The lowdown on low-side working

Solution Architect at BAE Systems Applied Intelligence Read time: 4 mins
Secure government organisations have traditionally maintained their networks within air-gapped, siloed environments. But it doesn’t have to be this way, as Andy Brown explains
The lowdown on low-side working blog I’m actually writing this in the office. While there are a few colleagues dotted about, the usual hustle and bustle has been replaced by the quiet hum of the nearby photocopier – something you couldn’t hear back in 2019 BC (Before Covid).
 
The pandemic’s impact on working practices has been well documented, but it’s also coincided with a shift amongst secure government organisations. Even those with protectively marked networks are increasingly seeking to implement a new operating architecture by sharing operations between a secure, ‘high-side’ network, and a network of lower security classification – a ‘low-side’ network where users have a wider range of new digital technologies.
 
Under this new architecture, classified work is still conducted on the high side under the strictest of policies, but depending on the risk appetite of an organisation, a significant percentage of daily operations and the development and support of applications can be conducted on low-side networks.
 
As a result, such organisations can gain greater access to new technologies, as well as faster development times. They can also enjoy lower costs and have access to more staff as high-side environments require suitably trained and vetted staff with appropriate clearances.
 

From innovation to impact 

Such factors have helped propel the shift to more low-side working. For example, in September 2019 one of our clients wanted to use public cloud and ramp up low-side working to ease the pressure on high-side resources – freeing up desk space and highly cleared staff to concentrate on mission critical tasks.
 
One of the biggest challenges teams face is how to quickly and securely move the code they have developed and tested on the low-side to the high-side. This needs to be fast and efficient as well as secure so we set about developing a tool to do this.
 
The tool included all of the assurance features needed to gain accreditation. We have since enhanced this to include transfer of documentation using Confluence, and planning information via Jira. This has enabled teams to work on the low-side and quickly get their assets imported to the high-side, with all the documentation and history that goes with it, enabling easy collaboration between low and high teams, or even low-side teams to deploy hands-off.
 
Many of the client’s teams and their suppliers had very little public cloud experience and didn’t want to have to build and secure all of the DevOps tooling they need to build new applications efficiently and securely.
 
And so we built a suite of DevOps tools that we host as a shared service to enable teams to quickly establish their DevOps pipelines and concentrate on the development of their systems where their skills lie, rather than the nuts and bolts of DevOps tooling. We took care of making sure these tools were deployed securely and had these assured by the client’s security architects.
 
We now had an assured set of CI/CD tooling, including build and deployment automation, static code analysis and secure secret storage, providing agility to teams transitioning to the low-side, as they already had made set of tools and patterns with all the assurance in place to start building their code following best practices. Teams can quickly start delivering features to their users and these transferred to the high-side, without having to take out the first few sprints just building their development and testing infrastructure.
 

Lockdown bites

Within a few months, the use of services were gradually ramping up with around 20 teams on-boarded. These teams were mix of clients, our teams and other suppliers. Then, news of the first lockdown forced the client to accelerate the move low-side at breakneck speed.
 
Thankfully we had followed good cloud principles, such as containerisation, auto scaling, and automated deployments when building our services and these scaled easily to meet the sudden increase in demand.
 
Meeting the challenge for accelerated support was met by quickly implementing a service desk request based support service so that we could keep track of the increased number of requests. Later, we analysed the support ticket stats and identified which requests could be automated and made self-service, improving the responsiveness of the service and reducing our support overhead.
 

Onwards and upwards

We are continuing to improve our offering, we are currently working on assurance reporting tools which will enable teams to use our components in their custom pipelines to independently provide assurance that they have performed all the necessary checks. We are also working with a number of other teams to add features such as high-side observability from low and container syncing.
 
We now have over 220 teams from our clients, our teams and other suppliers, and over 2,000 users currently using one or more of our services on the low-side and have successfully made 13,000 transfers from low to high.
 
At this scale, and with the good FinOps principles (metrification, right sized infrastructure, and automated scaling) and automation we have used, the service is extremely cost effective as we are pooling AWS infrastructure to ensure maximum utilisation and minimising any manual effort from our support team.
 
A future of even more low-side working now awaits. Stay tuned.
 

About the author
Andy Brown is a Solution Architect at BAE Systems Applied Intelligence
Government Insights Promo Block Image

Explore Government Insights

Stay up to date with the latest thinking, trends, technologies and projects from our Government team
Find out more

Recommended reading:

  • Don’t go chasing waterfalls. Hannah Green says adaptability and mindset are all crucial when it comes to the ever-evolving field of software development
  • How I stopped patching and made my system more secure. Andrew Stock says that of the many benefits arising from serverless technology, removing the need for continuous patching is surely front and centre
  • Bringing data to the party. Caroline Bellamy is on a mission to transform how the UK Ministry of Defence uses data. She tells Mivy James about her 30-year career in industry and why data holds the key to smarter and faster decision-making across Defence
  • It’s a numbers game. Engineers nowadays have to be even more multi-faceted than in previous generations. Andrew Stock explains why cost optimisation now ranks high among engineering disciplines
  • Delivering data dividends. Mivy James examines what needs to be done to help the military be more data centric
top
Andy Brown Solution Architect at BAE Systems Applied Intelligence 17 June 2021