Ministry of Justice
Security baseline in the Public Cloud
All the Cloud
The MOJ are big users of public and private clouds to operate over 800 different technology systems ranging from internal IT tools/solutions (device management for laptops, WiFi etc) to case management solutions used for administering over £1 billion a year in legal aid, as well as brand new digital services.
Cloud is as secure as you make it
Providers like AWS create powerful tooling and services that you can use to keep systems and data safe in the cloud (often safer than in a private datacentre where you have to do everything yourself, and likely do it worse) -- but you have to actually use those tools and services to benefit from them.
Our baseline for our AWS accounts
We have over 120 AWS accounts and counting, and for good operational reasons they can be configured differently. We wanted to ensure they all met a common baseline… so we wrote one.
We believe ‘security’ can work in the open so in addition to publishing the MOJ’s IT policies, as part of a cyber security guidance microsite, we have published our security baseline for MOJ Amazon Web Services accounts.
Why we did what we did
AWS have a lot of services and you can leverage their platforms in a great number of ways. We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonably high-effort tasks for teams but ensuring we avoid common bad practice missteps like leaky S3 buckets.
We chose generally accepted good practices (for example, encryption); things that are a mixture of security and operational for good account/resource management (tagging); and leveraging powerful AWS platforms that offer a lot of security with minimal effort (AWS GuardDuty).
We included ‘monitoring’ and ‘resolution/escalation’ to catch any regressions and course correct. We preferred automated resolution over escalation to humans but worked to ensure that humans are involved where they should be, to make decisions that are not always black/white and thus easily programmable.
Journey over destination
The baseline is our current minimum security posture for our MOJ AWS accounts - not what we think is a gold standard. This helps set a bar but gives teams latitude for doing things differently when they need to.
Do the hard work to make it simple
The 4th government design principle is “do the hard work to make it simple” so we did exactly that: over 120 unique ways of implementing the new baseline didn’t make any sense, so we wrote and published a whole load of CloudFormation to help our colleagues implement the baseline quickly and easily.
AWS SecurityHub is fairly new so we’re going to continue helping teams roll out our baseline and then take stock to see if we can make the baseline a little easier to implement, or whether we’re ready to raise the bar even higher because our MOJ colleagues already do a great job managing our systems safely in the Cloud.
All the Clouds
As mentioned above, the MOJ also uses other public cloud solutions including Microsoft Azure and Heroku. Like we have for AWS, we will write security baselines for those as well, publishing them as part of our cyber security guidance microsite.
Psst, we are also hiring! If you’re interested in working in a fun, expert, diverse team keeping the very heart of the Justice system safe then have we got a URL for you to click!