Cloud Centre of Excellence Foundations

Provisioning of cloud components to business customers according to customer requests. In particular:

• AWS account creation
• AWS Landing Zone Build
• Azure account
• Azure Landing Zone

The provisioning will include:

• account/subscription design and creation
• centralised Identity and access management
• shared security components design and deployment
• initial Infrastructure as code templates and documentation
• secure / controlled connectivity to the cloud platform and applications

Monthly report providing cloud consumers with the key metrics for the NHSD services for the period.

The CCoE architects continue to explore opportunities for cloud platform shared services which can benefit NHS Digital.   The experience of building the PoC will provide the opportunity to understand how the services work and demonstrate them to stakeholders. In particular:

• how the new service is implemented and how it can be consumed
• understand design decisions required to host the system in the cloud, and the practical implications of these decisions
• security and compliance aspects of the solution

Curate and publish relevant, vetted architecture patterns for implementation of cloud systems in the context of the NHS.  Content is distributed on the the community of practice collaboration platform. 

Development of common platform security policies to ensure platform-wide implementation of business policies.  Alignment of the policies with existing security policies and working practices.  Communication of the platform policies to consumers of cloud services

Definition of the technical guardrails and configurations required to implement the policies on the cloud platforms.  Policy as code and implementation on the NHSD cloud service accounts.   Technical artefacts for policy as code and guardrails are available via the community of practice collaboration platform.

Reporting on compliance and security posture of cloud subscriptions and landing zones, using platform vendor tools. For example:  Azure Sentinel, AWS GuardDuty, audit policies.

Centralised collection of platform logs and alerting to detect suspicious activity, performance issues, security events, etc.

The NHSD CCoE provides access to a portal for cloud service, consumption, cost management to the owners of cloud subscription accounts and their deputies.

The NHSD CCoE provides a centralised billing and invoicing service for each monitored account, based on the invoices it receives from the Cloud service providers.

When the CCoE receives the invoice, it is analysed according to the ownership details in the asset inventory – costs are apportioned according to agreed rules. The IT Finance team process the outputs as chargebacks.

The customer (business unit account owner) receives a PDF document with detailed description of costs and usage for the period.

Provide periodic usage and cost reports to cloud account owners.  Further information is available in near-real time from the cloud cost management portal.

Maintain a working model of cost allocation for cloud services based on account ownership and usage.   Align with stakeholders and IT Finance.

Define and maintain a scheme of attributes (tags) which identify ownership, function, and status of cloud workloads and services.

The metadata tags are assigned to each cloud to enable cost allocation and service management processes.  A robust scheme of asset tags supports automation of key processes such as cloud service billing and chargebacks as well as IT service management processes for incident, problem and change management.

The cloud cost management system can be configured to alert account owners based on thresholds and consumption patterns.  Application owners can use these alerts to control how much capacity they use and stay within agreed budgets.

NHSD CCoE will proactively explore ways to reduce the purchase price of cloud services by negotiating bulk purchasing discounts and savings plans with the cloud service providers.

Typically, discounts are applied at a corporate level, based on a certain level of committed usage over time.

Proactive management of cloud vendors at a corporate level to deliver sustained value for money.  Activities focus on controlling costs, driving service excellence, and reducing business risks.

Contract Management manages contracts with cloud vendors and service providers. Activities include

• aligning and adapting vendors terms and conditions
• managing contractual changes, amendments, and deliverables
• overseeing Cloud CoE organisation and services to ensure contractual obligations are met
• aligning with Cloud CoE capabilities in case of changes to architecture due to contractual changes

Support procurement teams with technology expertise for contract renewals and negotiations.