Digital Sovereignty: Geospatial Systems Case Study
The Problem:
While there is a tremendous amount of geospatial data available today, it can be very difficult for all but the largest enterprises to use and extract business value from that data. Standard tooling to manipulate these large datasets and create useful visualizations is expensive and requires specialist skills that most business or organisations simply don’t have access to. The customer set out to change that by democratising access to geospatial data by developing a cloud-native geospatial platform that enables a variety of people to work collaboratively to solve problems using geospatial analysis and AI. Their Platform-as-a-Service offering seeks to enable businesses and government to leverage open-source technologies in a safe, secure, and supported way.
CyberCX was engaged by the customer to assist with the implementation of their geospatial data platform to be offered as an AWS cloud-native SaaS solution, making it available to anyone, anywhere.
“This is the first cloud-native Geospatial Platform that uses AI to help improve business efficiency, democratise data and enable solutions to be created that benefit both people and planet.” – customer website quote
This platform on AWS would provide near real-time geospatial intelligence that enables their customers to make informed decisions. This data, combined with advanced modelling and visualisation tools, would allow organisations to model and analyse their data to optimise processes.
The CyberCX Digital Sovereignty Practice first applied our Risk Management Process to understand the customer’s Digital Sovereignty requirements. Like most enterprises working with customers in regulated industries and the public sector, they also had several requirements aligned with Digital Sovereignty. These include:
- Compliance with regulatory requirements
- Assurance of (auditable) locality of data
- Manage access to data
- Encryption in transit and at rest
- Business continuity
The Solution:
CyberCX are established as a trusted AWS Premier Tier Services Partner in the New Zealand market and were chosen by the customer to help them modernize their platform into a multi-tenanted SaaS solution. This solution follows security best practices and is deployed in an automated way to allow CI/CD of all components.
Following AWS services are at the core of the platform to allow them to scale and maintain tenant isolation.
- Control Tower
- Transit Gateway
- Network Firewall
- EKS
- RDS Aurora for Postgres
The heart of the solution runs on an EKS cluster which makes use of Karpenter as an auto-scaler to rapidly launch right-sized ec2 instances in response to changing application load. The AWS multi-AZ Aurora cluster provides automated failover to standby instances, relying on Aurora RTO/RPOs. The EKS cluster is also AWS managed which ensures multi-AZ availability and automatic recovery. The pods are deployed across 3 AZs. The customer chose EKS because it would allow them to use K8s and if one of their customers required an on-prem installation, they could use EKS Anywhere to achieve this.
Many considerations (such as one account per customer, one VPC per customer, etc.) have been processed to isolate the tenants that are using the service. Ultimately, CyberCX decided to use a combination of Kubernetes namespace and resource types which includes 3rd party plugins and AWS services to achieve tenant isolation. Infrastructure deployment is fully automated and the platform’s cloud native architecture allows the customer to automatically scale their operations. We have also considered the commonly observed issue of limited IP address space in multi-tenanted SaaS solutions that utilise Kubernetes and resolved this through dual-stack Ipv4/IPv6 implementation.
“The Platform passed the AWS Foundational Technical Review. What does this mean I hear you ask… it means that the Platform follows best practices for security, reliability and excellence as defined by AWS. This journey was started late last year and has required a lot of time and effort to achieve. I would like to thank our partners at CyberCX – Nitin Yadav, Ginelle Cocks, Geoff Loh and Nick Yager. This is a huge achievement, I am super proud of what we have achieved and how we go about doing it.” – Customer Head of Product and Customer Success
As their trusted partner, we’ve also conducted a number of Well-Architected Reviews for the customer which we have completed with the assistance of AWS Software Partner, nOps, allowing ongoing maintenance and improvement of the platform from a performance, reliability and security point of view. To ensure costs remain optimised, we also have been engaged to provide an additional FinOps based service for the customer.
The Result:
In the process of designing and implementing this complex solution for the customer, CyberCX stayed true to the Digital Sovereignty requirements identified during requirements gathering and our Risk Assessment. These included:
- Compliance with regulatory requirements – AWS CIS Foundations Benchmark was enabled in Security Hub as directed by the customer
- Assurance of (auditable) locality of data – the solution is designed to be able to be deployed anywhere so they can take their Geospatial offering global, but the customer wants to maintain control of where data is deployed for specific customers, and we allow them to control this using a combination of SCPs and resource policies.
- Manage access to data – using CyberCX best practices for IAM
- Encryption in transit and at rest – all data is encrypted in transit and at rest using TLS, S3 policies, KMS, RDS and AWS Certificate Manager.
- Business continuity – this is achieved by the multi-AZ architecture and the AWS native backup regime
CyberCX’s relationship and collaboration with the customer has been extremely successful and resulted in some great outcomes. One local Council is an example of a tenant that has seen the benefits of utilising their data on the platform. The customer was frustrated by their inability to visualise and share the data they were collecting on people and freight within the region. Fortunately, the customer’s Geospatial Platform was able to solve the limitations they faced and revolutionise their data handling capabilities. By hosting both data storage and the application on the secure AWS cloud infrastructure, the Council gained a cloud instance of the “flow of people and freight” tool, empowering multiple users to explore and query data. This project has showcased the transformative power of AWS Cloud and the customer geospatial technology, demonstrating how organisations can unlock unparalleled data insights.
The customer geospatial data platform is a complex, multi-tenanted SaaS solution that makes use of modern technologies and development practices. There are many components in the solution and several vendors and 3rd party tools are involved. Whilst it can be quite daunting at times, CyberCX has adapted to this environment extremely well and is actively involved in large scale collaborations between the customer and their customers.