Our public sector client was embarking on its cloud strategy and engaged Deloitte to develop and manage an AWS landing zone as the foundation for its cloud-hosted workloads, the first of which is a content management system and public-facing website that provides guidance on, and access to, its online services. The nature of the information processed, and the role the body plays in delivering public services, impose mandatory regulatory requirements on the contractual arrangements it can enter into and data protection requirements on its workloads, which both our technical solution hosted on AWS and the managed services we deliver must abide by. To provide the highest level of citizen information privacy, the body wished to host its own video streaming service and web analytics solution as part of the web hosting workload rather than use the third-party cloud services popular with most organisations. To achieve these goals, our client was seeking a partner that could accelerate its cloud journey by combining deep AWS solution best practice with service management, workload migration, cloud governance and digital sovereignty expertise.
Using our Deloitte Solution Development Methods and Best Practices methodology, we initiated the project by evaluating the project environment and the functional and non-functional requirements, and identifying the associated risks and constraints from an operational, business and compliance perspective. A key element was the gathering of information security and digital sovereignty requirements, used as input to the subsequent architecture design, AWS product and service selection, and a requirement validation step to ensure that constraints were adhered to and appropriate controls were included to eliminate residual risk or reduce it to an acceptable level. Using the same methodology we defined the risk management and deliverable governance model (which undergoes our Quality and Risk Management framework review processes) and established appropriate review boards and record keeping for the project execution.
With the requirements and constraints understood, and the architecture design and the data privacy and information security controls agreed, our delivery started with establishing an AWS landing zone. The goal of the landing zone was to provide a foundation for hosting both planned and future workloads, with the detective and preventative controls necessary to achieve the required information security and data privacy posture. This included ensuring that all information stayed within the EEA (and ideally Ireland), providing appropriate BCP capability including the interfaces with on-premises services, and putting in place a support and management function with the technical and organisational measures needed to meet data protection requirements, together with a clear and practical exit strategy should it be needed. Using the AWS Landing Zone Accelerator combined with AWS Control Tower enabled us to automate the implementation of the detective and preventative controls, backed by the third-party audit attestations available from AWS Artifact and implemented following AWS Well-Architected best practice. This approach provides an ongoing compliance foundation for both the migration work completed and future workloads, using a centrally managed and enforced set of guardrails: an AWS Control Tower managed AWS Organization, with CloudTrail, Service Control Policies, Network Firewall, GuardDuty and Security Hub, allows policy-based controls to enforce a common set of mandatory controls (such as preventing the use of unapproved AWS regions), with role-based policies used to provide environment-specific guardrails.
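The region guardrail mentioned above is typically expressed as a Service Control Policy (SCP) attached to an organizational unit. The following is an added example, not the policy used on this project or any Deloitte artefact: it builds an SCP that denies regional API calls made outside the approved regions and carves out global services that are not regional (IAM, Organizations, STS and so on), and it includes a deliberately narrow evaluator for this one policy shape so the effect on a few constructed API calls can be checked offline. It assumes `eu-west-1` (Ireland) is the primary approved region; the page does not name the approved DR region, so that value is a labelled placeholder.

```python
"""Region guardrail expressed as an AWS Service Control Policy (SCP).

Added example, not the policy from the page or from the project it describes.
Assumes eu-west-1 (Ireland) plus one approved European DR region, which the
page does not name and which is therefore a placeholder here.
"""
import fnmatch
import json

# Assumption: the page names Ireland but not the DR region.
APPROVED_REGIONS = ["eu-west-1", "APPROVED-DR-REGION-PLACEHOLDER"]

# Services whose APIs are not regional. Denying them by region would lock
# administrators out of account management, so they are carved out with NotAction.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "cloudfront:*",
    "route53:*", "support:*", "budgets:*", "health:*",
]


def build_region_scp(approved_regions=APPROVED_REGIONS):
    """Return an SCP denying every regional API call made outside approved regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRegionalCallsOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(approved_regions)}
                },
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """Case-insensitive match of an action such as ec2:RunInstances against iam:* style patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def is_denied_by_scp(scp, action, requested_region):
    """Simplified evaluation of the SCP above for one API call.

    Covers only what this policy shape uses (Effect Deny, Action/NotAction,
    StringNotEquals on aws:RequestedRegion); it is not a general IAM evaluator.
    An SCP never grants access, so the only question is whether it denies.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        else:
            applies = not _action_matches(stmt["NotAction"], action)
        if not applies:
            continue
        conditions = stmt.get("Condition")
        if not conditions:
            return True  # unconditional deny
        allowed = conditions.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if requested_region not in _as_list(allowed):
            return True
    return False


if __name__ == "__main__":
    policy = build_region_scp()
    print(json.dumps(policy, indent=2))
    # Constructed sample API calls, not taken from any real account
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateRole", "us-east-1"),
                           ("s3:CreateBucket", "ap-southeast-1")]:
        verdict = "DENIED" if is_denied_by_scp(policy, action, region) else "not denied by SCP"
        print(f"{action} in {region}: {verdict}")
```

Two properties of SCPs matter when relying on this as a preventative control: an SCP applies to every principal in the attached OUs, including account root users, but it does not apply to the organization's management account, so workloads should not run there; and an SCP only restricts, it never grants, so IAM policies in each account still decide what is permitted within the approved regions. AWS Control Tower also ships a region deny control that implements the same intent, which is the route to prefer when Control Tower already governs the organization.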
The next phase of the project was to migrate the website to AWS and establish new data privacy compliant video streaming and web analytics services. These solutions inherit the policy and network compliance measures of the landing zone, implement encryption at rest and in transit using AWS Key Management Service (KMS) and AWS Certificate Manager, and provide the required level of fault tolerance and automatic performance scaling using multiple AWS Availability Zones in the Ireland region, with a Disaster Recovery / BCP capability in an approved European region. The ongoing management and operation of these workloads (for example, vulnerability management using AWS Inspector and the building of updated deployment images) is provided by the Deloitte Ireland Cloud Managed Service, with a service catalogue tailored to our client's digital sovereignty, information security and data privacy requirements.
Our public service client now has complete digital sovereignty over its cloud and on-premises hosted platforms, has safely migrated the website to the cloud platform, and has established its own compliant, data-sovereign video streaming and web analytics services. The governance and ownership afforded by the AWS landing zone, backed by a compliant service management solution provided by Deloitte, have enabled the client to safely accelerate its adoption of cloud and implement additional workloads, taking advantage of the automation, elasticity and innovation of AWS services whilst maintaining its digital sovereignty.