Government Digital Service (GDS)
Hackney Council’s approach to moving to a cloud-first model from the PSN
Find out how Hackney Council moved services to the internet and lessons learned from the migration.
This case study is part of guidance on moving to modern network solutions and away from legacy networks.
The London Borough of Hackney wanted to migrate as many of its services as possible from the Public Services Network (PSN) to the internet. Hackney wanted to use the internet to provide:
- an easier and a more convenient user experience
- a more secure and cost effective way of sharing data with other organisations
- its IT team with a way to constantly monitor compliance and network security to manage issues instead of waiting for scheduled checks like penetration tests
The migration included moving email to Google’s G Suite.
Hackney used the PSN to:
- let staff connect to the Joint Asset Recovery Database (JARD) - a national database used by financial investigators, prosecutors and enforcement staff
- let staff send email using gsi.gov.uk addresses
- run the Domain Name System (DNS) to support JARD and email
- access Department of Work and Pensions (DWP) services
- provide onward connectivity to the NHS Health and Social Care Network (HSCN)
Hackney still uses the PSN to access JARD and services like Blue Badge.
How Hackney moved to the internet
The council moved away from government .gsi email domains and implemented Transport Layer Security (TLS) in response to the securing government email guidance and upcoming decommission of the GCSx email service.
Hackney’s IT department has around 100 staff, supporting 3,500 users across the council, and occasionally uses third-party suppliers. The team had lots of experience so all migration activity was carried out in-house.
Hackney now forces a TLS connection to all the main public sector domains (gov.uk, police.uk, nhs.net, mod.uk, cjsm.net). If an email fails to deliver, the sender would get a non-delivery report, but the IT team has not seen this happen. Hackney staff know they should contact their internal service desk if this happens so they can get help to try again or use a different route.
The IT team is now working to further enhance their security practices through introducing a ‘red team’ approach. The team will proactively scan the external interfaces of services and imitate the steps a hacker might take to gain access to identify risks so that mitigating actions can be taken swiftly.
Hackney also uses the National Cyber Security Centre’s (NCSC’s) Mail Check and Web Check tools, which help increase security across government by providing additional assurance against services that Hackney presents externally.
Hackney is also working to provide access to on-premise services, such as their intranet, service desk portal, and finance system, using the internet, via any standard browser. This will allow users who authenticate themselves successfully to access services from anywhere. If a corporate service presented over the internet allows offline access, then users will require a trusted device.
Challenges of migrating to the internet
One of the biggest challenges of migrating to the internet is managing a centralised identity and authentication approach. Hackney would like to encourage interoperability. However, this is only possible with systems that are designed to work with open standards.
For example, Hackney would like to help staff access legacy applications from anywhere with a single sign-on with Microsoft Internet Information Services (IIS) over the web.
Hackney introduced a reverse proxy to:
- present a previously ‘internal only’ call logging service externally
- ensure secure connections between users and the internal service
Before plugging any service into its Security Assertion Markup Language (SAML) authentication solution, the team first have to add the service to their identity provider to authenticate users. In some cases, this procedure will only work if no other backend requests are made through the service using old authentication types. If the service uses old authentication types like NTLMv2, it’s possible to end up with a situation where users can successfully authenticate to what is now a broken service.
The IT team will now require all future services to support the SAML protocol or Open Authorisation (OAuth) for end user authentication and access control. However, many of Hackney’s legacy services do not support these. The council took a couple of approaches to protecting these services while still providing them to the internet by using:
- multi-factor authentication for all internet facing services storing OFFICIAL information
- a cloud identity service to simplify the end user experience
Hackney tried to use a native web application to present legacy applications. If that is not possible they use VMware to present a Windows application, or virtual desktop infrastructure if the application still needs to integrate with other Windows services.
In all cases, the team still present everything through HTML5 so it feels more like a web service to end users.
Benefits of the migration
Since migrating away from the PSN to the cloud, Hackney Council has:
- improved reliability and provided more flexible services for end users
- started to remove PSN-related infrastructure, which is helping to reduce data centre costs and IT administration effort
- improved security through mandating industry standard security controls and NCSC guidance
Lessons learned from the migration
Hackney found it valuable to run planning workshops to help:
- agree key principles
- talk about proposed solutions
- avoid forcing preconceived ideas and plans onto teams
- highlight the benefits of the migration to the cloud
- get buy-in from across the organisation
The team found that getting backing from an impartial source like a Chief Technology Officer or a senior architecture colleague was important. This made sure the project was supported effectively and was not seen as just a security-led activity.
During the migration, Hackney found some suppliers had not yet caught up with the way government now approaches technology and security. The council had to push some vendors to use open standards and provide cloud-based solutions. For example, Hackney wanted cloud-connected printers but found this difficult to explain to some suppliers and is still in the middle of procuring these.
Outcomes of the migration
Hackney switched to a cloud-based email service by following the GOV.UK secure email guidance. This process took about 4 months after the business case and budget was approved. Most of the migration complexity centred on deciding if archive mailboxes and distribution lists were still needed.
Hackney holds a current PSN compliance certificate and will continue to use the PSN for services such as Blue Badge and connecting to DWP for policy updates and queries on revenues and benefits.
The council will continue to migrate to web and mobile technologies as part of its adoption of a zero trust architecture.
For more information on how to migrate to modern networks you can email email@example.com.
Latest News from
Government Digital Service (GDS)
Introducing GOV.UK Accounts23/09/2020 12:25:00
Blog posted by: Jen Allum – Head of GOV.UK, 22 September 2020 – Categories: GOV.UK.
As social media changes, so does GDS’s Playbook21/09/2020 15:20:00
Blog posted by: Vanessa Schneider, 21 September 2020 – Categories: Accessibility, Content design, GDS team, People and skills.
Developers lead cross-government collaboration on GOV.UK Notify18/09/2020 14:10:00
Blog posted by: Liz Catherall, Delivery Manager, Department for International Trade, 18 September 2020 – Categories: GOV.UK Notify, Ways of working.
Leading the digital, data and technology (DDaT) response to coronavirus15/09/2020 13:10:00
The UK government’s rapid digital response to coronavirus (COVID-19) was a result of 10 years of investment in people, governance and technology. The ability to respond quickly and effectively was a result of the existing digital leadership and processes that already existed thanks to the work of the Government Digital Service (GDS).
Promoting gender equality and social inclusion through public procurement10/09/2020 16:20:00
Blog posted by: Iain Boyd, Sabrina Martin, Connie McKimm and Scarlet George, 10 September 2020 – Categories: Global Digital Marketplace.
How we built and ran ‘Introduction to content design’, and how to sign up08/09/2020 15:20:00
Blog posted by: Agnieszka Murdoch, 08 September 2020 – Categories: Content design, People and skills.
Can GOV.UK Notify help the public sector write better emails, text messages and letters?19/08/2020 14:10:00
Blog posted by: Karl Chillmaid, 18 August 2020 – Categories: GOV.UK Notify, User research.
Podcast: The DDaT Fast Stream at GDS30/07/2020 15:20:00
Blog posted by: GDS team, 30 July 2020 – Categories: Digital, Data and Technology, People and skills, Podcast.