Okta Q&A: Digital transformation and legacy tech renewal in government

Think Digital Partners speaks to Ian Lowe, solutions marketing director at Okta, about the key drivers and challenges the UK government faces as it transitions away from legacy infrastructure. We examine issues such as cybersecurity, cloud migration, and a possible overreliance on Microsoft technology.

Posted 31 January 2022 by Christine Horton

Digital transformation has been a top priority for the UK government for some time now, but do you think they’re paying enough attention to cybersecurity?

The big conversation about government digital transformation started in earnest after 2010, and since then discussions have focused on two goals: reducing costs by retiring legacy systems, and improving the citizen experience. Cybersecurity hit the national agenda as a standalone topic later, in around 2015. Although government has made significant progress on cyber since then, there has been a lack of strategic connection with those broader digital transformation programmes – which are big, slow and hard to turn around once moving.

As a result, cybersecurity is still often seen as an afterthought for many government authorities today, often leading to a reactive, delayed approach when responding to imminent risks or data breaches. Yet, as the number of cyberattacks on UK government institutions continues to rise, IT and Security leaders must reassess how they respond to this growing crisis and begin developing more long-term, proactive strategic approaches that put identity-centric cybersecurity at the heart of all new digital services and architectures.

Over the past decade there’s been a lot of rhetoric within the UK government around cloud adoption. Considering this, do you feel that the cloud is playing an important enough role in digital transformation today, and has the UK government stayed true to its word?

There was a lack of precision early on about the goals of cloud adoption. There were many worthy but very different ambitions in the mix: enabling cost-effective legacy retirement by moving workloads off-premises; using commodity services rather than expensive solutions bespoke for government; adopting more flexible pay-as-you-go pricing models; increasing competition by working with nimble Small to Medium Enterprises (SMEs) rather than a few giant systems integrators. The way in which G-Cloud was presented reinforced that ambiguity. Many didn’t realise that it was a procurement framework, not a government cloud – and although G-Cloud has been extremely successful in channeling government tech spending to SMEs, the overwhelming share of that spend has been on consultancy rather than cloud services.

Over time it’s become easier to see how those different ambitions have played out. Government has succeeded in increasing competition in its supplier base and made progress on legacy retirement. Much cloud adoption has been private or hybrid, which is to be expected given low risk tolerance and the sensitivity of some workloads. But government bodies continue to build many new services from scratch, rather than using commercial off-the-shelf Software as a Service (SaaS) and Platform as a Service (PaaS). The risk is an inevitable build-up of technical debt, and the creation of tomorrow’s legacy systems – as happened with GOV.UK Verify – which has been criticised by bodies including the National Audit Office (NAO).

Is our government trying to fix its legacy problems by simply standardising on Microsoft technology? If so, is this a good idea given how much time and effort government has spent over the years trying to reduce its reliance on a small number of tech suppliers?

Given the strength of the government’s early ambition to reduce its dependency on the ‘oligopoly’ of tech giants, it’s interesting to see how reliant the public sector remains on a limited group of market leading players. Though large tech suppliers can look attractive from a short-term cost perspective, as the government found with the large outsourcers a decade ago, such growing reliance is a strategic weakness and increases long term cost by locking out both competition and innovation.

Of course CTOs face tough choices: after all some areas of the IT estate, notably the desktop, are inherently dominated by Microsoft. But it is possible, desirable and preferable to create a best-of-breed enterprise architecture that delivers cost, performance, flexibility and resilience without relying on all-Microsoft components.

Current solutions

Whilst cloud is the first choice for new digital services, what can be done when applications are too old to transfer to new infrastructure?

The business case for retiring old systems can sometimes look less attractive than continued running, particularly in government where annual funding cycles may work against sound long term planning. However, CTOs should also consider that many older legacy applications with weak, outdated security are a primary target for cybercriminals to attack. Meanwhile, the increasing maintenance costs that grow as the pool of appropriately skilled and knowledgeable staff shrinks will only continue driving up IT expenses even further in future.

That said, there are some great cloud-centric options for CTOs to make significant iterative improvements to legacy on-premise systems. Tackling the complex web of on-premise identity and access management systems that many large organisations have developed over the years is one. From a cybersecurity point of view it’s far better to create a single source of truth for identity: the typical mishmash of identity stores, overlapping profiles and business rules that characterises many complex environments increases risk. It’s also possible to layer modern, advanced security over on-premise systems that use legacy protocols.

Yet, moving to the cloud doesn’t always mean cloud only. And with a modern cloud solution, like Okta, for example, CTOs within government organisations get the best of both worlds, giving them the flexibility to make incremental changes across both cloud and legacy technologies as and when needed.

The National Audit Office report states that simply moving legacy systems into the cloud without other improvements will not resolve all the complexity, costs, and risks associated with legacy systems. Considering this, what other improvements must be addressed for full ROI?

The National Audit Office is absolutely right: without changes to the way in which government plans, funds and assures major transformation projects, it will be difficult to achieve their potential benefits.

Traditional funding models can sometimes mean that government departments build new digital services without the funding to maintain them in the future: that’s not just a waste, it’s also a significant risk to future service quality and resilience. Ideally both capital and resource funding would be ringfenced far in advance, but even then there’s a danger of locking in the details of huge projects that are far too ambitious to deliver, and quickly become outdated. NAO also described the government’s tendency to over-specify technical details as a weakness, decreasing its commercial options and reducing space for evolution and innovation. Dividing big goals into smaller, manageable chunks greatly improves agility, and goes a long way to de-risk projects.

But even more fundamentally, reflecting on the most appropriate delivery model – buy or build – is a crucial part of assuring a return on investment. In this we agree with NAO that government would “benefit from being a fast follower of innovation in the private sector”. Rather than building new bespoke infrastructure, it can be much more effective for departments to buy already proven, off-the-shelf technology where it exists.

Okta solution

While developing their own SSO, MFA and other identity solutions is an option for many government organisations, what advantages could they gain by looking externally to specialist technology providers rather than building it themselves?

Using commercial, off-the-shelf technology from a specialist provider dramatically reduces the risk and time to deliver a working solution, since it is already available and proven in the market. This option is also more financially sustainable for government organisations, since everything – including security and performance upgrades, and a full product feature roadmap – is baked into the operating cost from the start.

One perennial challenge for government organisations that develop software in-house is the lack of access to skilled technical resources, due to differences in pay and conditions with the private sector. Add to that the general lack of expertise and experience most in-house developers have in building complex identity and security solutions, and it’s clear to see how working with an external provider that’s better positioned to recruit, retain, and invest in highly skilled technical staff can allay this concern.

The same principle applies when it comes to cybersecurity. As NAO notes, “cloud providers can use economies of scale and concentration of expertise to offer a level of security that would be economically or operationally difficult for many organisations to provide on their own”. We believe that a significantly higher level of cyber assurance is a particularly important benefit of working with external providers.

How do you feel an agile cloud identity solution like Okta fits into the digital transformation strategies that government organisations are adopting today?

Government organisations that intend to take NAO’s advice and work with commercial technology providers, rather than building their own infrastructure from scratch, will be reassured to see Okta’s credentials. As well as being the world’s #1 Identity and Access Management solution, as validated by Forrester, Okta is trusted by 13,000 customers worldwide, and our technical, operational, and financial strength means that we can offer a level of cyber assurance around risk, resilience, and the future roadmap that’s simply not possible with DIY.

Moreover, as a cloud-native company, Okta can deliver immediate value to organisations no matter where they are in their digital transformation journey, and regardless of whether their existing systems are in the cloud or on-premises.

As we’ve seen, large and complex digital transformation programmes can take many years to deliver, and the government just can’t afford to wait before mitigating legacy cyber risks. Okta is supporting many organisations tackling those problems in a pragmatic way, for example by retiring legacy directories, or extending single sign-on to new services and applications for citizens and workers. But for those which have incorporated cybersecurity into their overall strategy and enterprise architecture, Okta is a fundamental enabler of zero trust. Our solutions provide a single view of identity across all applications, vendors, devices, users, roles and networks, enabling granular risk-based authentication.