Why application modernisation is an opportunity for greater security and visibility

By Thales

While microservices architecture enables governments to build more agile and scalable applications, it also carries unique risks, which can be tackled by taking a platform approach to security, said global tech provider Thales’ Melvin Koh.

A secure-by-design approach and microservices architecture enable government applications to be built with flexibility without sacrificing security, said Thales' Melvin Koh. Image: Canva. 

More than 2,700 services, 800 government agencies and businesses, 4.2 million users, and 41 million secure transactions per month.


This is how much Singapore’s national digital identity platform, SingPass, has achieved today.


Key to this was that, when SingPass was introduced in 2003, it came with a single set of login credentials for residents to access different government portals and services without having to use multiple credentials.


However, not all government applications are built with the same flexibility as SingPass – with the ability to seamlessly integrate additional features over time, all without sacrificing security.


According to leading global technology and security provider Thales’ Sales Engineering Manager ASEAN Melvin Koh, SingPass’ success is due, in large part, to its secure-by-design approach and microservices architecture.


“Microservices is a concept where instead of one application that can do everything, the application is formed by smaller, independent parts – microservices – that can be added or updated without affecting the other parts or the whole application.”



On the path to microservices, put security first


Unlike applications such as SingPass or TraceTogether - both of which were built on microservices - legacy or monolithic systems and applications tend to be unwieldy and difficult to update.


“Even making a small change to such applications takes a long time to update and deploy,” said Koh. Hence, for many organisations, application modernisation is an inevitable next step if they wish to remain relevant to their stakeholders in the digital age.


With microservices, you can update, add or change one small part quickly, said Thales' Melvin Koh. Image: Melvin Koh's LinkedIn.

“Application modernisation is the re-architecting of old monolithic applications, breaking them down into smaller, distributed microservices that share data via APIs with many other first- and third-party services.


“In many cases, parts of the legacy applications remain on premise, with newer components being distributed across multiple public and private clouds,” said Koh.


“The advantages of doing this include speed to market and scalability. With microservices, if you need to update or add to your application, you can just change one small part and update it quickly.”


He adds that if a surge in usage is anticipated, an organisation can then scale a microservice by devoting more resources to it.


“Most legacy systems were built to achieve a function, with security as an afterthought. But if you’re undergoing application modernisation, which is a multi-million-dollar, multi-year effort, you should really take security into consideration.”


Housing and Development Board (HDB)’s former Chief Information Officer and National University of Singapore (NUS)’s School of Computing Professor (Practice), Alex Siow, said that a large system enhancement such as application modernisation could take two or three years.



Why security is needed for a microservices architecture


As single modules, microservices rely on containerisation platforms to provide a consistent layer that allows all applications to work in tandem.


However, there remain risks arising from containerisation, including privileged user abuse by container administrators, cross-container access, and compliance risks associated with limited controls within containerised environments.


This is why Thales embeds encryption and tokenisation technologies within its CipherTrust Data Security Platform, to give organisations both the flexibility and comprehensiveness to secure their microservices architecture.


“We can do it throughout the technology stack, on the application layer, the file-system layer and even the storage layer,” Koh explained.


Organisations dealing with more sensitive data may wish to encrypt on the application layer, while those with less sensitive data may do so on the filesystem or storage layer, he added.


A layer-by-layer approach is how the Central Provident Fund Board (CPF) refreshes its legacy systems. Image: CPF's website.

For the Central Provident Fund Board (CPF), a flexible, layer-by-layer approach is key as the public sector agency refreshes its legacy systems.


Prof Siow highlights the project currently underway at CPF, which manages the retirement savings of all Singaporeans and permanent residents, who number 3.9 million.


“They are doing this phase by phase, isolating systems so that they would not impact one another, and then you can modify things module by module,” he explained.


A robust security solution is also especially important for public agencies when they deal with highly sensitive citizen data, such as their national registration identity card and financial data.

Visibility and accountability


Security need not be a difficult proposition for organisations, said Koh, as the CipherTrust Data Security Platform is also able to cater to various cloud environments.    


Organisations typically seek the services of a consultant when embarking on application modernisation. Koh highlighted the value of taking a platform approach with security.


A security platform enables organisational leaders to have visibility and control over multiple aspects of application modernisation, including internal staff workflows, customer experiences, and a snapshot of business priorities.


“My customers at the C-suite level tell me they’re more concerned about visibility right now. Their staff may report that their systems are secure, but how can they see what is being used, where, and how can they report this if they are being audited?


“The CipherTrust Data Security Platform can generate reports to track their compliance and provide the clarity that leaders and their organisations need.”


With such visibility and clarity, public agencies seeking to digitalise more of their services, and modernise systems, can be more assured about security as they incorporate more dynamic functionality into e-government apps and services for the people.