Scottish Government Maintains Security Edge and Drives Multi-Cloud Transformation with F5

The Scottish Government’s Agriculture and Rural Economy Directorate (ARE) is responsible for promoting and supporting the agricultural economy in Scotland, including through the payment of subsidies.

Its IT team manages web-based applications that farmers use to claim financial support of up to $1 billion per annum–a critical area of ARE’s work and one in which identity management, secure access, and protection from attacks are paramount.

The Challenge

F5 has been supporting ARE since the early 2000s to maximize the efficiency and security of these applications—from load balancing to identity management, WAF protection, and the support of a managed services security team.

For ARE, the key challenges have been to maintain and modernize its application security in a constantly changing threat landscape and pursue digital transformation prudently–all with a close eye on cost and the security implications of moving workloads into the cloud or maintaining them on-premises.

This is where F5 came into the picture, providing the latest technology in application security, access to expertise and resources, as well as support to develop a multi-cloud strategy that has flexibility and control as its hallmarks.

The Solution

As a long-term F5 customer, ARE has used a wide range of F5 products and services to meet application security and delivery needs. Having initially deployed F5 on-premises for traffic management and load balancing, it subsequently sought a solution for identity management after encountering cost constraints with its existing provider.

“We had certain challenges as IT matured, the platforms evolved, and cloud became a key player,” recalls Neill Smith, Head of IT Infrastructure at ARE.

“When we started to move workloads into the cloud, one of the real challenges was that our existing identity management provider was working successfully, but when we were trying to port applications and our IM stack, it was becoming prohibitive due to cost and licensing restrictions. It was blocking us from maturing.”

The switch to BIG-IP Access Policy Manager was a gamechanger. “Not only was it cheaper, but it gave us flexibility to analyze all our applications and run them where they fit best,” says Smith.

Already a user of Advanced Web Application Firewall, ARE also decided that its needs would be best served by using the solution as a managed service via Silverline.

“We had some challenges recruiting and retaining the right talent for cybersecurity,” Smith explains.

“It’s all good having a WAF, but how are you monitoring it? Are you monitoring it continually? How many resources are required, and how much does that cost? Silverline gave us that ability to manage and monitor the application protection with cybersecurity experts on call. That gave us greater reassurance that we can apply our WAF rules in a way that gives us 24x7, 365-protection.”

Determined to stay ahead of a fast-paced threat landscape, ARE has continued to work closely with F5 to carefully evolve its approach to application performance and security.

The Benefits

Multi-Layer Security 

“The good thing for me has been seeing F5 pivot and react to the ever-changing landscape of the IT world,” Smith reflects. “From my side it’s reassuring to see F5 recognizing the trends, reacting quickly, and identifying key areas.”

The upshot is that F5 has helped ARE to implement multiple layers of security that minimize its vulnerability to cyberattacks.

“What we’ve done with F5 is to add layers,” he adds. “F5 provides numerous layers of the security onion. You’re never going to be fully protected, but it’s about minimizing that attack radius.”


In addition, by using F5’s managed service offering, Silverline Web Application Firewall, ARE has not only gained reassurance that it has experts on call around the clock, but it has also been able to make better use of its in-house IT team.

“The shift into Silverline not only gives us greater protection—it has also freed up the time of people, who would otherwise have been monitoring our WAF on-premises, to do other cybersecurity tasks,” Smith enthuses.

Dealing with New Forms of Attack

Most recently, ARE has been working with F5 to leverage advanced technology for application security and multi-cloud workloads.

“Silverline Shape Defense provides us with end-to-end application security using its AI and machine learning capabilities. It’s the modern way of thinking, and it’s going to be very powerful for new styles of attack,” Smith says. “It’s given us another layer of protection in areas like credential stuffing and through enabling us to utilize the fraud and abuse prevention platform that F5 provides.”

Preparing for the Future

In parallel, ARE is piloting solutions from F5 Distrubed Cloud Services to explore a multi-cloud strategy for managing its workloads. This entails joining public and private clouds together (network stitching) with Distributed Cloud Mesh. ARE is also looking at using Distributed Cloud App Stack to move a microservices API between public clouds to achieve high availability and additional cost optimization.

“For me, multi-cloud means the ability to control your workloads and run them where and whenever you choose,” says Smith. “I want the ability to move those workloads effectively at the click of a button, and that’s where F5 comes in. It can enable our developers to do what they’re good at, which is coding, with the F5 Distributed Cloud Platform orchestrating the movement and execution of those workloads wherever we choose.”

Having worked together for such a long time, F5 now has an extensive understanding of ARE’s specific needs as a government organization managing significant volumes of payments via web applications.

“There’s a relationship, particularly with the account team I have. They take an interest in who we are and what we do. And they only come knocking on the door in terms of new products and services when they know it will be relevant for us,” says Smith.

“F5 is there to help me out when I need it. That’s what you want–someone who understands you, rather than just treating you as another customer and another number.”

  • Maintain and modernize application security in a constantly changing threat landscape
  • Develop a multi-cloud strategy with flexibility and control
  • Accelerate and optimize digital transformation across organization

  • Multiple layers of security, minimizing vulnerability to cyberattacks
  • Multi-cloud flexibility and control
  • 24/7 support