Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (12)
Similaire à Security and governance in the cloud
Similaire à Security and governance in the cloud (20)
Dernier
Dernier (20)
Security and governance in the cloud
- 1. Security and Governance in the Cloud NHS England’s use of technology 2016-11-18
- 2. Sky News, Wednesday 16th November 2016 A Sky News investigation has discovered the NHS trusts putting patients at risk by not protecting their data online. Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015. Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers. Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts' emails and passwords, through public searches.
- 3. • It’s just security! • But it is a convenient name • External services • Some scalability • E.g. ESR, NHSmail • Public vs Private • Scale up/down • Micro charging Definitions Cyber cloud Cloud
- 4. • A non-departmental public body, an Arm’s Length Body of the Department of Health, part of the NHS Constitution • Improving outcomes for patients, modernising • Support and allocate resources to CCG’s • Direct commissioning services Background to NHS England
- 5. • Built on open principles & the premise of minimal patient data • Starting up as public Cloud was really taking off • Considerable cloud use from the start • “Infrastructure Free” • Required to adopt existing solutions • 3,500 people, 33 offices ► 7,000–8,000 people, 51 offices • Contact Centre • Highly sensitive information • 10-12 thousand contacts a month • Dynamics Online – Ministerial Sign-off Building a New Organisation
- 6. • Cost • Flexibility, mobility • Speed to delivery • Evergreen Why the Cloud? • Centralised • Difficult to steer IT Dictates • Expensive to change • Slow to change SI does the heavy lifting • Improve agility • Lower Costs • Knowledge gap Business Leads
- 7. • The Threats • DDOS • Ransomware • Phishing • Malvertising • Lots of little attacks accumulate data • Sensitive data "has" to be in England!, "You can't offshore", "You can't put that in the cloud!" • Convincing the naysayers: Asking why, assessing the actual risk not the assumed risk • Getting people to own the risk and management • Is your (suppliers) datacentre more secure than a global scale specialist? Security
- 8. • Moving away from centralised compliance to risk management • Simplify the message so non-security specialists understand it • Greater alignment to commercial offerings • Security becomes proportional to the risk • No more “Computer says no” Agile Security
- 9. • The landscape has changed • Working outside the security boundary • Shifting boundaries • Untrusted environments - do you want this? • Checking the location of Cloud data • Not everything is where you think it is • Check where support is located • Eyes on • The need to review reports • Audit, DLP, "Secure Score“ • Security Information & Event Management (SIEM) • Identity Management & SSO • Integrated on-prem SSO requires authentication channels from the Internet (unless using ExpressRoute or VPN) • Two-Factor Authentication Security: Some Challenges
- 10. • Sort the governance early • Understand the risks • Get sign-off early • Simplify and clarify – data classifications • Shadow IT is a growing reality – how to deal with it? • We are actively pushing IT out to the business – but less strict controls mean more governance required. Governing the Cloud?
- 11. • Many people actually hate change – though they claim they want it • Overlapping services are confusing • Communicate - evangelise – encourage • Use the language of the business • The "evergreen" problem • Apps only supported to n-1 • Ongoing need for comms • Taking responsibility not just taking "training“ • Lots of short videos are good • Shifting staff skills Engagement
- 12. • Overlapping services • Shifting network requirements • The "evergreen" problem • Apps only supported to n-1 • Ongoing need for comms - evangelise - encourage • Taking responsibility not just taking "training" • Test environments • Shifting staff skills • Cost creep • Backup/Archive • O365 is BIG! Take care with deployment projects • Clear down and tidy AD first • Migration Other Lessons
- 13. Quote from Land Registry “Office 365 isn’t a project, it’s a way of life. You will forever be tweaking and changing things, along with rolling out, restricting and managing new features”
- 14. • Cloud offers genuine savings and flexibility • Governance is achievable – politics not technology • Security is there but people need convincing and processes need amending • The pace is fast! Get ready to run. • The journey continues – desktop is next Recap
- 15. • Future Networks • Cloud Managed Identities & SSO • Cloud Managed Desktops • Unified Comms • More Azure Roadmap for NHS England
- 16. Email: ************** LinkedIn: julianknight2 Twitter: @knightnet Julian Knight Head of Corporate ICT Technology & Security Transformation & Corporate Operations NHS England
Notes de l'éditeur
- Cyber It’s just security! A new name for an old problem But some new challenges too But it is a convenient name Helps others get a handle on it, makes it a more tangible target cloud (small c) External services Not in our (or SI’s) data centre Some scalability Perhaps up more than down, maybe some limits E.g. ESR, NHSmail, O365 Cloud (big C) Public vs Private Can be either, public increasingly common as security and confidence improves Scale up/down Instantly Micro charging Turn on/off instantly. Pay for whats on, when its on. Like a BANK (reusing money)
- ALB + NHS = Part of 2 worlds. Central Government financial controls
- Initial cloud use: ESR, NHSmail, PDR, Expenses, Office 365, Corestream, Kontiki (cloud with a small c) Not much legacy, little to no migration
- Timeline of change Early days IT was magic and needed lots of magicians. Businesses wanted focus, magicians moved to specialist “temples” Now IT is a commodity, business users know and can do more themselves Gaps: Cyber, Operations, Control/Governance Cost: reducing costs (no capital investment in data centres full of expensive kit), ability to scale up/down instantly, increased agility (reducing time to deliver/change) Some Potential Cost Issues Highlights are often amazingly cheap compared to on-prem (but not always) Not always obvious - get the right license, watch out for required extras The highlight cost not always the true cost Don't forget the addons & the tools Watch out for the shift from capital to revenue Control Mission Creep “Slack was the fastest growing cloud app amongst Okta customers in the second half of 2015, with a 77 percent increase in adoption.” - https://www.okta.com/Businesses-At-Work/2016-03/
- The Threats Combat Cloud DDOS with tested, safe DNS configurations and maybe direct WAN links Combat Ransomware with Versioned, Offline backups. Combat Phishing with education. Your data IS interesting! And valuable. Lots of bits of data make up a big picture. Low value targets pave the way to jump to high-value targets. Say No? No! Security is about ensuring the organisation safely delivers, not about blocking access or blindly following the “rules” Dig under the skin of assumptions – e.g. patient data has to be in England. Understanding and managing the risks DC vs Cloud Security Does Cloud service security being better than a DC mean it will never fail? No, no more so than a self-driving car, but they are safer. Information Security Policy (It's important to have an overarching policy which basically covers all bases at a high level) Incident Response (No one can guarantee 100% security) Access Control (Don't forget 3rd Party Access) Vulnerability Management (In particular Patch Management) Information handling & retention policy (This works if you are confident of you data classification ) Acceptable Use Policy (Covers things that 5 misses) From <cisp> Almost half of NHS Trusts make no attempt to monitor cloud app usage, according to the results of a Freedom of Information request. From <http://www.theregister.co.uk/2016/09/30/nhs_cloud_app_security/> A new book by Luis Ayala "Cybersecurity for Hospitals and Healthcare Facilities" provides an ideal resource for hospital managers and administrators. Wishing to come up to date with the types of attack hospitals are likely to face. In fact Ayala found over 170 possible attack vectors. Condensing them into the main point in this concise and informative book : 1. Hacker Reconnaissance of Hospital Networks. 2. How Hackers Gain Access to Healthcare Facilities. 3. Active Medical Device Cyber Attacks. 4. Cyber-Physical Attacks. 5. Hospital Insider Threat. 6. Detection of Cyber Attacks. 7. Preventing Cyber Attacks. 8. Cyber Attack Response and recovery Planning. Cyber Attack Response Procedures Template. http://www.apress.com/9781484221549?gtmf=s
- Moving away from centralised compliance to risk management Simplify the message so non-security specialists understand it Less domain specific – no more NHS-only terminology Greater alignment to commercial offerings Get rid of bespoke, no more “but we’re special” thinking Security becomes proportional to the risk Not one-size-fits-all
- Centralised Compliance vs Principles based Risk Management
- Sort the governance early Data sovereignty, Data classifications. SIRO sign-off Understand the risks Get sign-off early Simplify and clarify – data classifications Shadow IT is a growing reality – how to deal with it?
- Many people actually hate change – though they claim they want it Fear, restricted understanding Overlapping services can be are confusing Too many options. Need to simplify the message. Pick & choose areas of focus, build in layers. Communicate - evangelise – encourage constantly – IT not always good at this – get the help of others Not everyone listens to IT Use the language of the business The key to communications, especially at higher levels Especially challenging to “magicians” The "evergreen" problem Constant change Apps only supported to n-1 Especially hard in mixed environments Ongoing need for comms Taking responsibility not just taking "training“ Business users have to take responsibility along with innovation Lots of short videos are good Easy way to consume, not difficult to produce (though takes practice & some confidence) Shifting staff skills You WONT have all the skills You WILL have to lose some people – not redundant, more changed
- From a lessons learnt document shared via Crown Technology Services
- Future Networks More agile, lower latency, private connections to public clouds Sharing infrastructure Cloud Managed Identities & SSO Cloud Managed Desktops The next BIG change! Tremendous opportunities for agility and further cost controls Unified Comms Simplify, reduce friction Lower costs by further eliminating travel More Azure Or other cloud platforms!