already do a great job managing our systems safely in the Cloud.

All the Clouds

As mentioned above, the MOJ also uses other public cloud solutions including Microsoft Azure and Heroku. Like we have for AWS, we will write security baselines for those as well, publishing as part of our cyber security guidance microsite.

Don't forget to sign up for updates

Psst, we are also hiring! If you’re interested in working in a fun, expert, diverse team keeping the very heart of the Justice system safe then have we got a URL for you to click!

Sharing and comments

Share this page

Leave a comment

We only ask for your email address so we know you're a real person

By submitting a comment you understand it may be published on this public website. Please read our privacy notice to see how the GOV.UK blogging platform handles your information.