Service NSW has overhauled its cloud security and networking architecture, centralising threat detection and connectivity within its AWS environment.
The agency implemented AWS Security Hub alongside Amazon GuardDuty and Amazon Inspector to improve visibility and response across “a complex mesh” of over 200 virtual private clouds (VPCs).
Service NSW then centralised its networking layer using AWS Transit Gateway to simplify connectivity between its on-premises infrastructure and VPCs, thereby reducing the number of security controls needed and minimising its attack surface.
Speaking during the AWS Public Sector Symposium in Canberra in August, Service NSW cloud platform manager Kamaljit Bhardwaj said “security in the cloud is not just about firewalls and encryption; it is also about building a continuous vigilance culture with a proactive risk management.”
Service NSW manages services for over 70 NSW government agencies, including Transport for NSW and Driver and Vehicle Services across multiple AWS accounts.
In 2021, it began operating its digital products entirely on the public cloud provider’s infrastructure.
However, according to AWS senior technical account manager Pranav Gothadiya, who co-hosted the session with Bhardwaj, Service NSW’s security data was completely fragmented and siloed.
“This creates a whole lot of problems. For example, their detection and response could be delayed,” Gothadiya said.
“They need to do manual compliance; the audit risk could be increased because this data is not strictly managed.”
After centralising its data in AWS Security Hub and implementing AWS's cloud-native GuardDuty and Inspector tools for incident detection and response, the agency undertook a review of its entire infrastructure to identify gaps and compliance issues.
It then applied security and compliance frameworks such as PCI DSS, CIS Benchmarks, and AWS Foundational Security Best Practices to strengthen its cloud security posture against future threats and compliance risks.
One control introduced as a result of these frameworks is a restriction on developers deploying products from the AWS Marketplace.
“We have created guardrails, not roadblocks,” Bhardwaj said.
“We understand you might have a requirement to test for high availability in a normal product, so a process [has been] created; you can follow that process since your environment will be good.”
Multiple virtual gateways
Another core component of Service NSW’s cloud transformation program focused on addressing the “operational complexity” of its networking infrastructure and security model.
“There was no central security control, and the cost was high,” Gothadiya said.
“They had multiple virtual gateway interfaces. If a number of VPCs wanted to have communication with their on-premises network, they used multiple virtual gateways, which connected to the [AWS] Direct Connect gateway and then to on-premises.”
This fragmented setup led to multiple internet exposure points, creating two key challenges for the agency.
First, it required multiple NAT gateways per VPC. Second, it demanded duplicated security controls within each VPC, a setup that was difficult to manage and scale.
“It adds to the complexity of VPC tiering,” Gothadiya said. “There were 200-plus VPCs… [it appeared] as a weird complex mesh.”
To remedy this, Service NSW implemented AWS Transit Gateway to act as a centralised routing hub for all its VPCs.
In addition, it is now using Transit Gateway Management for routing logic and policy management, serving as a central connection point between the AWS Direct Connect gateway and the agency’s on-premises data centre.
This, Gothadiya said, has significantly reduced the agency’s costs as it no longer requires multiple individual network links between each VPC and its on-premises environment, known as virtual tunnel attachments (VTAs).
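The fragmented pattern described above (a virtual gateway and NAT gateways per VPC) versus the target hub-and-spoke model can be checked against an account inventory. The following Python is an added example, not code from Service NSW or AWS; it assumes the list shapes returned by boto3's describe_vpn_gateways, describe_transit_gateway_vpc_attachments and describe_nat_gateways, and runs here on constructed sample data.

```python
# Posture check for the VGW-per-VPC pattern: flags VPCs still reaching
# on-premises through their own virtual private gateway rather than the
# central Transit Gateway, and counts NAT gateways per VPC (added example).
from collections import defaultdict

def vpcs_on_own_vgw(vpn_gateways):
    """VPC ids with a currently attached virtual private gateway."""
    out = set()
    for vgw in vpn_gateways:
        for att in vgw.get("VpcAttachments", []):
            if att.get("State") == "attached":
                out.add(att["VpcId"])
    return out

def vpcs_on_tgw(tgw_attachments):
    """VPC ids with a live Transit Gateway VPC attachment."""
    return {a["VpcId"] for a in tgw_attachments if a.get("State") == "available"}

def nat_count_by_vpc(nat_gateways):
    """Number of active NAT gateways per VPC (internet exposure points)."""
    counts = defaultdict(int)
    for nat in nat_gateways:
        if nat.get("State") == "available":
            counts[nat["VpcId"]] += 1
    return dict(counts)

def posture_report(vpn_gateways, tgw_attachments, nat_gateways):
    """Migration backlog (VGW only), dual-path VPCs (VGW and TGW), NAT counts."""
    own = vpcs_on_own_vgw(vpn_gateways)
    hub = vpcs_on_tgw(tgw_attachments)
    return {
        "legacy_vgw_vpcs": sorted(own - hub),   # not yet moved to the TGW
        "dual_path_vpcs": sorted(own & hub),    # on the TGW but VGW not removed
        "nat_gateways_per_vpc": nat_count_by_vpc(nat_gateways),
    }

# Constructed sample inventory (placeholder ids, not real resources).
SAMPLE_VGWS = [
    {"VpnGatewayId": "vgw-1", "VpcAttachments": [{"VpcId": "vpc-a", "State": "attached"}]},
    {"VpnGatewayId": "vgw-2", "VpcAttachments": [{"VpcId": "vpc-b", "State": "attached"}]},
    {"VpnGatewayId": "vgw-3", "VpcAttachments": [{"VpcId": "vpc-c", "State": "detached"}]},
]
SAMPLE_TGW_ATT = [{"VpcId": "vpc-b", "State": "available"}, {"VpcId": "vpc-c", "State": "available"}]
SAMPLE_NATS = [
    {"NatGatewayId": "nat-1", "VpcId": "vpc-a", "State": "available"},
    {"NatGatewayId": "nat-2", "VpcId": "vpc-a", "State": "available"},
    {"NatGatewayId": "nat-3", "VpcId": "vpc-b", "State": "deleted"},
]
```

Feeding the real describe_* responses in place of the sample lists gives a per-account view of which VPCs still carry their own on-premises path or extra NAT exposure.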
A culture of smart spending
At the heart of Service NSW’s cloud transformation was a cost optimisation program, supported by a dedicated FinOps function and comprehensive change management across its teams.
Reflecting on these efforts, Bhardwaj said: “We were able to save a significant amount of money through technology transformation and by changing the ways of working.”
Sharing his key takeaways from the program, Bhardwaj advised that a “culture of smart spending where each team takes the responsibility of their cloud usage” is essential.
“Cost awareness should be part of the delivery process, not an afterthought. Enable your teams with tools, dashboards and self-service reports so they can take actions on behalf of their teams instead of FinOps or SecOps.”
The agency achieved this following a comprehensive assessment of its cloud costs and usage, during which it identified inefficient resources and recognised the need for better visibility through “proper reporting,” according to Gothadiya.
“If you have better visibility, you can always control your costs,” he added.
As a result, each technology team now has its own dashboard to monitor workload costs and take proactive steps to reduce them if they begin to spiral.
These efforts were further supported by wider initiatives in database and storage optimisation, alongside automating backup and restore processes.
Eleanor Dickinson attended AWS Public Sector Symposium in Canberra as a guest of AWS.