Skip to navigation Skip to main content Skip to footer

How We Helped Secure UK Test & Trace and UKHSA

Agile cloud cyber security for a rapid pandemic response

22 August 2022

Summary: Test & Trace case study

NCC Group supported the UK’s COVID-19 pandemic response, securing the UK Department for Health and Social Care ‘Test & Trace’ cloud-based technology platforms and ‘mega lab’ facilities.

Project Scope: 

  • Sectors- Healthcare & Public
  • 7k-15k users
  • National, population-level impact
  • Major target for threat actors
  • Huge public visibility 

Technology involved: 

  • Cloud-first strategy
  • Microsoft Azure (XDR)
  • AWS
  • Google
  • Microsoft 365 

The mission? To break the chain of COVID-19 infection  

Within unprecedentedly tight timescales, NCC Group delivered a full spectrum of Cyber Security services for the Test & Trace (T&T) program securing its digital platforms and mobile applications. This included securing the design, build, migration, and deployment of cutting-edge cloud solutions, which included Infrastructure as Code (IaC) and a security control framework tailored to the unique threat profile of the platform and mobile T&T app.

We also supplied monitoring, alerting, detection, and responses to shield critical government and National grade personal data from opportunistic or nation-state threat actors who saw T&T as a major target. 

Our contribution resulted in delivering some of the highest-ranking secure scores for cloud environments when measured by the AWS Well-Architected Framework, and by Microsoft using their Cloud Assessment Framework. 

Challenges, response, results: Test & Trace case study

What was the challenge? 

The UK Government and the NHS were met with a national-scale challenge to set up an emergency program in response to the COVID-19 pandemic, with the mission of breaking the chain of infection. 
 
NCC Group was approached to advise on real-time design, build, monitoring, and assurance activities to protect the platform’s cloud environment and ‘Mega Lab’ testing facilities. This involved working with a range of systems integrators to secure the creation and operation of a unified digital platform, a cloud-hosted mobile application for recording infection testing, and the consolidation of national response critical solutions. 

A key objective was to prevent the leaking of public health data while safely making it available to trusted entities such as government departments, policymakers, and research organizations.

The sharing of data was essential in aiding research and informing science-based, data-driven decision and policy making, whilst preserving the public's privacy concerns.
 
Another vital objective was maintaining operational security and resilience in a dynamic policy landscape while ensuring continuous breach readiness to optimize defense against threat actors looking to capitalize on government spending and masses of highly sensitive data.

How did NCC Group respond? 

Of course, as this real-world scenario had never occurred before, it presented a range of unique operational cyber challenges to the teams involved.

Working across live multi-cloud platforms at scale, with diverse vendors and suppliers, huge public visibility, and national urgency required diligence and discipline to operate and deliver at speed and flexibility – with no previous blueprint to follow.

As the UK government made fast legislation changes, we evolved new dynamic ways of working and managing risk in support of real-time security posture changes and testing that could support change cycles in a matter of hours - instead of the more familiar days, weeks, or even months.

Using accelerated agile methodologies, NCC Group delivered a full spectrum of cyber security services, including Infrastructure as Code (IaC) and an adaptive risk-based security control framework.

Our breadth of experience in supporting digital transformation allowed us to guide program decision-making to instill dynamic security governance, at all stages of the build, design, authority, and change control processes. We applied ‘Zero Trust’ principles to instill trust and confidence at an operational level for all entities that needed access to the platform and created a low friction but also secure end-user experience using continuous adaptive risk and trust assessment principles of end-user access.

In addition to advisory support, we performed hands-on configuration and deployment of security tools, and provided continuous monitoring, alerting, and incident response across the native cloud security tooling. This enabled a proactive approach in conjunction with the National Cyber Defence Operations Centre to counter endless cyber-attacks from both individual threat actors and organized crime.

What were the results? 

The unprecedented nature of this project pushed our teams to apply their security expertise and develop new ways of working that achieved incredible results meeting urgent and profound deadlines.

By looking beyond the obvious and evolving established assumptions, our team moved through unnecessary complications with clear, direct, and flexible thinking. We found new answers and harnessed the potential of a truly collaborative set of professionals across the Test & Trace (T&T) family. Using the highest-level agile project discipline to coordinate and orchestrate across a full spectrum of Cyber Security skill sets and interface seamlessly with systems integration partners.

Within 12 months, we secured the hosting of hundreds of workloads across AWS. Microsoft and Google Cloud environments, with no significant data leaks or exposure, which was the first true multi-cloud national collaborative achievement. This was achieved while providing secure access to over 15,000 users made up of third parties, contractors, civil service teams, and government departments. 

A testament to the quality of the fast, agile work came following independent assessment of the Test & Trace cloud environment by the platform vendors themselves: it achieved some of the highest-ranking cyber security scores across both the AWS Well-Architected Framework and Microsoft Cloud Assessment Framework.  

After quickly becoming the backbone security team for the program, NCC Group was invited to participate in the security steering advisory for the newly formed UK Health Security Agency (UKHSA). We’re looking forward to putting that gained cyber security experience into practice to provide the same high standards of dynamic and outcome-focused assurance across the UKHSA cloud environments.

Learn more about Cloud Infrastructure security.

Curious to see what industry-leading protection looks like? View our solutions or contact a cyber security expert to learn how to take control of your business's cloud environment.