Modernising Australia's government IT
By David Arthur, Security Architect A/NZ, F5 Networks
Tuesday, 07 June, 2022
The digital transformation of government IT, now seen as essential to delivering services faster and more effectively, accelerated dramatically when the pandemic hit. Governments are now expanding cloud environments across multiple platforms in their efforts to innovate.
The increasing use of cloud services, driven in part by the Secure Cloud Strategy, has resulted in complex multi-cloud infrastructures. These multi-cloud environments remain on the rise across Australia, not just in the public sector, and with increased adoption comes an increase in potential attack surfaces.
As government agencies accelerated their digital shift, 2021 saw a number of them fall victim to cyber breaches. Transport for NSW suffered a well-publicised breach, announcing information was taken as a result of an attack on its file transfer system.
In 2020, Service NSW was hit by an attack on its email system — which saw 3.8 million documents compromised, affecting over 180,000 NSW residents. In another example, the publishing of sensitive health and personal information affecting nearly 30,000 people led to the government promising to focus on strengthening data security arrangements.
In terms of the modernisation of services and the transfer of those services into more modern environments, the Australian Government has been somewhat behind other industries, but the transition is now well underway. Arguably the most important consideration is not to lose sight of the challenges to security.
With cybercrime estimated to cost the Australian economy approximately $42 billion per year, it’s clearly on the government radar, with all sides of politics acknowledging that we as a nation cannot afford to ignore cybersecurity.
We’ve seen several different initiatives being discussed to uplift cybersecurity hygiene and posture across all government agencies. However, acknowledging the issue is not enough. Specific challenges must be identified and addressed to ensure protection.
So, what is the best path forward for the government to modernise its IT, balancing cybersecurity concerns while not straining resources or upsetting the user experience?
Complexity is the enemy of security. As government organisations evolve to include modern applications as an integral part of function, while at the same time placing more emphasis on the digital experience of their customers, the level of complexity increases.
Security concerns within complex, multi-cloud environments must be addressed from the very beginning, which means implementing security policy from the start of an app or program, not as an afterthought.
Security deployed in a uniform stack is ideal. Especially so in complex and modern environments, it is also advisable to integrate enterprise-grade and mature security controls, so as to ensure seamless deployment and decommissioning processes.
Lack of visibility and consistency
In multi-cloud environments, each often with their own operating platform, lack of visibility and consistency between cloud platforms is an issue. Integrating new cloud technologies with existing ones makes it considerably more difficult to incorporate a consistent security posture.
IT and security teams need end-to-end visibility and policy control over all apps. If this isn’t considered in the initial stages, it can pose a major risk. The use of a single dashboard to ensure visibility, and a holistic view of the application portfolio, is critical for adequate protection.
Protecting channels of communication
Application programming interfaces (APIs) are the digital gateways to modernisation for legacy apps, and to an ecosystem of innovation for modern apps — a common example is the integration of services like Medicare, Centrelink and the ATO in MyGov. Though hugely beneficial as they allow third parties to interact programmatically with services, the security element is often forgotten.
Security teams have generally been blindsided by the proliferation of APIs and as they are designed to communicate data, they represent a significant risk to sensitive information. Security across API endpoints is a common threat vector. Security controls needed at the API level include continuous monitoring and protection of API endpoints, embracing zero-trust and risk-based security principals, and the ability to react to a changing application life cycle.
When an environment is modern, the security controls and practices must be too.
As digital transformation continues to push modernisation efforts, complex multi-cloud environments are going to become more and more common. But expanded and improved services should not come at the cost of security or complexity. Governments at all levels must be able to maintain visibility and effectively secure all services across all platforms.
One of the growing risks to organisations and government agencies is a workforce that is unable...
Ransomware is just the top of the cybercriminal iceberg. More sophisticated and savvy cyber...
Large or small, any government organisation, school district or higher education institution is...