Registers of Scotland, or RoS, is one of the longest established public records services in Britain and Ireland, with land data held in its Register of Sasines – sasine being an ancient term to describe how property was held and transferred in feudal times – dating back centuries.
The Register of Sasines as it exists today was created by an act of the Scottish Parliament in 1617, making it the oldest such register anywhere in the world. It served as the primary land register in Scotland until the late 1970s, when it was modernised following changes to national legislation.
However, the modern day register, having built up over the course of 40 years, is now itself showing its age. Added to that, RoS has taken on responsibility for more than 20 other registers covering, for example, landlords and letting agents, sites of special scientific interest (SSSIs), and even the locations of historic crofts around Scotland.
It’s no overstatement to say things have got complex, so RoS is now in the process of replatforming itself in an ambitious digital transformation strategy that hinges on transitioning to an Amazon Web Services (AWS) cloud infrastructure.
On legacy and debt
But this transition risked being hindered by legacy, siloed security infrastructure, while at the same time the Covid-19 pandemic demanded an overnight transition from paper-based processes to a more innovative approach to processing digital registration submissions.
“Getting rid of the legacy, technical debt and all of the vulnerabilities and the issues that you get around that is really important to us,” says RoS security architect Bob Bowden.
“Until 2018, and the inception of the IT security function, there were essentially no security services. Obviously, we had firewalls, we had proxies, we had antivirus on endpoints, but they were considered part of the operational service rather than a security overlay,” he says.
On his arrival at RoS in 2018, the organisation had just kicked off a vulnerability scanning programme. It bought a web application firewall (WAF) which improved things marginally, but by Bowden’s admission, RoS was still “pretty immature” in its ability to detect and respond to incidents, conduct forensics and so on.
“Whilst that is a bad situation to be in, because we didn’t have very much, it made my life an awful lot easier, because instead of having to join together lots and lots of individual systems, I was able to put together a business case for essentially a homogenous environment, based on a single set of technologies, with single integrations into the same place that we can then write correlation rules against,” he explains.
“For our new IT security team, made up of people who generally didn’t have very much experience, this meant we were teaching them to manage a single console and a single interface in prioritising their incidents, and so the focus becomes much more on onboarding stuff into their standard way of working rather than teaching them 500 different tools that they’re only going to use once a month.
“It’s been an advantage to be able to start with a relatively untouched canvas.”
At the same time, Bowden was rearchitecting RoS’s risk management framework, which prior to his arrival reflected the nebulous nature of its security technology. This, he says, has helped get traction with the board and convince them to sign off on what was needed. A couple of minor security incidents may not have hindered his ability to make the case, he adds.
Giant game of Tetris
RoS’s journey with Palo Alto Networks began with a security roadmap that looked, says Bowden, “like a giant game of Tetris that somebody has lost spectacularly”.
The introduction to Palo Alto came about somewhat by chance, as Bowden and his team had been looking for a cloud security posture management (CSPM) platform and were close to signing off on an alternative supplier – a large and well-known one – during the course of which they discovered that the RoS network team was looking to move away from that same supplier’s firewalls to Palo Alto.
“So we decided to look at Palo Alto’s CSPM product [Prisma Cloud],” says Bowden. “While we were discussing that, not only were we impressed by it and its ease of use, it was drastically more intuitive than the other offering.
“We then spoke to Palo Alto around their integration with the firewall in the endpoint, which is when we started having conversations about Cortex XDR [Extended Detection and Response] and Cortex XSOAR [Extended Security Orchestration, Automation and Response].
“At this point, we had a full roadmap which basically articulated everything that was missing from the organisation, and we worked out that by getting the XDR product, and XSOAR product, and getting that on top of the CSPM product, that would essentially do a lot of the bigger initiatives we were trying to deal with,” says Bowden.
RoS has now been up and running for some time, and so far, barring a couple of issues which were more the result of taking a rather more incremental approach to deployment than anything else, things have been going well.
Saving their bacon
Indeed, it was during the Covid-19 pandemic, specifically the early days of the country’s first national lockdown in spring 2020 and the horrific second wave of December 2020 and January 2021, that Palo Alto’s technology came to RoS’s rescue on a number of occasions.
During the first lockdown, RoS was hitting problems because it was not then legally permitted to receive any kind of digital document, meaning every single land transaction in Scotland had to be received through the post as a paper document and scanned in.
This had been the way for so long thanks to resistance from the legal profession, but according to Bowden, that viewpoint changed abruptly with the onset of Covid-19, and six weeks later RoS was receiving digital deeds – and has never looked back.
Clearly the technology to receive digital documents has been around for a long time, but having just gone through the process of setting up Palo Alto XSOAR, Bowden and his team were able to speed the transition to digital documents by leveraging it to provide a security overlay service to cover the file submission process.
“It allowed us to write an automation that would scan a file share, so external documents get put by the external web server onto a file share, XSOAR picks them up, does some analysis, puts them up to the Palo Alto WildFire API [application programming interface] to make sure they aren’t carrying any malware, and as soon as we have positive confirmation the file is safe we can pick it from the staging area and move it into RoS for people to start working on it,” he says.
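As an added illustration of the staging gate described above (not RoS's automation and not Palo Alto code), the Python sketch below releases a file only on a positive benign verdict and holds it in staging otherwise. The directory layout and the `get_verdict` callable are hypothetical stand-ins for the file share and the malware analysis service.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

BENIGN, MALWARE = "benign", "malware"   # any other verdict is treated as "not yet safe"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def process_staging(staging, release, quarantine, get_verdict):
    """Move each staged file by verdict; return {filename: action}."""
    actions = {}
    for entry in sorted(Path(staging).iterdir()):
        # Only plain files: a symlink could point outside the staging area.
        if entry.is_symlink() or not entry.is_file():
            actions[entry.name] = "skipped"
            continue
        digest = sha256_of(entry)
        try:
            verdict = get_verdict(entry, digest)
        except Exception:
            verdict = "error"               # fail closed: no verdict, no release
        if verdict == BENIGN and sha256_of(entry) == digest:
            # Released only on a positive benign verdict for unchanged content.
            shutil.move(str(entry), str(Path(release) / entry.name))
            actions[entry.name] = "released"
        elif verdict == MALWARE:
            shutil.move(str(entry), str(Path(quarantine) / entry.name))
            actions[entry.name] = "quarantined"
        else:
            actions[entry.name] = "held"    # pending, error or changed: stays staged
    return actions

def demo():
    """Constructed files and a stub verdict service (hypothetical, not a real API)."""
    def stub_verdict(path, digest):
        if path.suffix == ".big":
            raise TimeoutError("analysis still running")
        return MALWARE if b"CONSTRUCTED-BAD" in path.read_bytes() else BENIGN
    with tempfile.TemporaryDirectory() as root:
        staging, release, quarantine = (Path(root) / n for n in ("staging", "release", "quarantine"))
        for d in (staging, release, quarantine):
            d.mkdir()
        (staging / "deed.pdf").write_bytes(b"%PDF constructed deed")
        (staging / "bad.pdf").write_bytes(b"CONSTRUCTED-BAD sample")
        (staging / "plan.big").write_bytes(b"constructed large upload")
        actions = process_staging(staging, release, quarantine, stub_verdict)
        return actions, sorted(p.name for p in release.iterdir())
```

Calling `demo()` runs the gate over three constructed files: one is released, one is quarantined, and the one whose analysis times out stays in staging.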
Then, during Scotland’s strict Christmas 2020 lockdown – which included a travel ban to and from the rest of the UK – Bowden found a certificate was due to expire on RoS’s virtual private network (VPN) client on 31 December. Nobody was in the office, so nobody could update their VPN, and nor could anybody get into the office to push an update.
“We were essentially going to lose our entire workforce off the network. But the XDR product, which we had pushed out to every endpoint by then, gave us a remote shell. That gave us the ability to jump onto those workstations via an automated script and pull down the updated package to reinstall the VPN client on the fly before the user was connected. So we had no loss of service for any of our staff,” says Bowden.
“It could have been catastrophic for us, to be honest. It could have massively impacted the business. Instead, it didn’t, there wasn’t even a blip. There have been a few cases like that, where we’ve been able to extend the use of tools beyond security to deal with challenges.”
Full steam ahead to AWS
Unpredictable challenges aside, the improvements Bowden has made to RoS’s security posture mean the transition to AWS is now proceeding at pace, although it won’t be fully complete for another year or more.
His small security team, which when he joined consisted of a graduate apprentice, an ex-copper and a retiree who had come back to work to help out for a bit, has benefited immeasurably from Prisma Cloud’s automated features.
“What Prisma Cloud was able to give us from the CSPM perspective was to not have to skill these guys up immediately in all of the security within AWS. What we were able to do was essentially point it at the AWS environment, say we want to apply GDPR and PCI-DSS compliance as a starter for 10, and hit the button,” he says.
“So immediately, we were able to get a step change in the security of the AWS environment we were developing, and that allowed us to then pivot back and focus on the internal stuff.”
Elsewhere, Palo Alto XDR is playing a vital role in helping the security team get to the bottom of potential incidents arising across the endpoint and server estate, while XSOAR is helping reduce the volume of day-to-day work taken up by managing phishing or otherwise problematic emails – something RoS receives a lot of from, for example, legal professionals who haven’t properly set up their own email security records.
Ultimately, Bowden reports he is himself spending much less time triaging and investigating alerts. “The amount of time taken to identify issues, investigate them and determine whether or not they are false positives has drastically dropped, and the skill level required to do that triage has reduced,” he says. “I no longer get involved in investigating every incident, which is what happened in the early days.
“Now we’ve got two guys, our graduate apprentice who recently qualified, and another junior member of the team who transferred out of one of the business analysis units, so he was totally non-technical before he joined the team three years ago and now he’s perfectly capable of dealing with pretty much any anomalous incident. We’ve got massive benefits from that.”