Enterprise cloud security, NCSC CAF alignment, Microsoft Fabric data platform, and a Cloud Centre of Excellence — delivered for a UK Combined Authority.
UK Combined Authorities occupy a complex position: they hold significant responsibility for regional economic development, transport, and public services, but operate with limited central IT functions relative to their remit. This Combined Authority faced overlapping challenges — an Azure environment that had grown organically without formal security controls, a fragmented data landscape preventing effective regional reporting, and no clear strategic framework for cloud adoption or cyber security.
The organisation needed more than a technical review. It needed a coherent technology strategy that could survive political cycles, provide a credible platform for the re-tender of managed cyber services, and give leadership the assurance that sensitive regional data was properly protected. At the same time, the appetite to exploit Microsoft Fabric and AI capabilities was growing, without a clear understanding of what security foundations were required first.
Magma Cloud was engaged to lead across the full technology and cyber security agenda. We began by establishing the baseline: reviewing the existing Azure environment, identifying configuration gaps, and assessing posture against the NCSC Cyber Assessment Framework (CAF). That assessment gave the organisation a clear, evidence-based view of where it stood across all 14 CAF principles — and what needed to change before any expansion of cloud services.
In parallel, we designed and established a Cloud Centre of Excellence (CCoE) — a governance function providing standards, patterns, and oversight for all cloud workloads. This gave the organisation the internal framework to sustain cloud security improvements without relying on external consultants for every decision.
We then authored the Core Technology Strategy and Cyber Security Strategy — two linked documents giving the executive leadership team a five-year roadmap, prioritised by risk and aligned to the CAF. Both strategies were written to be readable by non-technical stakeholders and to survive committee scrutiny.
With security foundations in place, we designed and implemented the Microsoft Fabric data and AI platform — an enterprise-grade data architecture connecting the Combined Authority's regional datasets, enabling reporting and analytics that had previously required manual reconciliation across disconnected systems. Security controls, access governance, and data classification were built in from the outset.
Finally, we led the re-tender of managed cyber services — preparing the specification, evaluation criteria, and scoring framework, and supporting the selection process to ensure the incoming provider would work within the CAF-aligned security baseline we had established.