AWS Public Sector Blog
Safeguarding data exchange in government using AWS
In the intricate web of government agencies, the smooth exchange of data is paramount to provide citizens seamless access to digital services. However, this exchange poses significant challenges, particularly concerning citizen-centric data. Multiple agencies need to manage data sensitivity and confidentiality, which, if leaked or stolen, can be detrimental to both the citizen and the reputation of the government.
Disparate government agencies are required to share data to provide citizen-centric outcomes in a digital landscape. When government agencies choose Amazon Web Service (AWS) to store data, they choose to take advantage of inheriting the strictest security controls and standards. In addition, AWS services offer a unique opportunity to enhance networking and security approaches, ensuring safe and resilient data transfer mechanisms. This blog post provides guidance towards data sharing among government agencies, offering prescriptive approaches and best practices for implementing secure data exchange solutions using AWS services.
Considerations for technical solutions
To craft an effective technical solution, public sector entities must consider the specific requirements of the use case. This post aims to provide recommendations that prioritize data integrity, security, compliance, and resilience while aligning with the Well-Architected Framework pillars. While this post focuses on public sector customers, the guidance of best practices is applicable to any organization with a data exchange use case.
However, it’s important to note that the guidance primarily targets inter-agency data exchange patterns and supports most intra-agency patterns. It supports AWS to AWS integrations and AWS to other integrations, such as other cloud providers or customer on-premises data centers. It does not factor in the current technology landscape and will not address any data validation or transformation requirements. The guidance ends once the data has reached its intended destination, irrespective of its use case or storage technology.
Figure 1. Inter-agency data exchange patterns.
Key considerations
Before diving into technical solutions, you need to consider key data properties such as classification, velocity, consumption, volume, and type. These factors influence the choice of AWS services and the establishment of appropriate data exchange patterns. Understanding the nuances of data attributes is essential for designing robust data-sharing mechanisms.
Underpinning your data transfer requirements are key components, including:
- Data classification: The class of data concerning the level of sensitivity, the risks it presents and the compliance regulations that protect it (for example, public, sensitive).
- Data velocity: How quickly you need to share the data (for example, real-time, batch, streaming).
- Data consumption: The approach to how the data is consumed for processing (for example, push, pull).
- Data volume: The amount of data that is being shared (for example, KM, MB, TB,).
- Data type: The type and format of the data being transferred (for example, text, image, blob).
Choosing the right solution
This post provides decision tables to summarize recommendations based on data attributes and use case requirements. This enables organizations to select the most suitable AWS services for secure data sharing to provide confidentiality, integrity, and resilience while also maintaining the ability to withstand cyberattacks. It is assumed that the data being exchanged is encrypted in transit using up-to-date encryption protocols.
For instance, organizations aiming to securely transfer small data payloads hosted on AWS to other organizations also hosted on AWS in an on-demand scenario may opt for the recommended AWS services, such as Amazon API Gateway using AWS PrivateLink.
Conversely, organizations transferring large volumes (gigabytes) of streaming data between systems hosted on AWS or third parties may opt to use the recommended AWS service Amazon Managed Streaming for Apache Kafka (Amazon MSK) or Amazon Kinesis as a robust solution.
Data exchange recommendations for on-demand use cases
The data will not traverse the public internet where possible.
| Source or target | Description |
Data consumption | Data volume | Data type or protocol | Recommendation | AWS services | Use cases enabled |
| AWS to AWS | For use cases where the producer wants to make small data payloads that are hosted on AWS available to consumers on AWS to query or pull on demand. |
Pull | KB or MB | Text, image | a) AWS PrivateLink with API Gateway b) AWS PrivateLink with AWS AppSync |
AWS PrivateLink Amazon API Gateway AWS AppSync |
Inter-service integration or inter-agency integration |
| AWS to third party | For use cases where the producer wants to make small data payloads that are hosted on AWS available to consumers anywhere to query or pull on demand. |
Pull | KB or MB | Text, image | a) API Gateway b) AWS AppSync |
Amazon API Gateway AWS AppSync |
Inter-service integration or inter-agency integration |
| Third party to AWS | For use cases where the producer wants to make small data payloads that are not hosted on AWS available to consumers on AWS or anywhere to query or pull on demand. |
Pull | KB or MB | Text, image | API | Third-party based REST API | Inter-service integration or inter-agency integration |
Data exchange recommendations for batch use cases
| Source or target | Description |
Data consumption | Data volume | Data type or protocol | Recommendation | AWS services | Use cases enabled |
| AWS to AWS and third party to AWS | For use cases where the producer wants to make data payloads, hosted anywhere, pushed to consumers on AWS periodically. |
Push | KB or MB or TB | Objects, Text, blob (images or objects) | a) Amazon S3 API over public or private endpoint |
Data sharing between agencies | |
| AWS to AWS | For use cases where the producer wants to make large data payloads, hosted on AWS, pushed to consumers on AWS periodically. |
Push | TB | Text, blob (images or objects) | a) Amazon S3 Replication b) Amazon S3 API |
Data sharing between agencies |
|
| AWS to non-AWS | For use cases where the producer wants to make large data payloads, hosted on AWS, available to consumers anywhere. |
Pull | TB | Text, blob (images or objects) | System: Make data securely available for consumption on Amazon S3 |
Data sharing between agencies |
Data exchange recommendations for streaming use cases
| Source or target | Description |
Data consumption | Data type or protocol | Recommendation | AWS services |
Use cases enabled |
| AWS to AWS and third party to AWS | For use cases where the producer wants to stream real time sensors and devices data payloads from anywhere to consumers on AWS. |
Push | Text (MQTT) | AWS IoT Core + Kinesis Data Streams | AWS IoT Core Amazon Kinesis Data Streams |
Sensor devices streaming data to AWS |
| AWS to AWS | For use cases where the producer wants to stream large volumes of real time small data payloads from AWS to consumers on AWS. |
Push | Text (HTTPS) | Amazon Kinesis Data Streams | Amazon Kinesis Data Streams | Event notifications |
| Third party to AWS | For use cases where the producer wants to stream real time data payloads from anywhere to AWS. |
Push | Text (TCP) | MSK | Clickstream |
|
| AWS to AWS and third party to AWS | For use cases where the producer wants to stream video in real time from anywhere to consumers on AWS. |
Push | Video or fps (HTTPS) | Amazon Kinesis Video Streams | Amazon Kinesis Video Streams | Video |
| AWS to AWS and third party to AWS | For use cases where the producer wants to stream small data payloads from anywhere to consumers (clients) on AWS on demand. |
Push or pull | Text (TCP) | WebSocket API | Websockets in API Gateway | Multiuser interactions, gaming |
Conclusion
In an era where data is a prized asset, safeguarding its sharing is imperative for maintaining trust and confidentiality. By using AWS services and adhering to best practices, government agencies can establish secure and resilient data transfer mechanisms. This proactive approach not only mitigates the risk of breaches but also fosters confidence among citizens in the government’s commitment to data privacy and security. Through careful consideration of data attributes and thoughtful implementation of technical solutions, the path to secure data sharing in the government sector becomes clearer, ensuring the integrity and confidentiality of shared information.
How can AWS help?
AWS offers in-person training, free online training, and certification programs. AWS has a number of partners and the AWS Professional Services team who can help you with your secure data transfer use cases.
To learn more about how you can use AWS to support your agency’s unique use case, contact the AWS Public Sector team.
AWS contributors: Andrew Hammett, Basheer Sheriff, Freddy Hartono, and Mehmet Akyuz.