When it comes to building modern, containerised applications, cloud technology has made it easier for governments to easily store and access data, and build such applications faster.
Such capability, however, invites a few considerations such as: What are the opportunities available to public sector institutions to modernise their applications? Given the technology requirements and unique limitations applicable to public sector organisations, is there a way to modernise applications without adding complexity?
For a detailed discussion on the avenues available to public sector institutions in Singapore to modernise their applications, senior IT experts and government executives gathered for a roundtable titled “Modernising Applications for the Public Sector,” hosted by Red Hat, the global open-source software company, and F5, a multi-cloud application services and security company focusing on application security, delivery and availability. The event was organised by Jicara Media.
According to Guna Chellappan, General Manager, Singapore, Red Hat, the paradigm shift in network security created new challenges for a lot of government agencies and institutions. “Earlier, organisations dealt with legacy and traditional security to secure their network, data, and applications. But now, since they have started looking at the cloud, we see many things coming into play with automation projects,” he said.
“Many of our very mature cloud customers in the government can develop an application in weeks, but it takes them six weeks to open a firewall port. Therefore, you cannot roll out an application into production instantly. How do you then ensure the buy-in of the CISO, for example? There’s just a lot of justification involved,” Chellappan added.
Journey so far
For plenty of government organisations in Singapore, data security dictates their approach to digital transformation. One state-owned company, for instance, maintains a cautious approach in migrating its apps to the cloud. It is currently reviewing the classification of its data assets to determine which of them can be migrated first.
“A lot of our apps are classified as confidential, which means that you cannot move anything out. But because of the recent mandate to review our applications and see what is confidential about our data, we have determined which of our data points are confidential and need to be located internally. As for the rest, we should move them to the cloud,” said one of the company’s senior IT leaders.
Aside from cloud migration, one of the key challenges that the state-owned company currently faces is the integration of its apps before they can be moved to the cloud.
“As there are pockets of information that are more critical than others, if we can classify them and see how we need to deal with them, we can make plans on how to successfully integrate and migrate them,” the senior IT leader shared.
Meanwhile, Gabriel Liow, Deputy Director for Digital & Corporate Transformation at the Ministry of Defence, noted that the IT talent crunch across the industry may be taking a toll on planned transformation projects. “We may have a solution to our modernisation issues, but there are not enough people to implement them,” he said.
In addition to the talent crunch, another challenge is to design an app that can distinguish which data should move to the cloud, and which should be retained on-premises. Further, making such apps user-friendly for their employees can be quite challenging, Liow remarked.
Seeing that most of the issues faced by the public sector IT are centred around systems and app integration, experts recommended focusing on an integral security component which is often overlooked.
“The de-facto standard today for integrating applications are APIs, especially now when you go into a distributed cloud, multi-cloud scenario. That comes with new security parameters, because how do you secure those APIs? How do you make sure that you have visibility?” said Lim Chin Keng, Senior Director of Strategy, F5 ASEAN.
Just this year, Optus, Australia’s second largest telco, suffered a data breach. Most cybersecurity experts pointed at poor API security as the reason behind the incident. As a result, around 10 million customers’ personal data, such as names, dates of birth, phone numbers, email addresses, postal addresses, and ID document numbers, might have been compromised.
While the Optus data breach is a classic case of exploiting weaknesses of internet-facing APIs, Lim revealed that 80% of organisations’ APIs are actually internal.
“It’s basically intranet, workload-to-workload communication between a public cloud and on-premises infrastructure. And these internal APIs don’t go to the internet and come back in again. Typically, when you think about API security, you may be thinking of SaaS, but that won’t apply here,” he pointed out.
To make sure organisations have visibility into the internal or east-west APIs and can correlate them with the internet-facing or north-south APIs, F5 is using AI and ML to predict vulnerabilities.
Meanwhile, as with other sectors, such as banking, or healthcare, the challenge in the government sector is to break all of the monolithic applications over time, Red Hat’s Guna Chellappan said.
“You need to start looking at how to modernise the more complicated applications especially, otherwise, your pen test will take as long as one development cycle,” he said.
To remedy this, Red Hat is leveraging automation so that the app doesn’t get jammed at the testing phase.
With all of the challenges the public sector is dealing with just to get an application up and running, institutions are maintaining an open mindset about getting help from SaaS providers.
“Most of the SaaS providers have done their own best practices, and they know what the industry needs. They know what’s good for you,” noted a senior IT leader from a state-owned company.
Gabriel Liow from the Ministry of Defence agrees. “You do not need to build everything from scratch. You can actually save time and money by looking at what’s already available out there, which you can use to build your applications,” he suggested.
In the end, it all boils down to careful planning between government entities and service providers in order to tailor right fit solutions according to the unique needs of the organisation.
Key to the success of modernising government applications are an emphasis on security, particularly API security, and ensuring the seamless integration of multiple apps of various compositions and security parameters. This is where technologies such as automation, AI, and ML are playing integral roles in ensuring that organisations do away with time-consuming tasks and processes and instead focus on improving their core services.