Security and governance in the cloud


Published on

An examination of NHS England's journey to the cloud with a particular focus on security and governance issues related to the NHS & UK Government.

Please note that there are additional notes in the presentation including some additional explanation of the slides.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Cyber
    It’s just security!
    A new name for an old problem
    But some new challenges too
    But it is a convenient name
    Helps others get a handle on it, makes it a more tangible target

    cloud (small c)
    External services
    Not in our (or SI’s) data centre
    Some scalability
    Perhaps up more than down, maybe some limits
    E.g. ESR, NHSmail, O365

    Cloud (big C)
    Public vs Private
    Can be either, public increasingly common as security and confidence improves
    Scale up/down
    Micro charging
    Turn on/off instantly. Pay for whats on, when its on.
    Like a BANK (reusing money)
  • ALB + NHS = Part of 2 worlds.

    Central Government financial controls
  • Initial cloud use: ESR, NHSmail, PDR, Expenses, Office 365, Corestream, Kontiki
    (cloud with a small c)

    Not much legacy, little to no migration
  • Timeline of change
    Early days IT was magic and needed lots of magicians.
    Businesses wanted focus, magicians moved to specialist “temples”
    Now IT is a commodity, business users know and can do more themselves
    Gaps: Cyber, Operations, Control/Governance

    reducing costs (no capital investment in data centres full of expensive kit),
    ability to scale up/down instantly,
    increased agility (reducing time to deliver/change)

    Some Potential Cost Issues
    Highlights are often amazingly cheap compared to on-prem (but not always)
    Not always obvious - get the right license, watch out for required extras
    The highlight cost not always the true cost
    Don't forget the addons & the tools
    Watch out for the shift from capital to revenue
    Control Mission Creep

    “Slack was the fastest growing cloud app amongst Okta customers in the second half of 2015, with a 77 percent increase in adoption.” -
  • The Threats
    Combat Cloud DDOS with tested, safe DNS configurations and maybe direct WAN links
    Combat Ransomware with Versioned, Offline backups.
    Combat Phishing with education.
    Your data IS interesting! And valuable. Lots of bits of data make up a big picture.
    Low value targets pave the way to jump to high-value targets.
    Say No?
    No! Security is about ensuring the organisation safely delivers, not about blocking access or blindly following the “rules”
    Dig under the skin of assumptions – e.g. patient data has to be in England.
    Understanding and managing the risks
    DC vs Cloud Security
    Does Cloud service security being better than a DC mean it will never fail? No, no more so than a self-driving car, but they are safer.

    Information Security Policy (It's important to have an overarching policy which basically covers all bases at a high level) 
    Incident Response (No one can guarantee 100% security)
    Access Control (Don't forget 3rd Party Access)
    Vulnerability Management (In particular Patch Management)
    Information handling & retention policy (This works if you are confident of you data classification )
    Acceptable Use Policy (Covers things that 5 misses)
    From <cisp>

    Almost half of NHS Trusts make no attempt to monitor cloud app usage, according to the results of a Freedom of Information request.
    From <>

    A new book by Luis Ayala "Cybersecurity for Hospitals and Healthcare Facilities" provides an ideal resource for hospital managers and administrators. Wishing to come up to date with the types of attack hospitals are likely to face. In fact Ayala found over 170 possible attack vectors. Condensing them into the main point in this concise and informative book :
    1. Hacker Reconnaissance of Hospital Networks.
    2. How Hackers Gain Access to Healthcare Facilities.
    3. Active Medical Device Cyber Attacks.
    4. Cyber-Physical Attacks.
    5. Hospital Insider Threat.
    6. Detection of Cyber Attacks.
    7. Preventing Cyber Attacks.
    8. Cyber Attack Response and recovery Planning.
    Cyber Attack Response Procedures Template.

  • Moving away from centralised compliance to risk management
    Simplify the message so non-security specialists understand it
    Less domain specific – no more NHS-only terminology
    Greater alignment to commercial offerings
    Get rid of bespoke, no more “but we’re special” thinking
    Security becomes proportional to the risk
    Not one-size-fits-all
  • Centralised Compliance vs Principles based Risk Management
  • Sort the governance early
    Data sovereignty, Data classifications. SIRO sign-off
    Understand the risks
    Get sign-off early
    Simplify and clarify – data classifications
    Shadow IT is a growing reality – how to deal with it?
  • Many people actually hate change – though they claim they want it
    Fear, restricted understanding
    Overlapping services can be are confusing
    Too many options. Need to simplify the message.
    Pick & choose areas of focus, build in layers.
    Communicate - evangelise – encourage
    constantly – IT not always good at this – get the help of others
    Not everyone listens to IT
    Use the language of the business
    The key to communications, especially at higher levels
    Especially challenging to “magicians”
    The "evergreen" problem
    Constant change
    Apps only supported to n-1
    Especially hard in mixed environments
    Ongoing need for comms
    Taking responsibility not just taking "training“
    Business users have to take responsibility along with innovation
    Lots of short videos are good
    Easy way to consume, not difficult to produce (though takes practice & some confidence)
    Shifting staff skills
    You WONT have all the skills
    You WILL have to lose some people – not redundant, more changed
  • From a lessons learnt document shared via Crown Technology Services
  • Future Networks
    More agile, lower latency, private connections to public clouds
    Sharing infrastructure
    Cloud Managed Identities & SSO
    Cloud Managed Desktops
    The next BIG change!
    Tremendous opportunities for agility and further cost controls
    Unified Comms
    Simplify, reduce friction
    Lower costs by further eliminating travel
    More Azure
    Or other cloud platforms! 
  • LinkedIn
  • Security and governance in the cloud

    1. 1. Security and Governance in the Cloud NHS England’s use of technology 2016-11-18
    2. 2. Sky News, Wednesday 16th November 2016 A Sky News investigation has discovered the NHS trusts putting patients at risk by not protecting their data online. Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015. Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers. Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts' emails and passwords, through public searches.
    3. 3. • It’s just security! • But it is a convenient name • External services • Some scalability • E.g. ESR, NHSmail • Public vs Private • Scale up/down • Micro charging Definitions Cyber cloud Cloud
    4. 4. • A non-departmental public body, an Arm’s Length Body of the Department of Health, part of the NHS Constitution • Improving outcomes for patients, modernising • Support and allocate resources to CCG’s • Direct commissioning services Background to NHS England
    5. 5. • Built on open principles & the premise of minimal patient data • Starting up as public Cloud was really taking off • Considerable cloud use from the start • “Infrastructure Free” • Required to adopt existing solutions • 3,500 people, 33 offices ► 7,000–8,000 people, 51 offices • Contact Centre • Highly sensitive information • 10-12 thousand contacts a month • Dynamics Online – Ministerial Sign-off Building a New Organisation
    6. 6. • Cost • Flexibility, mobility • Speed to delivery • Evergreen Why the Cloud? • Centralised • Difficult to steer IT Dictates • Expensive to change • Slow to change SI does the heavy lifting • Improve agility • Lower Costs • Knowledge gap Business Leads
    7. 7. • The Threats • DDOS • Ransomware • Phishing • Malvertising • Lots of little attacks accumulate data • Sensitive data "has" to be in England!, "You can't offshore", "You can't put that in the cloud!" • Convincing the naysayers: Asking why, assessing the actual risk not the assumed risk • Getting people to own the risk and management • Is your (suppliers) datacentre more secure than a global scale specialist? Security
    8. 8. • Moving away from centralised compliance to risk management • Simplify the message so non-security specialists understand it • Greater alignment to commercial offerings • Security becomes proportional to the risk • No more “Computer says no” Agile Security
    9. 9. • The landscape has changed • Working outside the security boundary • Shifting boundaries • Untrusted environments - do you want this? • Checking the location of Cloud data • Not everything is where you think it is • Check where support is located • Eyes on • The need to review reports • Audit, DLP, "Secure Score“ • Security Information & Event Management (SIEM) • Identity Management & SSO • Integrated on-prem SSO requires authentication channels from the Internet (unless using ExpressRoute or VPN) • Two-Factor Authentication Security: Some Challenges
    10. 10. • Sort the governance early • Understand the risks • Get sign-off early • Simplify and clarify – data classifications • Shadow IT is a growing reality – how to deal with it? • We are actively pushing IT out to the business – but less strict controls mean more governance required. Governing the Cloud?
    11. 11. • Many people actually hate change – though they claim they want it • Overlapping services are confusing • Communicate - evangelise – encourage • Use the language of the business • The "evergreen" problem • Apps only supported to n-1 • Ongoing need for comms • Taking responsibility not just taking "training“ • Lots of short videos are good • Shifting staff skills Engagement
    12. 12. • Overlapping services • Shifting network requirements • The "evergreen" problem • Apps only supported to n-1 • Ongoing need for comms - evangelise - encourage • Taking responsibility not just taking "training" • Test environments • Shifting staff skills • Cost creep • Backup/Archive • O365 is BIG! Take care with deployment projects • Clear down and tidy AD first • Migration Other Lessons
    13. 13. Quote from Land Registry “Office 365 isn’t a project, it’s a way of life. You will forever be tweaking and changing things, along with rolling out, restricting and managing new features”
    14. 14. • Cloud offers genuine savings and flexibility • Governance is achievable – politics not technology • Security is there but people need convincing and processes need amending • The pace is fast! Get ready to run. • The journey continues – desktop is next Recap
    15. 15. • Future Networks • Cloud Managed Identities & SSO • Cloud Managed Desktops • Unified Comms • More Azure Roadmap for NHS England
    16. 16. Email: ************** LinkedIn: julianknight2 Twitter: @knightnet Julian Knight Head of Corporate ICT Technology & Security Transformation & Corporate Operations NHS England