Security and Governance in the Cloud: NHS England’s use of technology, 2016-11-18


Sky News, Wednesday 16th November 2016

A Sky News investigation has discovered the NHS trusts putting patients at risk by not protecting their data online. Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015.

Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers.

Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts' emails and passwords, through public searches.

Definitions

Cyber
• It’s just security!
• But it is a convenient name

cloud
• External services
• Some scalability
• E.g. ESR, NHSmail

Cloud
• Public vs Private
• Scale up/down
• Micro charging

Background to NHS England
• A non-departmental public body, an Arm’s Length Body of the Department of Health, part of the NHS Constitution
• Improving outcomes for patients, modernising
• Support and allocate resources to CCGs
• Direct commissioning services

Building a New Organisation
• Built on open principles & the premise of minimal patient data
• Starting up as public Cloud was really taking off
• Considerable cloud use from the start
• “Infrastructure Free”
• Required to adopt existing solutions
• 3,500 people, 33 offices ► 7,000–8,000 people, 51 offices
• Contact Centre
  • Highly sensitive information
  • 10-12 thousand contacts a month
  • Dynamics Online – Ministerial Sign-off

Why the Cloud?
• Cost
• Flexibility, mobility
• Speed to delivery
• Evergreen

IT Dictates
• Centralised
• Difficult to steer

SI does the heavy lifting
• Expensive to change
• Slow to change

Business Leads
• Improve agility
• Lower Costs
• Knowledge gap

Security
• The Threats: DDOS, Ransomware, Phishing, Malvertising
• Lots of little attacks accumulate data
• Sensitive data "has" to be in England!, "You can't offshore", "You can't put that in the cloud!"
• Convincing the naysayers: asking why, assessing the actual risk not the assumed risk
• Getting people to own the risk and its management
• Is your (supplier's) datacentre more secure than a global-scale specialist?

Agile Security
• Moving away from centralised compliance to risk management
• Simplify the message so non-security specialists understand it
• Greater alignment to commercial offerings
• Security becomes proportional to the risk
• No more “Computer says no”

Security: Some Challenges
• The landscape has changed
• Working outside the security boundary
• Shifting boundaries
• Untrusted environments - do you want this?
• Checking the location of Cloud data
  • Not everything is where you think it is
  • Check where support is located
• Eyes on
  • The need to review reports
  • Audit, DLP, “Secure Score”
  • Security Information & Event Management (SIEM)
• Identity Management & SSO
  • Integrated on-prem SSO requires authentication channels from the Internet (unless using ExpressRoute or VPN)
  • Two-Factor Authentication

Governing the Cloud?
• Sort the governance early
• Understand the risks
• Get sign-off early
• Simplify and clarify – data classifications
• Shadow IT is a growing reality – how to deal with it?
• We are actively pushing IT out to the business – but less strict controls mean more governance required.

Engagement
• Many people actually hate change – though they claim they want it
• Overlapping services are confusing
• Communicate - evangelise – encourage
• Use the language of the business
• The "evergreen" problem
  • Apps only supported to n-1
  • Ongoing need for comms
  • Taking responsibility not just taking "training"
  • Lots of short videos are good
• Shifting staff skills

Other Lessons
• Overlapping services
• Shifting network requirements
• The "evergreen" problem
  • Apps only supported to n-1
  • Ongoing need for comms - evangelise - encourage
  • Taking responsibility not just taking "training"
• Test environments
• Shifting staff skills
• Cost creep
• Backup/Archive
• O365 is BIG! Take care with deployment projects
• Clear down and tidy AD first
• Migration

Quote from Land Registry

“Office 365 isn’t a project, it’s a way of life. You will forever be tweaking and changing things, along with rolling out, restricting and managing new features”

Recap
• Cloud offers genuine savings and flexibility
• Governance is achievable – politics not technology
• Security is there but people need convincing and processes need amending
• The pace is fast! Get ready to run.
• The journey continues – desktop is next

Roadmap for NHS England
• Future Networks
• Cloud Managed Identities & SSO
• Cloud Managed Desktops
• Unified Comms
• More Azure

Julian Knight, Head of Corporate ICT Technology & Security
Transformation & Corporate Operations, NHS England

Email: **************
LinkedIn: julianknight2
Twitter: @knightnet