Delivering a Secure, Serverless System of Record for a Critical National Identity Service

Executive Summary

A UK public sector client responsible for the secure and efficient delivery of critical citizen-facing identity services embarked on a major transformation initiative to modernise its legacy digital infrastructure. A core objective of the programme was to develop a next-generation identity processing platform underpinned by a modern, cloud-native System of Record (SoR). This system needed to manage data classified as OFFICIAL-SENSITIVE and comply with stringent national cyber security requirements. Previous attempts to deliver such a system had failed due to the complexities of implementing sufficient security controls in a public cloud environment. Shivom was commissioned to design, build, and deliver a secure, scalable, and serverless architecture capable of meeting both operational needs and the highest levels of regulatory assurance.

The Challenge

The public sector client required a secure, high-performance, and resilient System of Record to support its new digital identity platform. The solution had to operate within the AWS public cloud and handle data that could attract threats from highly capable adversaries, including Foreign Intelligence Services (FIS). Compliance with the UK’s national cyber security policies, particularly NCSC’s Cloud Security Principles, was non-negotiable.

Key challenges included achieving formal assurance from multiple security authorities (NCSC, GCHQ, and the client’s internal security teams), implementing a secure-by-design platform that integrated identity and access management, and deploying comprehensive protective monitoring. Additionally, the client sought a fully serverless design that reduced infrastructure overhead while maintaining scalability, operational efficiency, and cost-effectiveness. A prior supplier had been unsuccessful in meeting these requirements, prompting an urgent need for a trusted partner who could operate confidently in a multi-stakeholder, high-assurance environment and deliver within tight timelines.

Our Approach and Solution

Shivom applied a security-first, cloud-native architecture approach to create a resilient and cost-effective serverless platform. The solution was designed and implemented using AWS-native services and best practices to ensure full compliance with government cyber standards.

Our architecture included private API Gateway endpoints, segregated virtual networks (VPCs), tightly scoped IAM roles, and client-managed encryption using AWS KMS. We built automated CI/CD pipelines with AWS CodeCommit, CodeBuild, and CodePipeline using the AWS CDK (TypeScript), enabling rapid and secure feature deployments.

A protective monitoring framework was built on StreamAlert, integrated with CloudWatch, Kinesis, and PagerDuty for real-time alerting. Administrative actions were secured via multi-party approval workflows, and privileged access was granted only through time-bound, audit-logged CI/CD processes. Lambda functions delivered core capabilities such as secure GraphQL APIs, STS-based dynamic authorisation, and a “Lockdown” function capable of isolating the platform during a security incident.
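As an added illustration of the protective-monitoring rules described above (example code, not the project's own StreamAlert deployment), the following StreamAlert-style rule in plain Python flags privileged IAM and KMS changes whose CloudTrail session was not issued by the CI/CD role; the role ARN, account id and sample records are constructed for this example.

```python
import json

# Hypothetical ARN of the pipeline deployment role; the real one is not on the page.
PIPELINE_ROLE_ARN = "arn:aws:iam::111122223333:role/sor-cicd-deploy"

# Privileged operations that the design only permits via the audited pipeline.
PRIVILEGED_ACTIONS = {
    "iam.amazonaws.com": {"AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
}


def issuing_role(event):
    """Return the IAM role behind an assumed-role session, or the caller ARN otherwise."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")


def out_of_band_privileged_change(event):
    """Rule: a privileged IAM/KMS call whose session was not issued by the pipeline role."""
    actions = PRIVILEGED_ACTIONS.get(event.get("eventSource", ""), set())
    if event.get("eventName") not in actions:
        return False
    return issuing_role(event) != PIPELINE_ROLE_ARN


def evaluate(records):
    """Run the rule over CloudTrail records and return one alert dict per match."""
    return [{"eventName": r["eventName"], "principal": issuing_role(r), "time": r.get("eventTime", "")}
            for r in records if out_of_band_privileged_change(r)]


# Constructed CloudTrail records: a pipeline KMS policy change (allowed), a direct
# DisableKey by an IAM user (flagged), and a routine read by the API role (ignored).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/sor-cicd-deploy/codebuild",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/sor-cicd-deploy"}}}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/sor-api/lambda",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/sor-api"}}}}
]""")

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print("ALERT", alert)
```

In a real deployment the same predicate would sit behind StreamAlert's `@rule` decorator and the alert dict would be routed to PagerDuty; here it runs offline against the embedded records.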

Shivom maintained close and continuous collaboration with national security authorities and cloud vendors throughout the lifecycle. The architecture was reviewed and formally approved by NCSC, establishing a new reference model for secure serverless delivery within the UK public sector. Additionally, Shivom provided knowledge-sharing artefacts and reusable security patterns to support wider adoption and long-term sustainability across government departments.

Outcomes

🔒 NCSC-approved architecture for hosting OFFICIAL-SENSITIVE data in AWS

☁️ Delivered a fully serverless, cost-effective, scalable, and resilient SoR

♻️ Enabled zero-downtime deployments with CI/CD pipelines

🔐 Protected data with encryption at rest and in transit using client-managed KMS

🚨 Implemented automated incident response and self-protection mechanisms

✅ Received endorsements from central government stakeholders and cloud vendors

⚡ Accelerated time to production with reusable patterns and infrastructure as code

Key Learnings and Takeaways

🛡️ A security-first approach is essential when designing cloud-native systems handling sensitive data

☁️ Serverless technologies, when applied effectively, can meet even the most stringent public sector security requirements

🤝 Collaboration with national cyber authorities from the outset ensures faster compliance

🤖 Leveraging automation across CI/CD and security monitoring is critical to ensuring agility and resilience

📦 Reusable architecture patterns accelerate transformation across departments and create sustainable value