Ministry of Justice
Security baseline in the Public Cloud
All the Cloud
The MOJ are big users of public and private clouds to operate over 800 different technology systems ranging from internal IT tools/solutions (device management for laptops, WiFi etc) to case management solutions used for administering over £1 billion a year in legal aid, as well as brand new digital services.
Cloud is as secure as you make it
Providers like AWS create powerful tooling and services that you can use to keep systems and data safe in the cloud (often safer than in a private datacentre where you have to do everything yourself, and likely do it worse) -- but you have to actually use those tools and services to benefit from them.
Our baseline for our AWS accounts
We have over 120 AWS accounts and counting, and for good operational reasons they can be configured differently. We wanted to ensure they all met a common baseline… so we wrote one.
We believe ‘security’ can work in the open, so in addition to publishing the MOJ’s IT policies as part of a cyber security guidance microsite, we have published our security baseline for MOJ Amazon Web Services accounts.
Why we did what we did
AWS have a lot of services and you can leverage their platforms in a great number of ways. We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonably high-effort tasks for teams but ensuring we avoid common bad practice missteps like leaky S3 buckets.
We chose generally accepted good practices (for example, encryption); things that are a mixture of security and operational for good account/resource management (tagging); and leveraging powerful AWS platforms that offer a lot of security with minimal effort (AWS GuardDuty).
We included ‘monitoring’ and ‘resolution/escalation’ to catch any regressions and course correct. We preferred automated resolution over escalation to humans but worked to ensure that humans are involved where they should be, to make decisions that are not always black/white and thus easily programmable.
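The split between automated resolution and human escalation described above, sketched as an added example (not MOJ's published baseline code or CloudFormation). The check names, the required tag set, the snapshot format and the choice of which findings escalate are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed tag set for illustration; not taken from the MOJ baseline.
REQUIRED_TAGS = {"owner", "application", "environment"}

@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    action: str  # "auto-remediate" or "escalate"

def evaluate(snapshot: dict) -> list:
    """Compare an account snapshot with baseline-style checks and pick a response."""
    findings = []
    if not snapshot.get("guardduty_enabled", False):
        # Enabling a detector is unambiguous, so it can be automated.
        findings.append(Finding("account", "guardduty-enabled", "auto-remediate"))
    for bucket in snapshot.get("buckets", []):
        name = bucket["name"]
        if not bucket.get("encrypted", False):
            findings.append(Finding(name, "encryption-at-rest", "auto-remediate"))
        if bucket.get("public", False) and not bucket.get("public_exception_approved", False):
            # A bucket can be public on purpose; without a recorded exception
            # a person has to decide, so this is not auto-closed.
            findings.append(Finding(name, "no-public-access", "escalate"))
        missing = REQUIRED_TAGS - {key.lower() for key in bucket.get("tags", {})}
        if missing:
            # Automation cannot know who owns a resource; ask the team.
            findings.append(Finding(name, "tags:" + ",".join(sorted(missing)), "escalate"))
    return findings

def summarise(findings: list) -> dict:
    """Group findings by the response they need."""
    grouped = {"auto-remediate": [], "escalate": []}
    for finding in findings:
        grouped[finding.action].append((finding.resource, finding.check))
    return grouped

# Constructed sample input: one compliant bucket, one that regressed.
SAMPLE_SNAPSHOT = {
    "guardduty_enabled": False,
    "buckets": [
        {"name": "case-docs", "encrypted": True, "public": False,
         "tags": {"Owner": "team-a", "Application": "cases", "Environment": "prod"}},
        {"name": "web-assets", "encrypted": False, "public": True,
         "tags": {"Owner": "team-b"}},
    ],
}

if __name__ == "__main__":
    print(summarise(evaluate(SAMPLE_SNAPSHOT)))
```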
Journey over destination
The baseline is our current minimum security posture for our MOJ AWS accounts - not what we think is a gold standard. This helps set a bar but gives teams latitude for doing things differently when they need to.
Do the hard work to make it simple
The 4th government design principle is “do the hard work to make it simple” so we did exactly that: over 120 unique ways of implementing the new baseline didn’t make any sense, so we wrote and published a whole load of CloudFormation to help our colleagues implement the baseline quickly and easily.
AWS SecurityHub is fairly new so we’re going to continue helping teams roll out our baseline and then take stock to see if we can make the baseline a little easier to implement, or whether we’re ready to raise the bar even higher because our MOJ colleagues already do a great job managing our systems safely in the Cloud.
All the Clouds
As mentioned above, the MOJ also uses other public cloud solutions including Microsoft Azure and Heroku. As we have for AWS, we will write security baselines for those as well, publishing them as part of our cyber security guidance microsite.
Psst, we are also hiring! If you’re interested in working in a fun, expert, diverse team keeping the very heart of the Justice system safe then have we got a URL for you to click!