Key considerations for migrating to AWS - Guidance for NHS Trusts Adopting AWS Cloud Services

Key considerations for migrating to AWS

The cloud policy statement

When you begin your journey to the cloud, your leadership team must agree on a cloud policy statement. Your cloud policy statement defines the objectives of your migration to the cloud and your high-level methodology.

The following examples demonstrate successful UK public sector cloud policies. NHS Trust leadership should seek to emulate the simplicity and clarity of these policies, both in terms of their objectives and how they measure success. Their alignment with the “ground-level” needs of departments and citizens, and the strategic direction of government, means that they have gained sufficient buy-in from all stakeholders.

Cloud policy example: DHSC Public Cloud First policy

In October 2018, the Department for Health and Social Care (DHSC) published the policy paper The future of healthcare: our vision for digital, data and technology in health and care. This policy paper includes the DHSC Public Cloud First policy, which states, “… all our services should run in the public cloud with no more locally managed servers.”

The stated objectives of this cloud policy statement are:

  • We get the resilience and backups of some of the most cyber-aware and heavily invested companies in the world.

  • We can run and grow projects that work with infinite amounts of data or have unpredictable processing needs.

  • We can share data to increase security, where only those with appropriate access are able to access the data that they need.

  • Commodity services (like word processing) we use are continually upgraded and improved without massive migration projects.

This policy is successful because of the clear strategic objectives, scope, and success criteria. The policy aligns with other important healthcare policies, such as NHS Digital’s guidance on the use of public cloud services and the NHS Long Term Plan objectives, to increase productivity of NHS staff and deliver digitally enabled care, which has promoted stakeholder commitment to the policy.

Cloud policy example: GDS Cloud First

Another example of successful cloud policy is the Government Digital Service’s (GDS) Cloud First policy, which was introduced in 2013 for all technology investments. The policy was built around two pillars:

  • Consider cloud solutions before alternatives – Non-cloud technologies may be considered but must demonstrably offer better value for money.

  • Public cloud first – Public cloud should be favoured over other cloud deployment models, such as community, hybrid, or private cloud.

More recently, GDS has evolved their Cloud First policy into a Cloud Native policy, with more outcome-based objectives. This change happened because of the success of the Cloud First policy in driving cloud adoption, and it now aims to encourage departments to meet business needs entirely in the cloud.

Total cost of ownership

A key advantage of migrating to the AWS Cloud can be reduced cost, but the saving has to be measured rather than assumed. To set realistic targets for adoption, NHS Trust leadership should estimate the total cost of ownership (TCO) of their current IT estate and compare it with the TCO of their prospective AWS Cloud estate.

AWS helps reduce cost by reducing the need to invest in large capital expenditures. Instead, the pay-as-you-go model empowers you to invest in the capacity you need, and use it only when the business requires it.

The AWS Pricing Calculator lets you explore AWS services and create an estimate for the cost of your use cases on AWS. You can model your solutions before building them, explore the price points and calculations behind your estimate, and find the available instance types and contract terms that meet your needs. This enables you to make informed decisions about using AWS. You can plan your AWS costs and usage or price out setting up a new set of instances and services.

Cloud compliance

Compliance with relevant security standards is vital to cloud adoption. AWS infrastructure and services are certified against, attested to, or aligned with a range of UK, EU, and global security and data protection standards, including:

  • NHS Digital Data Security and Protection (DSP) Toolkit

  • International Organisation for Standardization (ISO) 27001, 27017, 27018, 9001

  • Cyber Essentials Plus

  • General Data Protection Regulation (GDPR)/Data Protection Act 2018

  • National Cyber Security Centre (NCSC) Cloud Security Principles

For the full list of certifications, attestations, and alignments, and of the AWS security features that support them, visit AWS Compliance Programs. Note that these apply to the AWS side of the shared responsibility model; a Trust's own workloads still have to be assessed against the same standards.

NHS Trusts looking to use the AWS Cloud may do so either by using services over the public internet or, if desired, the secure Health and Social Care Network (HSCN). In line with the Internet First policy, NHS Trusts need not constrain themselves to HSCN-only services.

If NHS Trusts have an overriding need to access AWS Cloud services through HSCN, they can do so. AWS is connected to HSCN through several partner organisations.

Engage the APN to help manage security

APN Partners enrolled in the APN Healthcare Competency Program and the AWS Security Competency Partners are well placed to help NHS Trusts achieve compliance with standards such as the NCSC's 14 Cloud Security Principles. They can supply technologies developed under DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems), deploy them in line with DCB0160 (Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems), and generally help you achieve your cloud security objectives.

NHS Trusts may choose to outsource some of the day-to-day work of security to an APN Partner. They may use an APN Technology Partner's application, or engage an AWS Partner to manage their security operations. AWS and its partners offer hundreds of services and features to help organisations meet their security objectives for visibility, auditability, control, and agility. Accountability cannot be outsourced, however: the Trust remains responsible for complying with the laws, regulations, and standards that apply to its data, whoever operates the controls.

Alternatively, you may want to insource some or all management of security in the cloud. To support you in this, AWS has published literature, such as the Using AWS in the Context of NHS Cloud Security Guidance whitepaper, to provide information on selection and implementation of security controls for AWS Cloud services in the healthcare sector. This guidance closely follows the NCSC's 14 Cloud Security Principles, with specific guidance on how NHS Trusts can implement and maintain them.

Security benefits of using AWS

AWS designed its global infrastructure to provide high availability while ensuring customer security, privacy, and segregation. With the AWS Cloud, AWS takes on the physical and infrastructure layers, which removes a whole class of security issues from the customer's remit. AWS data centres use electronic surveillance and multi-factor access control systems, and maintain strict, least-privilege access authorisation. In addition, AWS designed its environmental systems to minimise the impact of disruptions to operations, and its multiple geographic Regions and Availability Zones allow AWS customers to remain resilient in the face of most failure modes, including natural disasters or system failures. Some of the major benefits of AWS security include:

  • Keeping data safe – The AWS infrastructure puts strong safeguards in place to help protect your privacy. All data is stored in highly secure AWS data centres.

  • Meeting compliance requirements – AWS manages dozens of compliance programs for its infrastructure. This means that part of your compliance work (the infrastructure controls) has already been completed and evidenced; the controls you configure on top remain yours to assess.

  • Saving money – Cut costs by using AWS data centres. Maintain the highest standard of security without having to manage your own facility.

  • Scaling quickly – Security scales with your AWS Cloud usage. No matter the size of your organisation, the AWS infrastructure is designed to keep your data safe.

The AWS security approach also delivers the following advantages, opportunities, and best practices:

  • Scale and innovate, while maintaining a secure environment and paying only for the services used.

  • Inherit AWS policies, architecture, and operational processes built to satisfy the requirements of the most security-sensitive customers.

  • Work within the AWS shared responsibility model: AWS is responsible for security of the cloud (the underlying infrastructure and managed service internals), and customers remain responsible for security in the cloud, meaning the controls they choose to implement to protect their content, platform, applications, systems, and networks.

  • Read guidance and expertise through online resources, personnel, and APN Partners.

  • Access advisories for current issues, and work with AWS when you encounter security issues.

  • Access hundreds of security-specific tools and features to help meet security objectives across network security, configuration management, access control, and data encryption.

  • Benefit from nearly continuous audits, with certifications from accreditation bodies across geographies and verticals.

  • Access automated tools for asset inventory and privileged access reporting.

Benefits of AWS security over on-premises security

Lower cost and higher efficiency are two of the most obvious benefits of using the cloud, as opposed to building and running a physical data centre. Customers can also obtain greater security in the cloud than is available in traditional data centres. Other security benefits include:

  • Scale securely with superior visibility and control – With AWS, customers control where their data is stored, who can access it, and what resources their organisation is consuming at any given moment. Fine-grained identity and access controls, combined with near-continuous monitoring for near real-time security information, help ensure that the right resources have the right access at all times.

  • Automate and reduce risk with deeply integrated services – Automating security tasks on AWS allows customers to be more secure by reducing human configuration errors and giving security and IT teams more time to focus on other business-critical work. AWS offers integrated solutions that can be combined to automate tasks, making it easier for security teams to work closely with developer and operations teams to create and deploy code faster and more securely.

  • Build with the highest standards for privacy and data security – AWS is vigilant about customer privacy. With AWS, customers always own their data—including the ability to encrypt it, move it, and manage retention. All data flowing across the AWS global network that interconnects its data centres and Regions is automatically encrypted at the physical layer before it leaves AWS secured facilities. Additional encryption layers exist as well (for example, all virtual private cloud (VPC) cross-Region peering traffic and customer or service-to-service Transport Layer Security (TLS) connections).

  • Choose from skilled security partners – Customers can use security technology and consulting services from familiar solution providers. AWS has carefully selected providers with deep expertise and proven success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.

  • Inherit the most comprehensive security and compliance controls – To aid customers’ compliance efforts, AWS regularly achieves third-party validation for thousands of global compliance requirements for finance, retail, healthcare, government, and more.

  • Achieve instant visibility into inventory – The first step in securing assets is knowing what those assets are. With AWS, customers no longer have to guess what their IT inventory is. With tools like AWS Config and resource tagging, customers can always tell exactly what cloud assets they are using at any moment and easily label each asset for tracking purposes.

  • Access free security tools – Many AWS security features and services are free, like individual firewalls (security groups) for Amazon Elastic Compute Cloud (Amazon EC2) instances, security logging with AWS CloudTrail, private subnets with Amazon Virtual Private Cloud (Amazon VPC), and user access control with AWS Identity and Access Management (IAM). For a more comprehensive list, visit AWS Cloud Security.

  • Independent Regions provide data privacy compliance – With AWS data centres located in geographical Regions across the world, customers can choose the area that meets their data privacy requirements. AWS will not move or replicate customer content outside of their chosen AWS Regions without their agreement, except as necessary to comply with the law or a binding order of a governmental body.

  • Harness Distributed Denial of Service (DDoS) protection – All AWS customers benefit from the automatic protections of AWS Shield Standard, which defends against most common, frequently occurring network and transport layer DDoS attacks that target websites and applications. This is offered on all AWS Cloud services and in every AWS Region at no additional cost.

  • Reduce or remove the need for duplicate data centres – With features like AWS Auto Scaling and Elastic Load Balancing, customers can ensure that their production systems remain online and that traffic is routed to healthy instances. Customers can continuously replicate data and have it ready to bring online if primary nodes fail, only paying for the nodes used.

  • Benefit from continuous hardware replacement and upgrades – AWS is always improving its infrastructure. AWS replaces end-of-life hardware with the latest processors that not only improve performance and speed but also include the latest secure platform technology, like the Intel Advanced Encryption Standard New Instructions (AES-NI) encryption instruction set, which significantly speeds up the running of the AES algorithm.

  • Share the responsibility for compliance – Because AWS has already received many certifications for its infrastructure, part of customers’ compliance work has already been done. For a current list of the certifications that AWS has received, refer to the AWS Compliance website.
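As an added example (not code from this whitepaper, nor from AWS), the following Python script shows the kind of check that the CloudTrail logging, security group, and Region controls listed above make possible: it triages a constructed batch of CloudTrail records for console sign-ins without MFA, security group rules opened to the whole internet (0.0.0.0/0 or ::/0), and regional API activity outside an approved Region. The approved Region (eu-west-2, London), the user names, IP addresses, and resource identifiers are all assumptions made for the example; the record layout follows the real CloudTrail log-file format.

```python
"""Triage constructed AWS CloudTrail records for three conditions a Trust
would want to catch early: console sign-ins without MFA, security group
rules opened to the whole internet, and regional API activity outside the
approved Region. Every record below is constructed for this example."""
import json
from ipaddress import ip_network

# Assumption for this example: the Trust's approved data Region is London.
ALLOWED_REGIONS = {"eu-west-2"}
# Global services record their events with awsRegion us-east-1 regardless of
# where the caller sits, so they are exempt from the Region check.
GLOBAL_SERVICES = {"signin.amazonaws.com", "iam.amazonaws.com",
                   "sts.amazonaws.com", "cloudfront.amazonaws.com"}

# Constructed CloudTrail log file, in the same {"Records": [...]} layout that
# CloudTrail delivers to S3. Names, IPs and IDs are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "203.0.113.12",
     "requestParameters": {"bucketName": "trust-reporting-scratch"}},
]})


def _actor(rec):
    """Best available name for who made the call."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _open_to_world(cidr):
    """True for 0.0.0.0/0 or ::/0; unparsable strings are not flagged."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_record(rec):
    """Return a list of (rule, detail) findings for one CloudTrail record."""
    findings = []
    name = rec.get("eventName")
    source = rec.get("eventSource")
    region = rec.get("awsRegion")

    # Rule 1: successful console sign-in where MFA was not used.
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(("console-login-without-mfa",
                         f"{_actor(rec)} from {rec.get('sourceIPAddress')}"))

    # Rule 2: inbound security group rule that admits the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
            if any(_open_to_world(c) for c in cidrs if c):
                findings.append(("security-group-open-to-internet",
                                 f"{params.get('groupId')} {perm.get('ipProtocol')}/"
                                 f"{perm.get('fromPort')}-{perm.get('toPort')}"))

    # Rule 3: regional-service activity outside the approved Region.
    if source not in GLOBAL_SERVICES and region not in ALLOWED_REGIONS:
        findings.append(("activity-outside-approved-region",
                         f"{name} in {region} by {_actor(rec)}"))
    return findings


def triage(log_text):
    """Run every rule over a CloudTrail log file and return flat findings."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        for rule, detail in check_record(rec):
            out.append({"time": rec.get("eventTime"), "rule": rule, "detail": detail})
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['rule']:<34} {f['detail']}")
```

On the constructed batch the script reports three findings: alice's sign-in without MFA, alice's RDP rule open to 0.0.0.0/0, and carol's bucket created in us-east-1. Two design points matter in practice: global services such as sign-in and IAM always log with awsRegion us-east-1, so a naive Region check would flood you with false positives unless they are exempted; and in production the records would be read from the trail's S3 bucket or CloudWatch Logs group rather than an inline string, with the rules feeding a ticketing or alerting system rather than stdout.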

AWS Compliance Programs

AWS Compliance Programs help customers understand the controls in place at AWS to maintain security and compliance in the cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance Enablers build on traditional programs, helping customers establish and operate in an AWS security control environment.

The IT standards AWS complies with are broken out by Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations, and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.

For more information, refer to the comprehensive AWS Compliance Programs website.

NHS Trusts and NHS Trust leadership can refer to Using AWS in the Context of NHS Cloud Security Guidance as the first point of enquiry for additional information on how to implement AWS Cloud services in alignment with the NCSC guidance, and NHS guidance on the secure use of hyperscale cloud services.

New cloud computing skills

AWS Training is designed to help individuals delivering cloud-based solutions to gain proficiency with AWS Cloud services and solutions. AWS offers both digital training through self-paced labs and instructor-led classes. Refer to the AWS Training and Certification website for full details and course options. The AWS role-based technical training courses are designed around the three primary roles in engineering teams delivering cloud-based solutions: Solutions Architect, SysOps Administrator, and Developer. Whether you are just getting started, or looking to deepen your skills, AWS offers training to help you learn to design, develop, and operate available, efficient, and secure applications in the AWS Cloud.

Career and incentive management

Cloud adoption introduces changes to NHS Trusts’ IT staff career paths. This requires HR managers and people managers to update career management skills and processes, so that they can ensure that their team members understand their new roles and career options.

Incentive management is key to attracting and retaining employees. Consider incentives as part of cloud adoption work streams. Your organisation's culture and its ability to provide an environment that attracts and retains talent play a key role in successful adoption. Teams need new skills to manage cultural change and new processes for talent management.