Key considerations for migrating to AWS
The cloud policy statement
When you begin your journey to the cloud, your leadership team must agree on a cloud policy statement. Your cloud policy statement defines the objectives of your migration to the cloud and your high-level methodology.
The following examples demonstrate successful UK public sector cloud policies. NHS Trust leadership should seek to emulate the simplicity and clarity of these policies, both in terms of their objectives and how they measure success. Their alignment with the “ground-level” needs of departments and citizens, and the strategic direction of government, means that they have gained sufficient buy-in from all stakeholders.
Cloud policy example: DHSC Public Cloud First policy
In October 2018, the Department for Health and Social Care (DHSC) published the policy paper The future of healthcare: our vision for digital, data and technology in health and care.
The stated objectives of this cloud policy statement are:
- We get the resilience and backups of some of the most cyber-aware and heavily invested companies in the world.
- We can run and grow projects that work with infinite amounts of data or have unpredictable processing needs.
- We can share data to increase security, where only those with appropriate access are able to access the data that they need.
- Commodity services (like word processing) we use are continually upgraded and improved without massive migration projects.
This policy is successful because of the clear strategic objectives, scope, and success criteria. The policy aligns with other important healthcare policies, such as NHS Digital’s guidance on the use of public cloud services.
Cloud policy example: GDS Cloud First
Another example of successful cloud policy is the Government Digital Service’s (GDS) Cloud First policy:
- Consider cloud solutions before alternatives – Non-cloud technologies may be considered but must demonstrably offer better value for money.
- Public cloud first – Public cloud should be favoured over other cloud deployment models, such as community, hybrid, or private cloud.
More recently, GDS has evolved their Cloud First policy into a Cloud Native policy, with more outcome-based objectives. This change happened because of the success of the Cloud First policy in driving cloud adoption, and it now aims to encourage departments to meet business needs entirely in the cloud.
Total cost of ownership
A key advantage of migrating to the AWS Cloud is reduced cost. In order to effectively set targets for successful adoption, NHS Trust leadership should estimate the total cost of ownership (TCO) of their current IT estate, relative to their prospective AWS Cloud estate.
AWS helps reduce cost by reducing the need to invest in large capital expenditures. Instead, the pay-as-you-go model empowers you to invest in the capacity you need, and use it only when the business requires it.
The AWS Pricing Calculator
Cloud compliance
Compliance with relevant security standards is vital to cloud adoption. AWS is compliant with a series of UK, EU, and global data protection standards, including:
- International Organization for Standardization (ISO) 27001, 27017, 27018, 9001
- Cyber Essentials Plus
- General Data Protection Regulation (GDPR)/Data Protection Act 2018
- National Cyber Security Centre (NCSC) Cloud Security Principles
For a more complete list with the full range of AWS compliant security features and standards, visit AWS Compliance Programs.
NHS Trusts looking to use the AWS Cloud may do so either by using services over the public internet or, if desired, the secure Health and Social Care Network (HSCN). In line with the Internet First policy
If NHS Trusts have an overriding need to access AWS Cloud services through HSCN, they can do so. AWS is connected to HSCN through several partner organisations.
Engage the APN to help manage security
APN Partners enrolled in the APN Healthcare Competency Program
NHS Trusts may choose to outsource some of their responsibility to an APN Partner. They may choose to use an APN Technology Partner’s application, or perhaps engage an AWS Partner to manage their security. AWS and its partners offer hundreds of services and features to help organisations meet their security objectives for visibility, auditability, control, and agility.
Alternatively, you may want to insource some or all management of security in the cloud. To support you in this, AWS has published literature, such as the Using AWS in the Context of NHS Cloud Security Guidance whitepaper, to provide information on selection and implementation of security controls for AWS Cloud services in the healthcare sector. This guidance closely follows the NCSC’s 14 Cyber Security Principles, with specific guidance on how NHS Trusts can implement and maintain them.
Security benefits of using AWS
AWS designed its virtual global infrastructure:
- Keeping data safe – The AWS infrastructure puts strong safeguards in place to help protect your privacy. All data is stored in highly secure AWS data centres.
- Meeting compliance requirements – AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
- Saving money – Cut costs by using AWS data centres. Maintain the highest standard of security without having to manage your own facility.
- Scaling quickly – Security scales with your AWS Cloud usage. No matter the size of your organisation, the AWS infrastructure is designed to keep your data safe.
The AWS security approach also delivers the following advantages, opportunities, and best practices:
- Scale and innovate, while maintaining a secure environment and paying only for the services used.
- Inherit AWS policies, architecture, and operational processes built to satisfy the requirements of the most security-sensitive customers.
- Harness the AWS shared responsibility model, within which customers retain control of the security they choose to implement to protect their content, platform, applications, systems, and networks.
- Read guidance and expertise through online resources, personnel, and APN Partners.
- Access advisories for current issues, and work with AWS when you encounter security issues.
- Access hundreds of security-specific tools and features to help meet security objectives across network security, configuration management, access control, and data encryption.
- Benefit from nearly continuous audits, with certifications from accreditation bodies across geographies and verticals.
- Access automated tools for asset inventory and privileged access reporting.
Benefits of AWS security over on-premises security
Lower cost and higher efficiency are two of the most obvious benefits of using the cloud, as opposed to building and running a physical data centre. Customers can also obtain greater security in the cloud than is available in traditional data centres. Other security benefits include:
- Scale securely with superior visibility and control – With AWS, customers control where their data is stored, who can access it, and what resources their organisation is consuming at any given moment. Fine-grained identity and access controls combined with nearly continuous monitoring for near real-time security information ensures that the right resources have the right access at all times.
- Automate and reduce risk with deeply integrated services – Automating security tasks on AWS allows customers to be more secure by reducing human configuration errors and giving security and IT teams more time to focus on other business-critical work. AWS offers integrated solutions that can be combined to automate tasks, making it easier for security teams to work closely with developer and operations teams to create and deploy code faster and more securely.
- Build with the highest standards for privacy and data security – AWS is vigilant about customer privacy. With AWS, customers always own their data—including the ability to encrypt it, move it, and manage retention. All data flowing across the AWS global network that interconnects its data centres and Regions is automatically encrypted at the physical layer before it leaves AWS secured facilities. Additional encryption layers exist as well (for example, all virtual private cloud (VPC) cross-Region peering traffic and customer or service-to-service Transport Layer Security (TLS) connections).
- Choose from skilled security partners – Customers can use security technology and consulting services from familiar solution providers. AWS has carefully selected providers with deep expertise and proven success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.
- Inherit the most comprehensive security and compliance controls – To aid customers’ compliance efforts, AWS regularly achieves third-party validation for thousands of global compliance requirements for finance, retail, healthcare, government, and more.
- Achieve instant visibility into inventory – The first step in securing assets is knowing what those assets are. With AWS, customers no longer have to guess what their IT inventory is. With tools like AWS Config and resource tagging, customers can always tell exactly what cloud assets they are using at any moment and easily label each asset for tracking purposes.
- Access free security tools – Many AWS security features and services are free, like individual firewalls (security groups) for Amazon Elastic Compute Cloud (Amazon EC2) instances, security logging with AWS CloudTrail, private subnets with Amazon Virtual Private Cloud (Amazon VPC), and user access control with AWS Identity and Access Management (IAM). For a more comprehensive list, visit AWS Cloud Security.
- Independent Regions provide data privacy compliance – With AWS data centres located in geographical Regions across the world, customers can choose the area that meets their data privacy requirements. AWS will not move or replicate customer content outside of their chosen AWS Regions without their agreement, except as necessary to comply with the law or a binding order of a governmental body.
- Harness Distributed Denial of Service (DDoS) protection – All AWS customers benefit from the automatic protections of AWS Shield Standard, which defends against most common, frequently occurring network and transport layer DDoS attacks that target websites and applications. This is offered on all AWS Cloud services and in every AWS Region at no additional cost.
- Reduce or remove the need for duplicate data centres – With features like AWS Auto Scaling and Elastic Load Balancing, customers can ensure that their production systems remain online and that traffic is routed to healthy instances. Customers can continuously replicate data and have it ready to bring online if primary nodes fail, only paying for the nodes used.
- Benefit from continuous hardware replacement and upgrades – AWS is always improving its infrastructure. AWS replaces end-of-life hardware with the latest processors that not only improve performance and speed but also include the latest secure platform technology, like the Intel Advanced Encryption Standard New Instructions (AES-NI) encryption instruction set, which significantly speeds up the running of the AES algorithm.
- Share the responsibility for compliance – Because AWS has already received many certifications for its infrastructure, part of customers’ compliance work has already been done. For a current list of the certifications that AWS has received, refer to the AWS Compliance website.
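The inventory and free-tooling points above (resource tagging for asset visibility, and security groups as per-instance firewalls) are the two checks a Trust's security team would most often want to run on its own account. The following script is an added example, not code from this whitepaper or from AWS: it audits constructed inventory data offline. The dictionaries mirror the shape of the boto3 describe_instances and describe_security_groups responses (Reservations/Instances/Tags and SecurityGroups/IpPermissions), and the required tag keys and administrative port list are assumptions a Trust would replace with its own policy. A live run would feed the real API responses in place of the constructed data.

```python
"""
Offline audit of EC2 inventory tags and security-group exposure.

Added example, not code from the whitepaper. The input dictionaries are
constructed to match the shape of boto3's describe_instances and
describe_security_groups responses; substitute the live responses to
run this against a real account.
"""

# Tag keys a Trust might require on every instance (assumed policy).
REQUIRED_TAGS = ("Owner", "Environment", "DataClassification")

# Administrative ports that should never be reachable from the whole internet
# (assumed list: SSH, RDP, MySQL, PostgreSQL).
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Constructed sample: one fully tagged instance, one partly tagged, one untagged.
CONSTRUCTED_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "Tags": [
                {"Key": "Owner", "Value": "pathology"},
                {"Key": "Environment", "Value": "prod"},
                {"Key": "DataClassification", "Value": "patient"}]},
            {"InstanceId": "i-0bbb222", "Tags": [
                {"Key": "Owner", "Value": "radiology"}]},
            {"InstanceId": "i-0ccc333"},   # no Tags key at all
        ]}
    ]
}

# Constructed sample: HTTPS open to the world (acceptable), SSH open to the
# world (flag), and a database group that is fine on IPv4 but allows all
# traffic from any IPv6 source (flag).
CONSTRUCTED_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}


def missing_tags(describe_instances_response, required=REQUIRED_TAGS):
    """Return {instance_id: [missing tag keys]} for instances not fully tagged."""
    findings = {}
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            present = {t["Key"] for t in inst.get("Tags", [])}
            missing = [k for k in required if k not in present]
            if missing:
                findings[inst["InstanceId"]] = missing
    return findings


def _is_world(rule):
    """True when an ingress rule admits any IPv4 or any IPv6 source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _covers_admin_port(rule):
    """True when the rule's port range (or 'all traffic') includes an admin port."""
    if rule.get("IpProtocol") == "-1":      # -1 means every protocol and port
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def world_open_admin(describe_sgs_response):
    """Return sorted group IDs with an admin port reachable from 0.0.0.0/0 or ::/0."""
    flagged = set()
    for sg in describe_sgs_response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if _is_world(rule) and _covers_admin_port(rule):
                flagged.add(sg["GroupId"])
    return sorted(flagged)


if __name__ == "__main__":
    print("instances missing required tags:", missing_tags(CONSTRUCTED_INSTANCES))
    print("groups with admin ports open to the world:",
          world_open_admin(CONSTRUCTED_SECURITY_GROUPS))
```

The IPv6 and "all traffic" (IpProtocol "-1") cases are included deliberately: a check that only looks for 0.0.0.0/0 on port 22 misses both, and they are the forms most often overlooked when a security group is reviewed by eye. The same two functions can be pointed at AWS Config's recorded configuration items instead of the EC2 API, since Config stores the same Tags and IpPermissions structures.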
AWS Compliance Programs
The IT standards AWS complies with are broken out by Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations, and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.
For more information, refer to the comprehensive AWS Compliance Programs.
NHS Trusts and NHS Trust leadership can refer to Using AWS in the Context of NHS Cloud Security Guidance as the first point of enquiry for additional information on how to implement AWS Cloud services in alignment with the NCSC guidance, and NHS guidance on the secure use of hyperscale cloud services.
New cloud computing skills
AWS Training
Career and incentive management
Cloud adoption introduces changes to NHS Trusts’ IT staff career paths. This requires HR managers and people managers to update career management skills and processes, so that they can ensure that their team members understand their new roles and career options.
Incentive management is key to attracting and retaining employees. Consider incentives as part of cloud adoption work streams. Your organisation’s culture and ability to provide an environment for attracting and retaining talent plays a key role in successful adoption. Teams need to develop new skills to manage culture and new processes for talent management.