
Security and governance in the cloud


An examination of NHS England's journey to the cloud with a particular focus on security and governance issues related to the NHS & UK Government.

Please note that the presentation also carries speaker notes with further explanation of the slides.


1. Security and Governance in the Cloud: NHS England's use of technology (2016-11-18)
2. Sky News, Wednesday 16th November 2016
   "A Sky News investigation has discovered the NHS trusts putting patients at risk by not protecting their data online. Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015. Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers. Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts' emails and passwords, through public searches."
3. Definitions
   Cyber
   • It's just security!
   • But it is a convenient name
   cloud
   • External services
   • Some scalability
   • E.g. ESR, NHSmail
   Cloud
   • Public vs Private
   • Scale up/down
   • Micro charging
4. Background to NHS England
   • A non-departmental public body, an Arm's Length Body of the Department of Health, part of the NHS Constitution
   • Improving outcomes for patients, modernising
   • Support and allocate resources to CCGs
   • Direct commissioning services
5. Building a New Organisation
   • Built on open principles & the premise of minimal patient data
   • Starting up as public Cloud was really taking off
   • Considerable cloud use from the start
   • "Infrastructure Free"
   • Required to adopt existing solutions
   • 3,500 people, 33 offices ► 7,000–8,000 people, 51 offices
   • Contact Centre
     • Highly sensitive information
     • 10–12 thousand contacts a month
     • Dynamics Online – Ministerial sign-off
6. Why the Cloud?
   • Cost
   • Flexibility, mobility
   • Speed to delivery
   • Evergreen
   IT Dictates
   • Centralised
   • Difficult to steer
   SI does the heavy lifting
   • Expensive to change
   • Slow to change
   Business Leads
   • Improve agility
   • Lower costs
   • Knowledge gap
7. Security
   The Threats
   • DDoS
   • Ransomware
   • Phishing
   • Malvertising
   • Lots of little attacks accumulate data
   • "Sensitive data has to be in England!", "You can't offshore", "You can't put that in the cloud!"
   • Convincing the naysayers: asking why, and assessing the actual risk, not the assumed risk
   • Getting people to own the risk and its management
   • Is your (supplier's) datacentre more secure than a global-scale specialist's?
8. Agile Security
   • Moving away from centralised compliance to risk management
   • Simplify the message so non-security specialists understand it
   • Greater alignment to commercial offerings
   • Security becomes proportional to the risk
   • No more "Computer says no"
9. Security: Some Challenges
   • The landscape has changed
     • Working outside the security boundary
     • Shifting boundaries
     • Untrusted environments - do you want this?
   • Checking the location of Cloud data
     • Not everything is where you think it is
     • Check where support is located
   • Eyes on
     • The need to review reports
     • Audit, DLP, "Secure Score"
     • Security Information & Event Management (SIEM)
   • Identity Management & SSO
     • Integrated on-prem SSO requires authentication channels from the Internet (unless using ExpressRoute or VPN)
     • Two-Factor Authentication
10. Governing the Cloud?
   • Sort the governance early
   • Understand the risks
   • Get sign-off early
   • Simplify and clarify – data classifications
   • Shadow IT is a growing reality – how to deal with it?
   • We are actively pushing IT out to the business – but less strict controls mean more governance is required
11. Engagement
   • Many people actually hate change – though they claim they want it
   • Overlapping services are confusing
   • Communicate - evangelise - encourage
   • Use the language of the business
   • The "evergreen" problem
     • Apps only supported to n-1
     • Ongoing need for comms
   • Taking responsibility, not just taking "training"
     • Lots of short videos are good
   • Shifting staff skills
12. Other Lessons
   • Overlapping services
   • Shifting network requirements
   • The "evergreen" problem
     • Apps only supported to n-1
     • Ongoing need for comms - evangelise - encourage
   • Taking responsibility, not just taking "training"
   • Test environments
   • Shifting staff skills
   • Cost creep
   • Backup/Archive
   • O365 is BIG! Take care with deployment projects
     • Clear down and tidy AD first
     • Migration
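"Clear down and tidy AD first" is the one concrete pre-migration step on the slide, so here is an added example of what that tidy-up looks like in practice. This is not NHS England's script and not from the presentation: it is an illustrative PowerShell report, written for this page, that runs the three checks most often behind failed directory synchronisation to Office 365: enabled accounts with no logon in 90 days, enabled users whose UPN suffix is not a domain the tenant will accept, and proxy addresses shared by more than one object. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the `$VerifiedDomains` list and the 90-day threshold are placeholders to replace with your own values.

```powershell
# Added example: pre-migration AD hygiene report (not the presentation's own code).
# Assumes the ActiveDirectory RSAT module and a domain-joined session with read access.
Import-Module ActiveDirectory

# Assumptions to replace: the UPN suffixes verified in the tenant, and the inactivity window.
$VerifiedDomains = @('example.nhs.uk')
$StaleAfter      = New-TimeSpan -Days 90

# 1. Enabled user accounts with no logon inside the window (or no logon at all).
#    Each one that syncs is a live cloud identity nobody is watching.
$stale = Search-ADAccount -AccountInactive -TimeSpan $StaleAfter -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# 2. Enabled users whose UPN is missing or uses a suffix the tenant has not verified.
#    These sync under a fallback onmicrosoft.com name and break the SSO expectation
#    that the cloud login equals the on-prem login.
$badUpn = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
    Where-Object {
        -not $_.UserPrincipalName -or
        ($VerifiedDomains -notcontains ($_.UserPrincipalName -split '@')[-1])
    } |
    Select-Object SamAccountName, UserPrincipalName, mail

# 3. proxyAddresses values present on more than one object (users, groups, contacts).
#    Directory sync rejects the second object it meets with a duplicate address.
$dupes = Get-ADObject -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses |
    ForEach-Object {
        foreach ($a in $_.proxyAddresses) {
            [pscustomobject]@{ Address = $a.ToLower(); Object = $_.DistinguishedName }
        }
    } |
    Group-Object Address |
    Where-Object Count -gt 1

# Summary for the migration meeting, plus CSVs for the people who own the clean-up.
"{0} enabled users inactive for more than {1} days" -f $stale.Count, $StaleAfter.Days
"{0} enabled users with a missing or unverified UPN suffix" -f $badUpn.Count
"{0} proxy addresses used by more than one object" -f $dupes.Count

$stale  | Export-Csv .\stale-users.csv -NoTypeInformation
$badUpn | Export-Csv .\bad-upn.csv -NoTypeInformation
$dupes  | Select-Object Name, Count, @{ n = 'Objects'; e = { $_.Group.Object -join ';' } } |
    Export-Csv .\duplicate-proxyaddresses.csv -NoTypeInformation
```

Run it read-only first and hand the CSVs to the account owners; disabling or deleting from the script is deliberately left out, because the slide's point is that governance decisions (who owns each stale account, which domains are in scope) come before the technical migration.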
13. Quote from Land Registry
   "Office 365 isn't a project, it's a way of life. You will forever be tweaking and changing things, along with rolling out, restricting and managing new features"
14. Recap
   • Cloud offers genuine savings and flexibility
   • Governance is achievable – politics, not technology
   • Security is there, but people need convincing and processes need amending
   • The pace is fast! Get ready to run.
   • The journey continues – desktop is next
15. Roadmap for NHS England
   • Future Networks
   • Cloud Managed Identities & SSO
   • Cloud Managed Desktops
   • Unified Comms
   • More Azure
16. Julian Knight, Head of Corporate ICT Technology & Security, Transformation & Corporate Operations, NHS England
   Email: **************
   LinkedIn: julianknight2
   Twitter: @knightnet