UKA correspondent

Thursday 23 February 2017

NCSC builds IT environment on SaaS and IaaS

National Cyber Security Centre points to use of Office 365 as main productivity tool

The Government’s cyber security body has placed a strong emphasis on software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) in creating its IT architecture, and highlighted the choice of Office 365 as its productivity tool.

The National Cyber Security Centre (NCSC) has outlined the move in a blogpost, following on from its earlier announcement that it had decided to build its IT system in-house.

Chief architect Richard C says office productivity has been the area in which it is most comfortable using SaaS, as it could fully understand the security properties and articulate the risks.

The NCSC chose Office 365 because it believed it to be the best for the context in which it is working – emphasising it is not an endorsement for all purposes – and says that configuring the software has required significant work.

It has chosen other SaaS products for purposes in which the data is less sensitive, such as project planning collaboration tools for publishing content.

Security roles

The blog says it has opted for IaaS services for underpinning security, for roles such as device management, user identity and the trust infrastructure.

“In those cases we chose to use IaaS services where we could rely on a strong security boundary – the hypervisor,” it says. “Here we didn’t pick just one cloud provider, we chose to build across two different IaaS offerings.”

Another decision has involved limiting the choice of devices for most users to either a laptop or tablet running Windows 10, although those confirmed to have a specific need can also use a smartphone running Apple iOS.

“We were careful in our initial choice of devices to ensure the hardware based protections we wanted were available and easy to configure,” the blog says, adding that there are plans to open up the infrastructure to other devices and platforms.

The Windows and Apple devices are subject to individual mobile device management systems.

A further element has been the creation of a metro app for Windows devices to communicate outside the virtual private network. As soon as the user is online the app closes and the VPN comes up automatically.

Image: Harland Quarrington/MoD, Open Government Licence v1.0 through Wikimedia