An examination of NHS England's journey to the cloud with a particular focus on security and governance issues related to the NHS & UK Government.
Please note that there are additional notes in the presentation including some additional explanation of the slides.
2. Sky News, Wednesday 16th November 2016
A Sky News investigation has discovered the
NHS trusts putting patients at risk by not
protecting their data online.
Seven NHS trusts, serving more than two million
people, spent nothing on cybersecurity in 2015.
Sky News worked with security experts to find
serious flaws in their cybersecurity, which could
be easily exploited by relatively unskilled
hackers.
Hacker House was able to find misconfigured
email servers, outdated software and security
certificates, along with NHS trusts' emails and
passwords, through public searches.
3. • It’s just security!
• But it is a convenient name
• External services
• Some scalability
• E.g. ESR, NHSmail
• Public vs Private
• Scale up/down
• Micro charging
Definitions
Cyber
cloud
Cloud
4. • A non-departmental public body, an Arm’s Length Body of
the Department of Health, part of the NHS Constitution
• Improving outcomes for patients, modernising
• Support and allocate resources to CCGs
• Direct commissioning services
Background to NHS England
5. • Built on open principles & the premise of minimal patient
data
• Starting up as public Cloud was really taking off
• Considerable cloud use from the start
• “Infrastructure Free”
• Required to adopt existing solutions
• 3,500 people, 33 offices
► 7,000–8,000 people, 51 offices
• Contact Centre
• Highly sensitive information
• 10-12 thousand contacts a month
• Dynamics Online – Ministerial Sign-off
Building a New Organisation
6. • Cost
• Flexibility, mobility
• Speed to delivery
• Evergreen
Why the Cloud?
• Centralised
• Difficult to steer
IT Dictates
• Expensive to change
• Slow to change
SI does the heavy lifting
• Improve agility
• Lower Costs
• Knowledge gap
Business Leads
7. • The Threats
• DDOS
• Ransomware
• Phishing
• Malvertising
• Lots of little attacks accumulate data
• Sensitive data "has" to be in England!, "You
can't offshore", "You can't put that in the cloud!"
• Convincing the naysayers: Asking why,
assessing the actual risk not the assumed risk
• Getting people to own the risk and
management
• Is your (supplier's) datacentre more secure than a global
scale specialist?
Security
8. • Moving away from centralised compliance to risk
management
• Simplify the message so non-security specialists
understand it
• Greater alignment to commercial offerings
• Security becomes proportional to the risk
• No more “Computer says no”
Agile Security
9. • The landscape has changed
• Working outside the security boundary
• Shifting boundaries
• Untrusted environments - do you want this?
• Checking the location of Cloud data
• Not everything is where you think it is
• Check where support is located
• Eyes on
• The need to review reports
• Audit, DLP, "Secure Score"
• Security Information & Event Management (SIEM)
• Identity Management & SSO
• Integrated on-prem SSO requires authentication channels
from the Internet (unless using ExpressRoute or VPN)
• Two-Factor Authentication
Security: Some Challenges
10. • Sort the governance early
• Understand the risks
• Get sign-off early
• Simplify and clarify – data classifications
• Shadow IT is a growing reality – how to deal with it?
• We are actively pushing IT out to the business – but less
strict controls mean more governance required.
Governing the Cloud?
11. • Many people actually hate change – though they claim they
want it
• Overlapping services are confusing
• Communicate - evangelise – encourage
• Use the language of the business
• The "evergreen" problem
• Apps only supported to n-1
• Ongoing need for comms
• Taking responsibility not just taking "training"
• Lots of short videos are good
• Shifting staff skills
Engagement
12. • Overlapping services
• Shifting network requirements
• The "evergreen" problem
• Apps only supported to n-1
• Ongoing need for comms - evangelise - encourage
• Taking responsibility not just taking "training"
• Test environments
• Shifting staff skills
• Cost creep
• Backup/Archive
• O365 is BIG! Take care with deployment projects
• Clear down and tidy AD first
• Migration
Other Lessons
13. Quote from Land Registry
“Office 365 isn’t a project, it’s
a way of life. You will forever
be tweaking and changing
things, along with rolling out,
restricting and managing new
features”
14. • Cloud offers genuine savings and flexibility
• Governance is achievable – politics not technology
• Security is there but people need convincing and processes
need amending
• The pace is fast! Get ready to run.
• The journey continues – desktop is next
Recap
15. • Future Networks
• Cloud Managed Identities & SSO
• Cloud Managed Desktops
• Unified Comms
• More Azure
Roadmap for NHS England
Cyber
It’s just security!
A new name for an old problem
But some new challenges too
But it is a convenient name
Helps others get a handle on it, makes it a more tangible target
cloud (small c)
External services
Not in our (or SI’s) data centre
Some scalability
Perhaps up more than down, maybe some limits
E.g. ESR, NHSmail, O365
Cloud (big C)
Public vs Private
Can be either, public increasingly common as security and confidence improves
Scale up/down
Instantly
Micro charging
Turn on/off instantly. Pay for what's on, when it's on.
Like a BANK (reusing money)
ALB + NHS = Part of 2 worlds.
Central Government financial controls
Initial cloud use: ESR, NHSmail, PDR, Expenses, Office 365, Corestream, Kontiki
(cloud with a small c)
Not much legacy, little to no migration
Timeline of change
Early days IT was magic and needed lots of magicians.
Businesses wanted focus, magicians moved to specialist “temples”
Now IT is a commodity, business users know and can do more themselves
Gaps: Cyber, Operations, Control/Governance
Cost:
reducing costs (no capital investment in data centres full of expensive kit),
ability to scale up/down instantly,
increased agility (reducing time to deliver/change)
Some Potential Cost Issues
Highlights are often amazingly cheap compared to on-prem (but not always)
Not always obvious - get the right license, watch out for required extras
The highlight cost not always the true cost
Don't forget the addons & the tools
Watch out for the shift from capital to revenue
Control Mission Creep
“Slack was the fastest growing cloud app amongst Okta customers in the second half of 2015, with a 77 percent increase in adoption.” - https://www.okta.com/Businesses-At-Work/2016-03/
The Threats
Combat Cloud DDOS with tested, safe DNS configurations and maybe direct WAN links
Combat Ransomware with Versioned, Offline backups.
Combat Phishing with education.
Your data IS interesting! And valuable. Lots of bits of data make up a big picture.
Low value targets pave the way to jump to high-value targets.
Say No?
No! Security is about ensuring the organisation safely delivers, not about blocking access or blindly following the “rules”
Dig under the skin of assumptions – e.g. patient data has to be in England.
Understanding and managing the risks
DC vs Cloud Security
Does Cloud service security being better than a DC mean it will never fail? No, no more so than a self-driving car, but they are safer.
1. Information Security Policy (It's important to have an overarching policy which basically covers all bases at a high level)
2. Incident Response (No one can guarantee 100% security)
3. Access Control (Don't forget 3rd Party Access)
4. Vulnerability Management (In particular Patch Management)
5. Information handling & retention policy (This works if you are confident of your data classification)
6. Acceptable Use Policy (Covers things that 5 misses)
From <cisp>
Almost half of NHS Trusts make no attempt to monitor cloud app usage, according to the results of a Freedom of Information request.
From <http://www.theregister.co.uk/2016/09/30/nhs_cloud_app_security/>
A new book by Luis Ayala, "Cybersecurity for Hospitals and Healthcare Facilities", provides an ideal resource for hospital managers and administrators wishing to come up to date with the types of attack hospitals are likely to face. In fact, Ayala found over 170 possible attack vectors, condensing them into the main points in this concise and informative book:
1. Hacker Reconnaissance of Hospital Networks.
2. How Hackers Gain Access to Healthcare Facilities.
3. Active Medical Device Cyber Attacks.
4. Cyber-Physical Attacks.
5. Hospital Insider Threat.
6. Detection of Cyber Attacks.
7. Preventing Cyber Attacks.
8. Cyber Attack Response and Recovery Planning.
Cyber Attack Response Procedures Template.
http://www.apress.com/9781484221549?gtmf=s
Moving away from centralised compliance to risk management
Simplify the message so non-security specialists understand it
Less domain specific – no more NHS-only terminology
Greater alignment to commercial offerings
Get rid of bespoke, no more “but we’re special” thinking
Security becomes proportional to the risk
Not one-size-fits-all
Centralised Compliance vs Principles based Risk Management
Sort the governance early
Data sovereignty, Data classifications. SIRO sign-off
Understand the risks
Get sign-off early
Simplify and clarify – data classifications
Shadow IT is a growing reality – how to deal with it?
Many people actually hate change – though they claim they want it
Fear, restricted understanding
Overlapping services can be confusing
Too many options. Need to simplify the message.
Pick & choose areas of focus, build in layers.
Communicate - evangelise – encourage
constantly – IT not always good at this – get the help of others
Not everyone listens to IT
Use the language of the business
The key to communications, especially at higher levels
Especially challenging to “magicians”
The "evergreen" problem
Constant change
Apps only supported to n-1
Especially hard in mixed environments
Ongoing need for comms
Taking responsibility not just taking "training"
Business users have to take responsibility along with innovation
Lots of short videos are good
Easy way to consume, not difficult to produce (though takes practice & some confidence)
Shifting staff skills
You WON'T have all the skills
You WILL have to lose some people – not redundant, more changed
From a lessons learnt document shared via Crown Technology Services
Future Networks
More agile, lower latency, private connections to public clouds
Sharing infrastructure
Cloud Managed Identities & SSO
Cloud Managed Desktops
The next BIG change!
Tremendous opportunities for agility and further cost controls
Unified Comms
Simplify, reduce friction
Lower costs by further eliminating travel
More Azure
Or other cloud platforms!