How We Helped Secure UK Test & Trace and UKHSA

Agile cloud cyber security for a rapid pandemic response

22 August 2022

Summary: Test & Trace case study

NCC Group supported the UK’s COVID-19 pandemic response, securing the UK Department for Health and Social Care ‘Test & Trace’ cloud-based technology platforms and ‘mega lab’ facilities.

Project Scope: 

  • Sectors: Healthcare & Public
  • 7k-15k users
  • National, population-level impact
  • Major target for threat actors
  • Huge public visibility 

Technology involved: 

  • Cloud-first strategy
  • Microsoft Azure (XDR)
  • AWS
  • Google
  • Microsoft 365 

The mission? To break the chain of COVID-19 infection  

Within unprecedentedly tight timescales, NCC Group delivered a full spectrum of Cyber Security services for the Test & Trace (T&T) program, securing its digital platforms and mobile applications. This included securing the design, build, migration, and deployment of cutting-edge cloud solutions, including Infrastructure as Code (IaC) and a security control framework tailored to the unique threat profile of the platform and mobile T&T app.

We also supplied monitoring, alerting, detection, and responses to shield critical government and National grade personal data from opportunistic or nation-state threat actors who saw T&T as a major target. 

Our contribution resulted in delivering some of the highest-ranking secure scores for cloud environments when measured by the AWS Well-Architected Framework, and by Microsoft using their Cloud Assessment Framework. 

Challenges, response, results: Test & Trace case study

What was the challenge? 

The UK Government and the NHS were met with a national-scale challenge to set up an emergency program in response to the COVID-19 pandemic, with the mission of breaking the chain of infection. 
 
NCC Group was approached to advise on real-time design, build, monitoring, and assurance activities to protect the platform’s cloud environment and ‘Mega Lab’ testing facilities. This involved working with a range of systems integrators to secure the creation and operation of a unified digital platform, a cloud-hosted mobile application for recording infection testing, and the consolidation of national response critical solutions. 

A key objective was to prevent the leaking of public health data while safely making it available to trusted entities such as government departments, policymakers, and research organizations.

The sharing of data was essential in aiding research and informing science-based, data-driven decision and policy making, whilst respecting the public's privacy concerns.
 
Another vital objective was maintaining operational security and resilience in a dynamic policy landscape while ensuring continuous breach readiness to optimize defense against threat actors looking to capitalize on government spending and masses of highly sensitive data.

How did NCC Group respond? 

Of course, as this real-world scenario had never occurred before, it presented a range of unique operational cyber challenges to the teams involved.

Working across live multi-cloud platforms at scale, with diverse vendors and suppliers, huge public visibility, and national urgency required diligence and discipline to operate and deliver at speed and with flexibility – with no previous blueprint to follow.

As the UK government made fast legislation changes, we evolved new dynamic ways of working and managing risk in support of real-time security posture changes and testing that could support change cycles in a matter of hours - instead of the more familiar days, weeks, or even months.

Using accelerated agile methodologies, NCC Group delivered a full spectrum of cyber security services, including Infrastructure as Code (IaC) and an adaptive risk-based security control framework.

Our breadth of experience in supporting digital transformation allowed us to guide program decision-making to instill dynamic security governance at all stages of the build, design, authority, and change control processes. We applied ‘Zero Trust’ principles to instill trust and confidence at an operational level for all entities that needed access to the platform, and created a low-friction but also secure end-user experience by applying continuous adaptive risk and trust assessment principles to end-user access.

In addition to advisory support, we performed hands-on configuration and deployment of security tools, and provided continuous monitoring, alerting, and incident response across the native cloud security tooling. This enabled a proactive approach in conjunction with the National Cyber Defence Operations Centre to counter endless cyber-attacks from both individual threat actors and organized crime.

What were the results? 

The unprecedented nature of this project pushed our teams to apply their security expertise and develop new ways of working that achieved incredible results meeting urgent and profound deadlines.

By looking beyond the obvious and evolving established assumptions, our team moved through unnecessary complications with clear, direct, and flexible thinking. We found new answers and harnessed the potential of a truly collaborative set of professionals across the Test & Trace (T&T) family, using the highest-level agile project discipline to coordinate and orchestrate across a full spectrum of Cyber Security skill sets and interface seamlessly with systems integration partners.

Within 12 months, we secured the hosting of hundreds of workloads across AWS, Microsoft and Google Cloud environments, with no significant data leaks or exposure, which was the first true multi-cloud national collaborative achievement. This was achieved while providing secure access to over 15,000 users made up of third parties, contractors, civil service teams, and government departments.

A testament to the quality of the fast, agile work came following independent assessment of the Test & Trace cloud environment by the platform vendors themselves: it achieved some of the highest-ranking cyber security scores across both the AWS Well-Architected Framework and Microsoft Cloud Assessment Framework.  

After quickly becoming the backbone security team for the program, NCC Group was invited to participate in the security steering advisory for the newly formed UK Health Security Agency (UKHSA). We’re looking forward to putting that gained cyber security experience into practice to provide the same high standards of dynamic and outcome-focused assurance across the UKHSA cloud environments.
