Cloud storage and data guidance

Cloud storage is purchased from a third-party cloud vendor who owns and operates data storage capacity and delivers it over the Internet in a pay-as-you-go model. These cloud storage vendors manage capacity, security, and durability to make data accessible to your applications all around the world.

Applications access cloud storage through traditional storage protocols or directly via an API. Many vendors offer complementary services designed to help collect, manage, secure and analyse data at a massive scale.

As the NHS takes advantage of cloud storage or uses storage attached to cloud computing servers it is the direction that all NHS data stored at rest remains within the UK, be encrypted at rest by using at minimum AES-256 encryption default and be securely encrypted in transit using TLS 1.2 as default.

Cloud provides have enabled the means to provide this encryption by default or can be requested to provide encrypted services when setting up storage accounts within their cloud storage services.

Some cloud services that may benefit the NHS are not always available within the cloud suppliers UK presence or may require additional resiliency. It is ok to use data processing services inside of Europe which is covered by GDPR legislation, but where possible the default should be using cloud services that are present within the UK.

This means that data still resides in the UK encrypted, but can be transferred securely encrypted using TLS 1.2 by default to the cloud provider presence in other European nations for that data to be processed securely and then any outcome of the data processing activity then transmitted back to the UK for the data to be stored.

All cloud workloads that want to transmit data outside of the UK for processing must undergo a Data Privacy Impact Assessment (DPIA) to understand what the impact would be if the innovation platform does leak or breach any form of data, Moreover, it is up to local or national IG teams and Senor Responsible Owners (SRO’s) to have final approval for proceeding with new innovation workloads.

As cloud providers have offerings to archive long-term data in cost-efficient and low impact services, it is good to have an automated data retention policy in place to move your data to more efficient, durable, and low-cost data stores. This will allow you to retain data for future use but also allow secure access to the data when required.

All data stored in a cloud data archive should also be encrypted at rest using AES-256 by default and be transmitted using TLS 1.3 encryption by default or at a minimal level of TLS 1.2

These cloud data archiving services can also be used for Hybrid IT Services to provide offsite backup functions to replace tape drives or digital preservation services such as, USB drives for long term storage and offers Encryption and audit functionality so data can be stored, monitored and accessed securely.