Architecting govCMS: Australian Government as a Service

Australia - govCMS Government as a Service NYC Camp 2015

Upload: david-peterson

Post on 18-Aug-2015


David Peterson, Senior Solution Architect Asia Pacific & Japan, Acquia

@davidseth #govCMS

• What is govCMS • Why Open Source • Best Practices • What we have Learned • Future

govCMS is a whole of gov re-think about online, agile, accessibility, procurement, security, support and open source.

Not just code.

• What is govCMS • Aims • Why did it come about

The govCMS Program

govCMS SaaS Platform

govCMS Distribution

govCMS Deed Professional Services

• Drupal • Security • Public Cloud • Deed • Agile • Design Standards / Accessibility • Services

govCMS

• Disparate technologies • Costly hosting and software maintenance • Substantial staff overhead to keep websites online and secure • Difficulty complying with gov standards: design, accessibility, privacy & security • Limited number of staff within agency with appropriate skills to manage the website

govCMS: What Problems does govCMS Solve

• Reduced time for procurement • Improved mobile delivery • Cost savings related to sharing of code between agencies • Better portability of websites during MoG changes • Reduced stand-up time for new websites

Benefits

• Portability of talent as people move between agencies • Increased desire to upskill with Drupal • Encouraged to share code and be part of community

Benefits: Total Reinvention of Skills and Sharing

How did it come about

• Policy for eGovernment and the Digital Economy [let’s go online] • AU gov’s Open Source Policy [share code and functionality] • AU gov’s Cloud Computing Policy (v3) [save costs, ensure security] • Best practice service design (DTO) [accessibility & easier to use]

Modern Approach to Tech

Open Source

• Security • You can look at the code • You can diff the code • Many eyes - Community • Roadmap • Community

Open Source: Why is it Dominating in Australian Government?

• Roadmap • Community • Broader adoption by Aussie companies • Shared code, create once use many

Open Source: Why is it Dominating in Australian Government?

Principle 3 of the Australian Government Open Source Software Policy:

“Australian Government agencies will actively participate in open source software communities and contribute back where appropriate”

Functionality created by one agency can be made available for all

Open Source: Why is it Dominating in Australian Government?

• Must be *truly* Open Source • Must not be .Net or Ruby • Resulted in 18 systems • 3 finalists: Magnolia, Liferay, Drupal

Open Source: Australian Government Criteria for CMS

• Largest community • Largest number of companies in AU • Largest number of freelancers • Extensibility of module system

Open Source: Why Drupal was Selected

• govCMS distribution available on d.o and github • https://drupal.org/project/govcms • https://github.com/govCMS/govCMS/

• IRAP assessment against the ISM (used FedRAMP mapping) • Always updated for security and feature enhancements

govCMS Distribution

Dependencies: git & composer

git clone git@github.com:govCMS/govCMS.git
cd govCMS
composer install --prefer-dist --working-dir=build
build/bin/phing -f build/phing/build.xml build

govCMS Distribution

• Phing for build • Behat for testing • Travis CI used for test runner

• Drupal • Code • Security • Skills • Cloud

Best Practices

• Saves an agency time • Compliance ticks out of the box:

• Public cloud • Open Source • IRAP assessed • Alignment to the ISM

Best Practices: Drupal > OOTB

• Continuously improved • Security maintained and the distribution regularly updated • Metadata standard minimums adhered to • Can just get on with maintaining the site's content

Best Practices: Drupal > OOTB

• Really limit number of Drupal modules • No module creep • Limitation was the best part • Learning to use Drupal • Finding the balance between what the client *thinks* they need vs what they actually need

Best Practices: Drupal > Distribution

• 85% of functionality, give up some functionality for stability & security • Frame limitations as a feature, don't start with can't do this, can't do that

• Start with Security, Stability and Performance • It's about the efficiencies, they don’t have to think about it, they know they are getting value for money • Really it is more than the distro. Whole is greater than the parts. • Don’t code your way out of every Drupal problem. Use Drupal.

Best Practices: Drupal > Site Building

• Governance is key • Thoroughly documenting the procedures allows for security accreditation, who's responsible, owning the roadmap, ensuring stability • Preference for secure, stable code over "there's a module for that". • Initially a "hard sell", but that quickly dissolves as soon as the positives are discussed

Best Practices: Code > Governance

• Requests for new functionality follow a prescribed process: d.o issue, reviewed by gOps team • Don't ask for a specific module, propose a problem • "I would like an email sent out when a content item needs approval"

• gOps team will look into potential reusability across other govCMS sites as well as best implementation

• Automated testing is crucial

Best Practices: Code > Adding new Functionality

• Every site is secure by default (even the forgotten ones) • https everywhere • Locked down protected Drupal paths • No storage of PII information (yet) • Antivirus • Best practice platform, configuration, DNS management • Expert DDoS & CDN

Security

• AWS Sydney Region across both Availability Zones • Acquia Cloud Site Factory • Constant monitoring • Over engineer your security stack • Disaster Recovery • Offsite archival backup 7 years • Offsite Log storage 7 years

Cloud

• Less is more • Keep modules to a minimum, every single one needs to be updated and tested. Gets even more critical when running 100s of sites • Have a process to get new functionality included into govCMS

• Jumpstarts to enable teams • Get beginners up and running quickly • Agile training • Support

What we have Learned

• Massive amount of interest from agencies large and small. Four of the largest AU agencies are all building sites on govCMS, one launched so far. • Larger Agencies want to be part of the platform strategy • Agencies are happy to share back functionality to govCMS distro

• Much wider impact on other State and Local gov • schoolCMS • councilCMS

What we have Learned: Uptake

• Pattern 1 — basic site, good fit for govCMS • Pattern 2 — bit more complex, “may” need some additions to govCMS • Pattern 3 — a lot of extra functionality, needs some additions to govCMS

What we have Learned: Build Patterns

• Build pattern sites that can be cloned • Set of configuration all bundled up in a site that no one will run in production but can be used for a starter site • I've got limited budget, what is the best way to get going?

• Sub theme, change colours, replace content and they go. One week later

• And these sites are rock solid secure, DDoS, updated with security patches

What we have Learned: Build Patterns

Skill Sets

Low Complexity

Medium Complexity

High Complexity

Expected Project Uptake

• Cloud Security best practices • Code Security best practices • Automated testing best practice • Drupal distro

Sharing

• Expanded functionality • Platforms for

• School • Local Government • Councils

• DTO (Digital Transformation Office) • Government as an API

Future

Questions?

@davidseth #govCMS