Sam Hehir shares what it’s like to be a security architect at DWP Digital, providing a deeper insight into the world of security in the largest government department.
I’ve worked in security for around 12 years, having started my career as a Java programmer working on integrations for service orientated architectures. It seems funny to me now, but a lot of the principles I learned then are coming back to haunt me now. That is in terms of security considerations in a move to a microservices, event-driven architecture.
My life is a busy one. I share custody of my 2 young children, so achieving a healthy work-life balance can be difficult. In my spare time I like to compete in triathlons, so balancing work, spending time with the kids and getting out for a bike ride or a run is challenging! I’m also a Newcastle United supporter, so I’m used to disappointment in that area of my life!
I joined DWP Digital 2 weeks before the first lockdown, working in the Health Product Delivery Unit. To say I had a baptism of fire is an understatement. However, the technology enabling me to work from home has been nothing short of amazing.
Having worked in central government previously, I was aware that some tools such as Slack and Microsoft Teams might be off limits, but this isn’t the case in DWP Digital. I’ve found that collaborative working across the team has been equivalent to my time in a startup and my team are incredibly supportive. I feel as if I have access to some of the best brains in the business.
What does a security architect do?
I help design and review controls for a system and review how likely it is to be attacked. It’s about proportion and implementing security controls that are cost effective. You have to have various skills and a broad knowledge. I might be talking about a quantitative risk assessment in one meeting, scoring the risk, then moving to another to discuss how best to secure some microservices via mutual Transport Layer Security (protocols designed to provide communications security over a computer network). Or I might be advising on what risk to accept when a new vulnerability has been found in a Docker base image. So it’s really important for me to keep up to speed with changes and innovations in security.
The National Cyber Security Centre (NCSC) advise that we should work to 4 key design principles:
- making compromise difficult
- making disruption difficult
- making compromise detection easier
- reducing the impact of compromise
And in summary that’s what my job is!
What does a typical day look like?
Security has always had the ‘bad guy’ image of saying “no” to everything, but I’ve found this to be the opposite in DWP Digital. We’re trying to move our applications to a DevSecOps approach, a methodology that works within an agile framework to break projects into smaller chunks. We’re deploying continuously and looking to shift left with our security functions, closer to the application code in a hybrid/multi cloud environment.
Typical activities might be:
- looking at field level encryption for a NoSQL DB
- scoping IT health checks
- performing a risk assessment on a new collaboration tool
- reading documentation on how best to move the security architecture forward. For example: Is gRPC more secure? Why? What does a zero trust model mean for us? How are we going to go about implementing it?
- how are we patching? What is our vulnerability status? How do I communicate that?
- presenting to a Design Authority that the solution is proportionally secure
- making sure that no personal information is out there in our open code
What makes security in DWP Digital different?
From a security perspective, the technology we’re using is leading-edge. Containerisation, continuous integration (CI) and continuous delivery (CD) pipelines, GitOps and multi/hybrid cloud all present new security challenges and paradigms.
I like to think of it as the Netflix of citizen-based services. If you can order a movie on demand you should be able to do the same with our services. We want to make claiming equally simple, transparent and secure.
Join us!
I can’t recommend working in security at DWP Digital highly enough. There’s a great balance of challenge and support. I’m not sure that joining any other organisation so close to a national lockdown would have been so easy! The support I’ve had from my line manager and team was amazing and the equipment I’m provided with has enabled effective remote working over the last few months.
I can manage my work-life balance well and explore leading-edge technology from a security perspective. I feel DWP Digital really has a startup mentality and an agile and innovative approach – but on a massive scale.
If you know your CISSP from your CRISC, your GDPR from your CVSS, your AWS from your Azure, aren’t afraid of typing “kubectl” into a command line and want to push the security boundary of what is possible, have a look at our latest vacancies and come join us!