Transforming the Department for Business, Energy & Industrial Strategy

Back Office Digital Transformation and Solutions

 

Enabling access from cloud-based commodity service desktops to legacy applications in elevated security domains.


The Challenge

The Department for Business, Energy & Industrial Strategy had its Information Services delivered and hosted on the Public Services Network (PSN), where the network itself was a secured “Official” environment. This provided a safe transport system which allowed data to traverse the network in an unencrypted state. The department engaged with Visionist to design and develop a digitally transformed service, adopting a cloud-based solution consisting of loosely coupled services where the bearer network is the Internet, a cheaper and readily available means of connectivity.

Core services such as identity management and web security are hosted out of Amazon Web Services (AWS) and Microsoft Azure. To maintain security, this model utilises the principle of securing the endpoints rather than the bearer network.

However, the department required access to a multitude of Business Applications which sit on the secure bearer network (hosted in multiple data centres) and rely on this for their security model. This creates a problem in that the business will still need access to these applications both through transition and once the staff are working on the new IT system. This ultimately requires that users migrated to the new service have the ability to ‘reachback’ into the legacy secure networks to authenticate and consume services.

I was reminded today of how efficient and effective Visionist are in the work they undertake.

Programme Director – The Department for Business, Energy & Industrial Strategy

The Process

The problem space requires mechanisms to deal with both ‘client to system’ and ‘system to system’ communication. The former is the communication between the end user device and the service it consumes, while the latter is the communication between the legacy service and the new services to conduct user authentication and access services. To enable these communications, Visionist established a route from the cloud-based AWS environment to the encrypted PSN environment. This involved extending our secure Virtual Private Network (VPN) into the AWS environment, terminating it in a Virtual Private Cloud (VPC), and establishing inter-VRF routing between the unencrypted and encrypted networks.

By creating this linkage, we can create ‘system to system’ communications that allow Active Directory Trusts between the Directory Services in the new AWS environment and the legacy application Directory Services in the PSN domain, enabling the authentication of users trying to consume services. To enable user traffic, we needed to ensure that traffic from the end user device over the internet is secured up to the point where it interfaces with the AWS reachback VPC. To achieve this, we utilised the capabilities of the Zscaler Private Access product. This uses a combination of policies to establish a dynamic secure connection from the End User Device to the termination point in the AWS-PSN VPC. It is a ‘VPN-like’ capability with the advantage that it is created across the internet dynamically, providing a more flexible solution than traditional ‘static’ VPNs.

I for one am delighted with my new Cirrus kit. I’m still learning how to get the best from it but to be able to function close to 100% from day one is remarkable in my experience of IT projects.

Programme Director – The Department for Business, Energy & Industrial Strategy

The Outcome

Having designed, developed and deployed the End User Devices, we have been able to provide a service to the department’s staff which allows them to continue to access their business-critical applications through a secure ‘reachback’ mechanism which appears seamless to the user.

This has enabled the department to migrate from its legacy service to a new cloud-based service within its required timelines, while retaining access to its business applications in the legacy PSN environment and maintaining the appropriate security controls around the disparate services. This solution has allowed the department to realise the invest-to-save benefits of replacing its expensive legacy IT infrastructure with a modern and capable infrastructure for the future, with an £8 million positive NPV.
