The client owned a mature, large-scale web application that housed vast amounts of sensitive information. One part of this application was accessible from the internet, while the other was used within government infrastructure, which had a low tolerance for risk.
Due to its business-critical nature, the client sought the expertise of Tom Burton, a Cyber Security specialist at Cambridge Management Consulting, to update the application to meet new opportunities and modern network requirements.
The client needed to integrate a new third-party SaaS web service into the existing application to enhance business efficiency and process speed.
The SaaS environment had to comply with certain UK Government security standards; however, conventional direct assurance and accreditation activities could not be applied to it because of the third party's shared SaaS delivery model.
The client needed the final solution to recognise this uncertainty while managing risk, security, and business benefits.
To resolve their challenges, Tom and his team adopted an approach based on the principles of 'Secure by Design', working with the client's business and engineering representatives to jointly develop the optimum integration approach and security controls before implementations started.
The lack of assurance meant that the integration had to treat the third-party SaaS as largely untrusted. The client had several architectural options, each with different implications for cost, timescale, risk profile, business efficiency, and future flexibility. Tom iterated the design with the client, helping them to select the best, most viable solution, reconsidering risk, compensatory controls, and benefits at each stage.
Adopting a risk-driven approach, Tom's first critical step was to identify the inherent risks that the change would introduce regardless of the integration approach. These risks were expressed in terms understandable to the non-security and non-technical communities. Getting stakeholder agreement on them ensured that all parties would recognise the constraints the solution would have to live within. The client then proposed their preferred solution architecture, enabling Tom to assess the residual risk that the change would present and to propose additional security controls to bring that risk down to an acceptable level.
As Tom's work progressed, the client adjusted the solution architecture in response to options that became unviable or inefficient. Alternative options and their implications were discussed. Once changes had been decided, Tom quickly reviewed and updated the risks and security controls, introducing fast feedback into the design process and ensuring that the architecture design was built with future flexibility internalised. The inherent risks did not remain static either: they were reviewed on each iteration, adding new risks that arose and retiring redundant ones according to the proposed solution's characteristics.
If security had been considered late in the change process, after implementation, it is likely that the solution design would have needed significant rework, inefficient controls retrofitted at a cost and with an operational impact, and/or a higher level of risk accepted. Tom and his team avoided these costly and unnecessary effects by getting early agreement on the risks that needed to be treated, and by quickly iterating to an optimal solution with the client.
Long Lasting Solutions
This approach also aligned with the principles of embedding continuous assurance and making changes securely because all controls can be tied back to the risks that they are addressing; future changes will be able to refer to these dependencies and build on them rather than undermine the existing security.
The Government end-client was delighted with the thoroughness of the analysis and documentation, had no concerns about the risk or mitigations proposed, and saw significant benefits in the collaborative approach that had been adopted.