Above photo: Mr. Tan Eng Pheng, Senior Director, Clusters Group at GovTech speaking at the AWS Public Sector Summit

Websites are often the first point of contact between citizens and government. They deliver information and provide a convenient platform for transactions. The Singapore Government has over 500 of them.

Earlier this year, PM Lee Hsien Loong said, “There are big things which we need to do and many small things which we ought to do better. Every time I go on to a Government website, if for some reason I have to transact a service and I cannot find the link, I tell them, please put this link in.”

To support the government agencies in improving the digital shopfront and the user experience, the Government Technology Agency of Singapore (GovTech) introduced a common hosting platform for government websites, called the Content Websites Platform (CWP), in  October2016.

The CWP is a common secured environment based on a resilient, robust and controlled platform which provides a suite of standardised software for hosting content-based websites. It enables unclassified government websites to be centrally managed and operated on public cloud, bringing the benefits of convenience, greater security, optimisation of resources, faster deployment speed and cost savings through economies of scale.

The idea behind CWP is to improve the government’s digital shopfront experience and help organisations build websites within significantly reduced timeframes. CWP accomplishes that by leveraging public cloud technology and putting together a stack of services, around not just hosting, but also security and operations management.

On October 4, at the inaugural AWS Public Sector Summit, Mr. Tan Eng Pheng, Senior Director, Clusters Group at GovTech spoke about the CWP, outlining its development, adoption and benefits.

The project started at erstwhile Infocomm Development Authority or IDA and moved on to GovTech (IDA and the Media Development Authority were re-structured to form GovTech and the Infocomm Media Development Authority last year). The procurement and development process took around 15 months.

Traditionally, each agency built everything from the ground up. In the data centre approach, they were responsible for the everything, from storage through servers, virtualisation, operating system (O/S), middleware and runtime to services and the website itself.

In the private cloud approach, parts of the stack are managed for the agency but the agency is still responsible for at least half the stack.

With the CWP, the agencies only have to manage their own websites and they can focus on delivering the best possible user experience. Everything else is handled for them by GovTech.

Hosting environment

CWP is hosted in the Public Cloud, Amazon Web Services (AWS), and G-Cloud, IM8[1] Compliant Hosting Environment, for the ‘unclassified’ front-end website and ‘restricted’ form services respectively.

CWP offers two categories of services, Base Services and Catalogue Buy Services.  Base Services include virtual hosting environment services (AWS) and Form services (G-Cloud or Government Cloud) and bundled security infrastructure services; and security management services.

Agencies can choose from 3 website tiers for the virtual hosting environment services: Small (Website page views of 50,000 per day and website data transfer of 5GB), Medium (Website page views of 200,000 per day and website data transfer of 20GB), and Large (Website page views of 800,000 per day and website data transfer of 5GB).

There are similar categories for Form Services with small, medium and large for form traffic of 200, 400 and 800 per day respectively.

Integrated, centrally-managed security

Mr. Tan said, “In this heightened cyber risk landscape, security probably takes more effort than the website itself.” CWP centrally manages the security protection of all hosted websites, through a range of integrated security infrastructure and management services.

At the perimeter, measures comprise: 1) CyberWatch Centre, which captures and processes security alerts; 2) Content Delivery Network (CDN) for caching and distributing load; 3) Web application firewall to filter malicious web traffic; and 4) Defacement monitoring, which monitors webpages against unauthorised changes.

There is another layer of security which includes Virtual Private Cloud to protect cloud resources; End Point Protection against viruses and malware; Network Intrusion Protection System to examine network traffic flows and block exploits; Patch Management for monitoring and administering timely software patches, fixes and updates; and Cert Management for managing SSL/ TSL[2] certificates.

In addition, vulnerability assessment is conducted annually for application software/ customer website and on a quarterly basis for the Operating system, Database management system and the Network infrastructure. Both automatic and manual Penetration Testing is done once a year.

All of this is integrated as part of the basic services package.  The agencies don’t have to go around shopping to find security solutions. In addition, CWP leverages multiple availability zones[3] of AWS in Singapore, adding another layer of resiliency.

Content Publishing Services

This falls under the ‘Catalogue Buy Services’. (Catalogue Buy also includes a range of miscellaneous services, such as additional website traffic, form traffic, data storage; invoice options; urgent service requests; and performance test tools.)

CWP provides improved manageability and operational efficiency with five Content Management Systems (CMS) standardised software. Customer may bring their own CMS licenses over to CWP provided the licensing scheme is supported in CWP. Alternatively, customer may procure the CMS licenses in CWP. They can choose to deploy HTML websites where CMSes are not required.

The five supported CMSes are WordPress which is Open Source (with commercial support for plug-ins) and four proprietary CMSes, namely SharePoint, SiteCore, Swiit and Sitefinity.

Mr. Tan explained the selection process for the CMS software, saying, “Unfortunately, we are unable to service all CMSes. As the suite of offerings expands, the management complexity escalates. So, we decided to do the top 5 CMSes, which have the highest utilisation rate in government.”

Simple process for agencies

Agencies developing and deploying websites through CWP follow a simple 4-step process. GovTech has developed self-service portals for Service, Deployment, Security, Utilisation, User management, operations and service desk.

The requester goes on to the Service portal and signs up for an account. Once the account is approved, the requester can subscribe for the tier of service they want. After provisioning for the staging and production environment, the developer can start deploying their codes through the Deployment portal and then conduct user testing.

This is followed by booking and running security tests through the Security portal. Once vulnerability and penetration testing is completed, the security findings verified and any loopholes remediated, the agencies can deploy the website and go live.

The result of this process has been a drastic reduction in time taken for developing and deploying websites. It is down from months to weeks or even days. Mr. Tan said that a corporate website for Vital.Org, which provides human resources and finance services to government agencies, went from ‘signup’ on CWP to ‘go live’ in 7 working days.

Two examples of public cloud benefits- auto capacity scaling and security patching

In his presentation, Mr. Tan talked about how CWP leverages a range of useful utilities and services provided by AWS, such as Simple Queue Service, Lambda, CloudWatch and Elastic Load Balancing.

He gave two examples of how public cloud can provide distinct advantages in terms of operations, as well as security. Peak loads for websites can come at inconvenient or unpredictable times. Traditionally, the organisation would buy excess capacity, in case the need arose. But this ‘just in case’ came at a heavy cost. With the cloud infrastructure, the utilisation can be monitored (through CloudWatch) and a threshold set for it. Once the threshold is crossed, a new instance[4] is automatically created. Once connected to the Load Balancer, it goes live immediately. Surges in website traffic are handled with little to no downtime. And this flexibility enables rapid scale-up without having to go through hardware and set-up.

Another issue is security patching.  Each time a vulnerability is revealed, it has to be patched to make sure that it is not exploited. Here, public cloud provides the ability to do the patching offline. A similar instance can be patched, connected to the load balancer and once it is connected, the old unpatched can be discarded.

Previously, for patching, website administrators announced maintenance periods, taking the website offline for x hours and patching it before bringing it back online. There’s almost no downtime now. The patching can be done in minutes instead of hours.

In January 2017, WordPress had a vulnerability that was exploited worldwide. 1.5 million websites were affected. GovTech was able to complete the patching in a total elapsed time of 23 hours. The staging environment was patched in 4 hours, while the production environment was patched in 5 hours. There was no defacement and no downtime.

“The ability to patch very quickly is what separates the vulnerable and the ready. More than 90% of exploits will continue to be these known ones. Everyone knows about it. It’s a matter of who can get to the finishing line faster, the hacker or you,” Mr. Tan said.

Future plans

The CWP is already proving to be a transformative platform. It is allowing agencies to achieve cost and time savings and transparency. They no longer need to deal with multiple vendors. Moreover, Mr. Tan mentioned in post-presentation panel, that many government agencies are taking the opportunity of the migration to re-design the website and rewrite the content.

Around 70% of government websites, around 380, have migrated to the CWP. The number is expected to increase to 400 by the end of the year.

Going forward, GovTech wants to provide services to mobile platform through APIs. For instance, GovTech is working with the Ministry of Education (MoE) for native mobile apps which will consume content hosted on CWP through APIs (Application Programming Interfaces).

GovTech has also developed an Outlook and mobile calendar synchronisation solution for public servants using CWP.

The other part of the plan is exploring the possibility of pay-as-you-use Software-as-a-Service (SaaS) solutions, in areas like learning management and mass communication (marketing emails) on subscription basis in the future.

[1]The Instruction Manual for ICT or IM8 aims to enhance the overall effectiveness of ICT in the public sector, and establish minimum standards leading to a networked government.

[2] Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide encryption and authentication between applications where data travels over an insecure network such as the Internet.

[3]AWS locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Availability Zones in a region are connected through low-latency links. If instances are distributed across multiple Availability Zones and one instance fails, an instance in another Availability Zone can handle requests.

[4] An instance refers to a virtual server for running applications.