The Department for Business, Energy and Industrial Strategy has its current Information Services delivered and hosted on the Public Services Network (PSN), where the Network itself is a secured “Official” environment. This provides a safe transport system which allows data to traverse the network in an unencrypted state. The department is undergoing the replacement of this legacy system and is adopting a Cloud based solution consisting of loosely coupled services, where the bearer network utilises the Internet as a cheaper, readily available means of connectivity.
Core services such as identity management and web security are hosted out of Amazon Web Services (AWS) and Microsoft Azure. To maintain security, this model utilises the principle of securing the endpoints rather than the bearer network.
However, the department currently utilises a multitude of Business Applications which sit on the secure bearer network (hosted in multiple data centres) and rely on this for their security model. This creates a problem in that the business will still need access to these applications both through transition and once the staff are working on the new IT system. This ultimately requires that users migrated to the new service have the ability to ‘reachback’ into the legacy secure networks to authenticate and consume services.
The problem space requires mechanisms to deal with both ‘client to system’ and ‘system to system’ communication services. The former is the communication between the end user device and the service it consumes, while the latter is the communication between the legacy service and the new services to conduct user authentication and access services. In order to enable these communications, we needed to establish a route from the cloud-based AWS environment to the encrypted PSN environment, which involved extending our secure Virtual Private Network (VPN) into the AWS environment, terminating in a Virtual Private Cloud, and establishing inter-VRF routeing between the unencrypted and encrypted networks.
By creating this linkage, we can create system to system communications to allow Active Directory Trusts to enable the authentication of users trying to consume services between the Directory Services in the new AWS environment and the legacy application Directory Services in the PSN domain. To enable user traffic, we needed to ensure that the traffic from the end user device over the internet is secured up to the point where it interfaces with the AWS reachback VPC. In order to achieve this, we utilised the capabilities of the Zscaler Private Access product. This uses a combination of techniques to establish a dynamic secure connection from the End User Device to the termination point in the AWS-PSN VPC; this is a ‘VPN-like’ capability with the advantage that it is created across the internet dynamically, providing a more flexible solution than traditional ‘static’ VPNs.
Having assured the End User Devices we have been able to provide a service to the department’s staff which allows them to continue to access their Business Critical Applications through a secure ‘reachback’ mechanism which appears seamless to the user.
This has enabled the department to migrate from its legacy service to a new cloud-based service within its required timelines, while retaining access to its business applications in the legacy PSN environment and maintaining the appropriate security controls around the disparate services. This solution has allowed the department to leverage the invest-to-save benefits of replacing its expensive legacy IT infrastructure with a modern and capable infrastructure for the future.