
Security



Within NHS and healthcare organisations, security is a component of any IT deployment, and the cloud introduces unique security concerns. Many business areas within healthcare are subject to regulatory requirements that make protecting sensitive data a major organisational priority when considering a cloud transformation. Identifying potential security threats to your cloud environment and establishing processes and procedures for addressing these threats should be a priority for any IT security or cybersecurity team.


Asset classification 

All deployed assets must be categorised by criticality and data classification. Classifications must be reviewed by the cloud governance team and the application owner before deployment to the cloud.


Data encryption

All data must be encrypted when at rest and in transit.


Networks 

Network subnets containing protected data must be isolated from any other subnets. Network traffic between protected data subnets is to be audited regularly.


External access 

No subnet containing protected data can be directly accessed over the public internet or across data centres. All access into those subnets must come through a firewall solution capable of performing packet scanning and blocking functions.


DDoS protection 

Deploy automated DDoS mitigation mechanisms to all publicly accessible network endpoints. No public-facing website backed by IaaS should be exposed to the internet without DDoS protection.


On-premises connectivity

All connections between the on-premises and cloud networks must take place either through a secure encrypted VPN connection or a dedicated private link.


Network monitoring

Governance tooling must audit and enforce network configuration requirements defined by the security baseline team.


Security reviews 

Trends and potential exploits that could affect cloud deployments should be reviewed regularly by the security team to provide updates to governance teams, and the DPIA should be updated when required.

Last edited: 11 July 2023 2:11 pm