GovTech to enhance Government on Commercial Cloud

GCC 2.0 will include improvements in user onboarding and provide single credential access to public cloud services and engineering tools, among other areas

Singapore’s Government Technology Agency (GovTech) is enhancing the Government on Commercial Cloud (GCC) service to make it easier for government agencies to manage and secure their use of public cloud services.

Dubbed GCC 2.0, the enhanced service touts improvements in user onboarding and security, among other areas, according to Kevin Ng, director of Codex (core operations development environment and exchange) at GovTech.

Speaking at GovTech’s Stack-X Cloud virtual conference today, Ng said the enhancements are being made in response to feedback from GCC users and the learnings that GovTech has gleaned from managing the service.

For example, Ng said onboarding to the GCC service requires users to have multiple accounts to access, manage and secure their use of public cloud services from the likes of Amazon Web Services (AWS), Microsoft Azure and Google Cloud.

“There’s a cloud account, a portal account, a virtual private network account and a jump host account just to be able to log in and administrate the system,” said Ng. “It’s a pain and we recognise that.”

In response, GovTech is simplifying things with a single sign-on service called TechPass that provides a single credential for access to cloud management portals, public cloud services and engineering tools in the Singapore Government Tech Stack (SGTS), a set of shared software and infrastructure services for building and testing new applications quickly.

TechPass is part of a broader security suite called Seed (Security Suite for Engineering Endpoint Devices) that pulls the concept of zero trust and other aspects of cloud-based access controls into a secure endpoint device platform. This will ensure that only secure and authorised devices can be used for developing and managing government cloud applications.

Jump host services

Another security-related enhancement in GCC 2.0 is the shift towards the use of cloud-native jump host services from hyperscale cloud providers. A jump host, also known as a jump server, is used to provide access to other virtual machines in the virtual network infrastructure to perform management tasks.

Ng said Azure Bastion, for example, is a hardened jump host with security controls and zero-day patching capabilities, while AWS Systems Manager isolates administrative control with AWS’s internal networks and agents, minimising configurations.

“We know for a fact that it’s definitely much better to use native services simply because they are managed by cloud service providers and are more cost effective,” he said. “We also know in practice, from a security standpoint, that they are also more secure because there’s less configuration needed.”

Ng said GovTech has been piloting some AWS workloads on GCC 2.0, adding that general availability will come in the first quarter of next year for AWS services.

It will also pilot Azure and Google Cloud workloads, with general availability expected in the third quarter of 2022 for Azure services and estimated for 2023 for Google Cloud services.

Underpinning the improvements in GCC 2.0 is the shift in thinking around cloud as code and software, rather than a different manifestation of on-premise hardware infrastructure.

“Today we still think of cloud as a piece of hardware. We still like to review our architecture diagrams, but it’s also useful to put this architecture into code and deploy it,” said Ng. “And if it is incorrect, let’s tear it down and redeploy again. We no longer need to be constrained by the art of planning in a waterfall manner.”

Ng also urged people to think of cloud as a service, noting that many cloud migration projects still involve moving what’s in on-premise datacentres to the cloud.

“Sometimes we have to seek appliances that do not have ready equivalents on the cloud. As we think more about this, we should adopt cloud more as a service rather than just migrating appliances over.”

From a security perspective, the cloud, being on the public internet, underscores the importance of identity and access management (IAM) rather than perimeter-based security policies. “From an IAM perspective, we consolidate all the accounts into single accounts, and we can associate roles and policies to all the accounts,” said Ng.

In 2018, the Singapore government said it would move the bulk of its IT systems to commercial cloud services in ongoing efforts to deliver citizen services in a faster and cheaper way. It expects to have at least 70% of eligible government systems on commercial cloud services by 2023.
