Hybrid Cloud Adoption for Sensitive Government Data

Executive Summary

A UK Public Sector Client, responsible for managing citizen identity and passport data, launched the Secure Transformation programme to modernise and transform its core System of Record (SoR). This foundational platform underpins the client’s critical services, handling sensitive personal data at scale. The transformation was essential to replace legacy systems with secure, scalable, and cloud-native solutions capable of meeting the demands of a rapidly evolving digital and threat landscape.

The SST programme focused on application development, data architecture, and secure system design to support sensitive citizen data classified up to SECRET and TOP SECRET. These efforts were fundamental to meeting digital transformation goals while maintaining compliance with the UK Government’s stringent security and data governance requirements. Given the critical nature of identity-related data and the high level of threat from actors targeting government systems, the client sought a hybrid cloud approach that blended on-premises control with the scalability and agility of public cloud services. This vision became a pivotal enabler for the client’s next-generation platform and broader public sector digital strategy.

The Challenge

The traditional hosting model within the public sector client was heavily reliant on legacy, on-premises infrastructure—an approach that was costly, rigid, and resource-intensive. As digital transformation accelerated, so did the need to securely host vast volumes of sensitive citizen data. However, migrating these workloads to public cloud environments was met with resistance from national security stakeholders, including NCSC and GCHQ, who demanded robust assurances that OFFICIAL-SENSITIVE and SECRET data could be secured to the highest standards.

Additionally, the legacy systems lacked scalability and resilience, presenting operational bottlenecks and potential compliance risks. The absence of hybrid capabilities meant the client could not fully benefit from cloud-native innovation without compromising required levels of physical control for sensitive workloads. The challenge extended beyond technology to include navigating a complex regulatory landscape, aligning multi-agency stakeholders, and demonstrating that a hybrid model—leveraging both Azure Public Cloud and Azure Stack Hub on-premises infrastructure—could deliver operational, financial, and security advantages. A successful pilot would be required to validate the approach and secure executive endorsement.

Our Solution

A&A Digital Tech partnered closely with the public sector client and key government stakeholders to design, implement, and pilot a secure hybrid cloud architecture based on Microsoft Azure Stack Hub. Our engagement began with a detailed discovery phase, consulting across technical, security, and operational functions, including stakeholders from NCSC and the Department’s Technology Directorate, to map suitable workloads and define appropriate data classification boundaries.

We architected a solution that enabled sensitive workloads to be hosted securely on-premises via Azure Stack Hub, while less sensitive services were deployed to Azure Public Cloud. The architecture adhered to zero-trust principles and incorporated layered security controls fully aligned to NCSC’s Cloud Security Principles. A&A Digital Tech facilitated joint design reviews with Microsoft and national security bodies, ensuring buy-in through transparent technical dialogue and assurance.

The project involved piloting key workloads to demonstrate secure CI/CD pipelines, automated infrastructure provisioning, and robust operational management across hybrid environments. A&A Digital Tech led agile delivery and continuously refined the solution based on lessons learned during implementation. Stakeholder confidence was nurtured through show-and-tell sessions, live demonstrations, and risk-based assessments. The result: a validated hybrid model that proved secure cloud transformation is achievable even within the most security-sensitive areas of the public sector.

Outcomes

🔧 Pilot Success – Successfully piloted Azure Stack Hybrid Cloud hosting for OFFICIAL-SENSITIVE and SECRET workloads.
💰 Cost Savings – Reduced capital expenditure and annual operational costs in millions of GBP.
✅ Regulatory Approval – Achieved stakeholder approval from NCSC, GCHQ, and the Home Office for hybrid cloud adoption.
🏗️ Strategic Foundation – Laid the technical foundation for future department-wide data centre modernisation.
📈 Improved Resilience – Improved scalability, resilience, and disaster recovery posture of critical systems.
🔐 Secure Automation – Demonstrated secure, automated CI/CD pipelines operating across hybrid environments.

Key Learnings and Takeaways

🤝 Stakeholder Engagement – Early and transparent engagement with security and compliance stakeholders is essential to cloud adoption in regulated sectors.
🌐 Pragmatic Adoption – Hybrid cloud architectures offer a viable path for sensitive data workloads where full public cloud adoption is constrained.
⚙️ Automation is Key – Automation of infrastructure and security operations is critical to managing hybrid complexity and maintaining compliance.
📊 Iterative Validation – Incremental pilot deployments and transparent demonstrations accelerate stakeholder trust and adoption.
💡 Efficiency Gains – Hybrid cloud solutions, when well-designed, can yield significant cost savings and operational efficiencies in the public sector.

©2025 A A Digital Tech. All rights reserved