AWS Public Sector Blog

Safeguarding data exchange in government using AWS

AWS branded background design with text overlay that says "Safeguarding data exchange in government using AWS"

In the intricate web of government agencies, the smooth exchange of data is paramount to provide citizens seamless access to digital services. However, this exchange poses significant challenges, particularly concerning citizen-centric data. Multiple agencies need to manage data sensitivity and confidentiality, which, if leaked or stolen, can be detrimental to both the citizen and the reputation of the government.

Disparate government agencies are required to share data to provide citizen-centric outcomes in a digital landscape. When government agencies choose Amazon Web Service (AWS) to store data, they choose to take advantage of inheriting the strictest security controls and standards. In addition, AWS services offer a unique opportunity to enhance networking and security approaches, ensuring safe and resilient data transfer mechanisms. This blog post provides guidance towards data sharing among government agencies, offering prescriptive approaches and best practices for implementing secure data exchange solutions using AWS services.

Considerations for technical solutions

To craft an effective technical solution, public sector entities must consider the specific requirements of the use case. This post aims to provide recommendations that prioritize data integrity, security, compliance, and resilience while aligning with the Well-Architected Framework pillars. While this post focuses on public sector customers, the guidance of best practices is applicable to any organization with a data exchange use case.

However, it’s important to note that the guidance primarily targets inter-agency data exchange patterns and supports most intra-agency patterns. It supports AWS to AWS integrations and AWS to other integrations, such as other cloud providers or customer on-premises data centers. It does not factor in the current technology landscape and will not address any data validation or transformation requirements. The guidance ends once the data has reached its intended destination, irrespective of its use case or storage technology.

going from left to right, the diagram shows the push or pull flow of data between third parties (on premises or using a cloud provider) to applications on the AWS Cloud

Figure 1. Inter-agency data exchange patterns.

Key considerations

Before diving into technical solutions, you need to consider key data properties such as classification, velocity, consumption, volume, and type. These factors influence the choice of AWS services and the establishment of appropriate data exchange patterns. Understanding the nuances of data attributes is essential for designing robust data-sharing mechanisms.

Underpinning your data transfer requirements are key components, including:

  • Data classification: The class of data concerning the level of sensitivity, the risks it presents and the compliance regulations that protect it (for example, public, sensitive).
  • Data velocity: How quickly you need to share the data (for example, real-time, batch, streaming).
  • Data consumption: The approach to how the data is consumed for processing (for example, push, pull).
  • Data volume: The amount of data that is being shared (for example, KM, MB, TB,).
  • Data type: The type and format of the data being transferred (for example, text, image, blob).

Choosing the right solution

This post provides decision tables to summarize recommendations based on data attributes and use case requirements. This enables organizations to select the most suitable AWS services for secure data sharing to provide confidentiality, integrity, and resilience while also maintaining the ability to withstand cyberattacks. It is assumed that the data being exchanged is encrypted in transit using up-to-date encryption protocols.

For instance, organizations aiming to securely transfer small data payloads hosted on AWS to other organizations also hosted on AWS in an on-demand scenario may opt for the recommended AWS services, such as Amazon API Gateway using AWS PrivateLink.

Conversely, organizations transferring large volumes (gigabytes) of streaming data between systems hosted on AWS or third parties may opt to use the recommended AWS service Amazon Managed Streaming for Apache Kafka (Amazon MSK) or Amazon Kinesis as a robust solution.

Data exchange recommendations for on-demand use cases

The data will not traverse the public internet where possible.

Source or target

Description

Data consumption Data volume Data type or protocol Recommendation AWS services

Use cases enabled

AWS to AWS

For use cases where the producer wants to make small data payloads that are hosted on AWS available to consumers on AWS to query or pull on demand.

Pull KB or MB Text, image a) AWS PrivateLink with API Gateway
b) AWS PrivateLink with AWS AppSync
AWS PrivateLink
Amazon API Gateway
AWS AppSync

Inter-service integration or inter-agency integration

AWS to third party

For use cases where the producer wants to make small data payloads that are hosted on AWS available to consumers anywhere to query or pull on demand.

Pull KB or MB Text, image a) API Gateway
b) AWS AppSync
Amazon API Gateway
AWS AppSync

Inter-service integration or inter-agency integration

Third party to AWS

For use cases where the producer wants to make small data payloads that are not hosted on AWS available to consumers on AWS or anywhere to query or pull on demand.

Pull KB or MB Text, image API Third-party based REST API

Inter-service integration or inter-agency integration

Data exchange recommendations for batch use cases

Source or target

Description

Data consumption Data volume Data type or protocol Recommendation AWS services

Use cases enabled

AWS to AWS and third party to AWS

For use cases where the producer wants to make data payloads, hosted anywhere, pushed to consumers on AWS periodically.

Push KB or MB or TB Objects, Text, blob (images or objects)

a) Amazon S3 API over public or private endpoint
b) AWS Transfer family

Amazon S3 API
AWS Transfer family

Data sharing between agencies
AWS to AWS

For use cases where the producer wants to make large data payloads, hosted on AWS, pushed to consumers on AWS periodically.

Push TB Text, blob (images or objects) a) Amazon S3 Replication
b) Amazon S3 API

Amazon S3 Replication

Data sharing between agencies

AWS to non-AWS

For use cases where the producer wants to make large data payloads, hosted on AWS, available to consumers anywhere.

Pull TB Text, blob (images or objects)

System: Make data securely available for consumption on Amazon S3

Amazon S3 API get-object

Data sharing between agencies

Data exchange recommendations for streaming use cases

Source or target

Description

Data consumption Data type or protocol Recommendation

AWS services

Use cases enabled

AWS to AWS and third party to AWS

For use cases where the producer wants to stream real time sensors and devices data payloads from anywhere to consumers on AWS.

Push Text (MQTT) AWS IoT Core + Kinesis Data Streams AWS IoT Core
Amazon Kinesis Data Streams

Sensor devices streaming data to AWS

AWS to AWS

For use cases where the producer wants to stream large volumes of real time small data payloads from AWS to consumers on AWS.

Push Text (HTTPS) Amazon Kinesis Data Streams Amazon Kinesis Data Streams

Event notifications

Third party to AWS

For use cases where the producer wants to stream real time data payloads from anywhere to AWS.

Push Text (TCP) MSK

Amazon MSK

Clickstream
telemetry,
large data payloads streamed, such as pictures

AWS to AWS and third party to AWS

For use cases where the producer wants to stream video in real time from anywhere to consumers on AWS.

Push Video or fps (HTTPS) Amazon Kinesis Video Streams Amazon Kinesis Video Streams

Video

AWS to AWS and third party to AWS

For use cases where the producer wants to stream small data payloads from anywhere to consumers (clients) on AWS on demand.

Push or pull Text (TCP) WebSocket API Websockets in API Gateway

Multiuser interactions, gaming

Conclusion

In an era where data is a prized asset, safeguarding its sharing is imperative for maintaining trust and confidentiality. By using AWS services and adhering to best practices, government agencies can establish secure and resilient data transfer mechanisms. This proactive approach not only mitigates the risk of breaches but also fosters confidence among citizens in the government’s commitment to data privacy and security. Through careful consideration of data attributes and thoughtful implementation of technical solutions, the path to secure data sharing in the government sector becomes clearer, ensuring the integrity and confidentiality of shared information.

How can AWS help?

AWS offers in-person training, free online training, and certification programs. AWS has a number of partners and the AWS Professional Services team who can help you with your secure data transfer use cases.

To learn more about how you can use AWS to support your agency’s unique use case, contact the AWS Public Sector team.


AWS contributors: Andrew Hammett, Basheer Sheriff, Freddy Hartono, and Mehmet Akyuz.