In March last year, the UK undertook its first national census in a decade. Back in 2008, the Office of National Statistics had awarded the contract to operate the census to Lockheed Martin, the US company best known for developing military technology.
Security was a primary concern for Lockheed Martin. Any breach in census data would have proved highly damaging for the company, which also operates censuses in the US and Canada.
"This was a very public-facing project and the implications would have been very serious had there been a problem," explains Graham Emmons, UK census programme manager at the company.
Furthermore, the terms of its contract with ONS dictated that once the infrastructure and processes were in place and the census was underway, Lockheed Martin could not handle any of the data collected itself.
"We had to give commitments from the outset that we would not have access to census data at any time," says Emmons.
This meant it had to build a highly secure operation for collecting and processing paper questionnaires and the infrastructure to support online census forms, all of which would be handed over to its subcontractors once the census began.
Tiered architecture
Last year was the first time that the UK offered citizens the ability to fill out their census questionnaires online. Lockheed developed the back-end to the questionnaire itself, while the front-end was built by user interface specialist Web Technology Group.
"The web infrastructure had a tiered architecture, so the public facing services were isolated from the back-end services," explains David Williams, UK census security manager at Lockheed Martin.
The system was hosted in two sites, one of which was operated by networking provider Cable&Wireless. "We had complete redundancy, so we could lose an entire site or network and still maintain the experience for the end user," says Williams.
In fact, Lockheed Martin ensured that the web census could withstand up to 170,000 concurrent users. In the event, the website never saw anything like that volume of traffic, as uptake of the online questionnaire was less than anticipated. "We couldn’t take any chances," says Williams. "Nobody knew what level of take up we would get."
Paper questionnaires were collected at a specially leased facility in Manchester, which also housed some of the project’s IT infrastructure. The job of scanning the questionnaires into Lockheed’s optical character recognition systems was done by specialist subcontractor UK Data Capture Ltd.
Access to the paper forms was highly controlled, however, and the Manchester facility was divided up into security zones. "The whole site was divided into zones with different levels of sensitivity and risk, and there were identity card access points for every zone," explains Williams. "Access to the various zones depended on the sensitivity of the information."
Every one of the 1,300 staff working on the site had to get security clearance to the UK government’s SC (security check) standard, as though they were handling state secrets. "The census information itself was not classified as secret, but the ONS made a commitment that all staff would be cleared to that level in order to provide extra assurances," explains Emmons.
Hands-off approach
The IT equipment on the site was subject to tight procedural control. "Every port on every computer was locked down so that nobody could use removable devices," says Williams. "ONS themselves were the only ones that had the privileges to enable and disable external ports, and there was a huge amount of procedure to extract the data when it came to delivering the data to the client."
When the census began on 24th March, all Lockheed staff were obliged to leave the Manchester facility. "Having designed, tested and implemented the solution, we had to leave the facility for our partners to operate it," explains Emmons.
"This meant we were unable to have visibility into the system while the census was running," he adds. "Our contract had some substantial penalties in the event that something went wrong, and yet we were completely dependent on our partners to operate it. That in itself was a massive challenge."
"The day before we went live, Lockheed Martin personnel were in there trying to make sure that everything was tested thoroughly," Emmons recalls. "Then there was a security lock down, and we were instructed to leave."
Lockheed staff provided 24-hour remote support during the census, but the hands-on IT work fell to systems integration partner Steria. But while Lockheed provided Steria workers with detailed training in advance of the census, once it had begun the client – ONS – was in charge.
"Steria staff were seconded under ONS management control," explains Williams. "That meant that Lockheed Martin couldn’t instruct Steria directly." The IT infrastructure was also independently tested to ensure that no-one – especially Lockheed – had remote access, he adds.
The census ran without major incident, although the fact that take-up of the online questionnaire was significantly lower than expected meant that Lockheed Martin and the ONS renegotiated the cost of the project, given that there was more manual processing involved than planned.
The data collected from the website and from the paper questionnaires via optical character recognition was compiled in an Oracle database, again replicated across two sites for business continuity. Data was periodically sent to ONS over a secure network connection, while scanned images of the questionnaires were sent via secure media delivery, to allow ONS to cross-check the submissions and for archiving purposes.
"Somewhere in the region of 28 million households completed the questionnaire, 4 million of which were via the Internet," explains Emmons. "Each questionnaire had 32 pages and every page was scanned and read. That’s the scale of the data we were collecting in terms of images and data."
Secure disposal
Questionnaires were stored on site until the entire exercise was complete, and were only destroyed after a final reconciliation against the OCR data. Each questionnaire was shredded before being sent to a pulping plant to be recycled. "Everything had to be shredded to exacting standards before it could be transported to the pulping mill," says Williams. "That was a very rigorous exercise."
Once the data had been cross-checked and delivered to the ONS, it was wiped from the on-site IT equipment. "We had between 700 and 8000 desktops and a whole raft of servers," explains Emmons. "We used CESG-approved products to wipe the hard drives, and when there was any question about the effectiveness of the wiping – for example, if there was an error or if a particular piece of equipment didn’t lend itself to a CESG-approved product – then it was physically destroyed."
Only once all the data had been wiped was Lockheed able to return to the Manchester facility. "We didn’t go back until all the decommissioning was complete two months ago," says Emmons.
It is not certain that there will ever be another census data collection exercise of this scale in the UK, as the ONS is investigating the possibility of using alternative sources of demographic data to compile the census.
But the lengths that Lockheed Martin took to ensure the security of the data collected may be a sign of things to come for conventional businesses, as information security threats become increasingly sophisticated and data protection regulation grows stricter.