Not surprisingly, the question of GraphQL in government -- or highly regulated -- spaces is a topic that is broached somewhat regularly. The questions range from:

• Is GraphQL appropriate for legacy tech?
• Can GraphQL be used in my modernisation project?
• Does GraphQL work in a highly-regulated environment filled with a mix of modern and legacy systems?
• Can GraphQL be deployed securely?

The answer to all is, of course, yes.

However, there are several insights that can be derived from hearing someone describe how they have solved for these specific challenges.

Recently, Hasura hosted GraphQL Asia. The content was...as always...incredibly compelling. However one talk, in particular, was focused on GraphQL adoption in government (embedded at the end of this post).

Bharat Kashyap, software engineer at Samagra Development Associates, gave a talk described as:

At the Central Tech Team at Samagra - a governance consulting team working in four different states in India - we've been trying to create a culture of using open-source, scalable and fast (bleeding-edge) tech for government use cases. What we've done so far - enable tracking and monitoring of student and teacher attendance in all public schools of Haryana; building the technology architecture behind Mission Prerna, Uttar Pradesh's mission to transform basic education and enable tech systems that allowed Himachal Pradesh to be declared the country's best state in terms of learning continuity in 2020, according to the Annual State of Education Report. How do we do it - and how does GraphQL fit into the picture?

Bharat shared the 3 phases of evolution of government technology (particularly in context of the Indian government system) as:

• Computerisation
• Digitisation
• Public Digital Infrastructure

The latter is an emergent property and less well-defined than the others but Bharat provides detail of his viewpoint.
Interestingly, and having personally worked in several highly-regulated industries including government projects, the maturation cycle follows quite closely with our experience in a variety of countries. The difference being how, and where, on the journey a country (or industry) is in its journey.

It differs wildly! In fact, you will see that the use cases in smaller, or private, industry matches quite closely with initiatives in the government.

In this talk, the example of e-Samwad was given. This is referred to as “digital public goods for school education” and includes a mobile application for a parent-student interface, a unified student database, and a learning progress monitoring system.

Interestingly, this same capability has been taken -- sometimes renamed -- and used to solve similar challenges in neighbouring states.

This section began with a fantastic turn of phrase, “Deploying GraphQL in the greatest enterprise of all...the government.” In it, several challenges that are faced by government tech providers were enumerated. This included migration from legacy systems with a focus on the wide-variety of products that are already deployed in the public sector. It is interesting to note that Hasura’s support for SQL Server was directly referenced here as important and necessary.

Interestingly, the second challenge was particularly interesting and simply was called ‘Community’. To quote:

GraphQL exists because of its active community. But, sometimes the features that we would want to prioritise for governments are not the ones that are being prioritised by the community. That is, of course, a common challenge for open-source systems.

Having lived through this tension more than once, I am not surprised it is of concern. However, the community at Hasura is incredibly welcoming of -- and open to the needs of -- all categories and types of users. I suspect we will see the same trend more broadly in the GraphQL ecosystem.

The benefits can be as important as the challenges. In this case, GraphQL was described as “fast”. Fast to build, to develop, to deploy, to iterate. Also, GraphQL is configurable in that you aren’t dependent on a particular stack or library. And, finally, it is scalable...both in its ability to handle traffic as well as to handle use-cases across multiple government entities or states. In fact, the solutions referenced are deployed in a region with a population of 200M!

Of course, no post about regulated industries (finance, banking, healthcare, public-sector, etc) is complete without a consideration of security and compliance. While this did not feature heavily in the talk (as lightning talks can be restrictive) it is an important topic. This is, in fact, why Hasura Cloud attesting to SOC2 type 1 and HIPAA certifications was such an important item on our roadmap. In fact, recently, we have reworked the entirety of our Hasura Security page to cover the topic of security and compliance more broadly.

We all know that compliance is simply a milestone and achievement (or if you are slightly more cynical, a ‘checklist’). However, adopting the required security posture for applications in highly-regulated environments requires not only compliance but planning your system for confidentiality, integrity, and availability. Our rigorous compliance audits are only a small component of the Hasura offering.

Next Steps

If you are interested in learning more about GraphQL, we’ve pulled together everything from a high-level overview to a comparison of GraphQL vs Rest to more information about the GraphQL Community.

Of course, the best way to learn is to ‘try’. Hasura Cloud is compliant, secure, highly-available and has a fully-realised free tier that lets you explore our offering in context of your desires. It takes about 30 seconds to get started.