Mapping out the transformation of a major public service IT network

We carried out a detailed review of DWP’s present IT network to capture current state services (WAN, LAN, WiFi, network connectivity, Internet and remote access gateways), technologies, architecture, performance and support arrangements: Whilst assessing what changes were needed to meet the requirements of the future and build a roadmap for a five year programme of improvement and transformation.

This strategic roadmap was in fact needed at any early stage of the project, so we began with an intensive piece of work to produce it. The roadmap was approved at a senior leadership level, providing DWP and us the guiding vision to develop our detailed recommendations.

Having gained agreement on the strategic vision, we engaged with DWP’s key stakeholders and subject matter experts to inform and shape the specific elements of DWP’s network. We focused on a number of key areas:

• MPLS WAN (wide area network) – DWP’s present network, built on private connections and MPLS (multiprotocol label switching) technology, connects individual sites together and to DWP’s private data centres. Its network includes a gateway to the internet, providing protection for the private network, connectivity to external networks and access to internet-based resources, services and applications for DWP users. We recommended that DWP migrate towards internet transport services with local internet breakout to augment the premium MPLS connections and provide more direct access to the cloud-based services that its users are increasingly consuming.
• LAN (local area network) – DWP operates two LANs today: a wired LAN to provide connectivity for desktop PCs and thin client terminals, and a separate wireless network to support roaming laptops, guests and visiting citizens. We recommended bringing these disparate networks together to simplify the architecture, making data flow much more efficient and enhancing the user experience. The Network Access Control service on the wired LAN would be extended to the wireless network to further enhance security.
• SD-WAN (software defined WAN) – Aligned to the plan to transform to a hybrid WAN, the roadmap included the introduction of SD-WAN to provide an overlay which would include a centralised portal offering total visibility and control of the network. The SD-WAN would provide dynamic control of application traffic flow across the hybrid network and would provide greater insight into the performance of applications as experienced by users. Additionally, the SD-WAN appliances would provide advanced firewall capability, further enhancing security and reducing dependency on the centralised gateway.
• Cloud First – DWP is committed to hosting application on cloud computing platforms, where appropriate and the use of SaaS.  Consumption of cloud-hosted services will change the way that data flows across the network, so we made detailed recommendations about how this could be facilitated.
• Operating model – DWP currently utilises a fully outsourced service under which a specialist telecoms service provider performs all network operations and support activity. DWP has an objective to perform more of the routine network changes and actions in-house to improve agility and provide the ability to support other Digital programmes. We carried out a SWAT analysis of the different operating model options available for the new network services, which could include a greater amount of in-house management and control of network services.
• Zero Trust model – With the boundaries between private and public networks becoming increasingly blurred through the greater use of internet-based resources, the current model of applying inspection and control via a centralised gateway service is becoming ever more challenging and a new model is required. The introduction of a zero-trust architecture will allow DWP to distribute their security boundary while maintaining central visibility and control. The future-state network will no longer be implicitly trusted by applications and devices, with authentication, inspection and control being performed natively by the services and devices that the users consume. All of our recommendations were rooted in the need to ensure that rigorous security controls were maintained and that citizen data and DWP resources were protected at all times.

Our five-year roadmap was divided into four main stages. Foundational measures which would produce immediate tactical fixes and ‘quick wins’; Transitionary arrangements such as the procurement of new required services; Transformational steps such as the introduction of hybrid WAN and SD-WAN; and the Zero Trust model which would be the target state.

Outcome

DWP now has a detailed roadmap to move its IT network into the digital, cloud-enabled future. It has a clearly articulated high-level strategy and vision, and a set of specific steps and measures to enable it to achieve that.

We consulted widely with senior leadership and key IT stakeholders in DWP to ensure we understood their priorities and engaged with them throughout as we developed the strategy.

The strategy has now been approved and work can begin to implement the key milestones in the journey.