These policies, guidelines and standards are defined by a number of different aspects:
- use case approval
- IP addressing
- roles and responsibilities
- Public Cloud architecture design
- Data Security and Protection Toolkit
- HSCN Connection Agreement
- HSCN Obligations Framework
- Health and Social Care cloud security good practice guide
- Inbound internet Connectivity Risk Mitigation for CNSPs and HSCN consumers
- Cloud service provider policy.
Use case approval
Each of the use cases we have provided has been broken down in the table below.

| | Automatically approved | Individual approval required |
|---|---|---|
| Use case 1 | ✔ | |
| Use case 2 | | ✔ compliance with SO8 |
| Use case 3 | ✔ | |
| Use case 4 | | ✔ compliance with SO8 and SO10/SO10a |

Use case 1 and use case 3 are approved use cases subject to addressing isolation requirements. The roles defined each have different responsibilities regarding the provision of those types of service.
Use case 2 requires compliance with SO8 and explicit approval for the routing of traffic.
Use case 4 also requires compliance with SO8 and explicit approval for the routing of traffic and, in addition, requires compliance with SO10 and SO10a, which relate to Inbound internet
Obligations SO10 and SO10a have specific guidance available: read the Inbound internet connectivity guidelines for CNSPs and consumers.
For adherence to obligation SO8, pre-approval by the NHS Digital Data Security Centre is required.
To do this, please raise a call with the NHS National Service Desk by emailing the NHS National Service Desk or by telephone on 0300 303 5035. The call should be raised with the HSCN service, state that it concerns Security Obligation SO8/SO10/SO10a, and be marked for the attention of the Data Security Centre.
IP addressing
The very nature of public cloud services is that anyone can use them, including malicious actors who may use a public cloud service to initiate attacks and host or deliver malicious content. To mitigate the risk of malicious services hosted in public cloud, any public cloud service should always use addresses outside of the cloud provider's public block. It is therefore required that a public cloud provisioned service connecting to HSCN uses HSCN approved addresses. Each service should have its own HSCN approved address so that isolation can be maintained between those services.
In the event of a malicious attack from a public cloud service, the HSCN authority may be required to block the IP addresses from which the malicious traffic originates. Any service that uses public cloud addressing instead of HSCN approved addressing must ensure it mitigates the risks/hazards associated with having its service blocked.
IP addresses need to be obtained from NHS Digital via the HSCN IP address management process and then be registered with the consuming organisation.
It is the CNSP's responsibility to ensure that all IP addresses allocated to Inbound Cloud connections are registered on the NHS Digital IPAM (HSCN IP address management).
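The addressing rules above can be checked against a service inventory before a connection is requested. The following is an added example, not NHS Digital code: the service names are hypothetical, and all networks and addresses are constructed from RFC 5737 documentation ranges standing in for an HSCN allocation, a provider's public block and the IPAM register.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges); these are NOT real
# HSCN allocations, cloud provider blocks or IPAM records.
HSCN_APPROVED = [ipaddress.ip_network("198.51.100.0/24")]   # assumed HSCN allocation
PROVIDER_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in provider public block
IPAM_REGISTERED = {"198.51.100.10", "198.51.100.11"}        # addresses recorded in IPAM

SERVICES = [  # hypothetical inventory: (service name, address presented to HSCN)
    ("booking-api", "198.51.100.10"),
    ("results-portal", "198.51.100.11"),
    ("imaging-store", "198.51.100.11"),  # shares an address with results-portal
    ("legacy-sync", "203.0.113.25"),     # uses provider public addressing
    ("reporting", "198.51.100.40"),      # approved range, but never registered
]

def audit(services, approved, provider_public, registered):
    """Return {service: [findings]} for services that break the addressing rules."""
    findings = defaultdict(list)
    by_address = defaultdict(list)
    for name, addr in services:
        ip = ipaddress.ip_address(addr)
        by_address[ip].append(name)
        if any(ip in net for net in provider_public):
            findings[name].append("provider-public-address")
        elif not any(ip in net for net in approved):
            findings[name].append("not-hscn-approved")
        elif str(ip) not in registered:
            findings[name].append("not-registered-in-ipam")
    # Each service needs its own address so that one service can be blocked
    # without taking the others down with it.
    for names in by_address.values():
        if len(names) > 1:
            for name in names:
                findings[name].append("shared-address")
    return dict(findings)

if __name__ == "__main__":
    report = audit(SERVICES, HSCN_APPROVED, PROVIDER_PUBLIC, IPAM_REGISTERED)
    for service, issues in sorted(report.items()):
        print(f"{service}: {', '.join(issues)}")
```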
Roles and responsibilities
We have provided a simple matrix of the associated standards and agreements, showing which roles are obliged to comply with which standards, agreements, policies and principles.

| | Consumer | Cloud Service Provider (CSP) | CNSP | ITSP |
|---|---|---|---|---|
| National Cyber Security Centre (NCSC) Cloud Security Principles | ✔ | ✔ | ✔ | ✔ |
| Data Security and Protection Toolkit (DSPT) | ✔ | ✔ | ✔ | ✔ |
| HSCN ITSP connection agreement | | ✔ | | ✔ |
| HSCN Consumers connection agreement | ✔ | | | |
| HSCN Obligations Framework | | | ✔ | |
| Health and social care cloud security good practice guide | ✔ | ✔ | ✔ | ✔ |
| HSCN Cloud Service Provider (CSP) policy | | ✔ | | |
| Validate HSCN compliance and authority approval received | | ✔ | ✔ | ✔ |

Public cloud architecture design
Services in the Public Cloud should be designed in line with NCSC Cloud Security Principles and Center for Internet Security (CIS) critical security controls.
To support this, some top-tier cloud providers have created a template for deploying a solution in line with the NCSC and CIS, and guidance on how to deploy and secure dedicated network links.
Both the AWS and Azure architectures provide a responsibility matrix for the above security controls. Other suppliers may also have produced similar materials and guidance.
The hosting policy sets out which locations are acceptable for hosting specific data types. If you are responsible for multi-region deployments, you should consider how Direct Connect/ExpressRoute/Google Cloud Interconnect (or similar infrastructure) deployments can maintain service connectivity and resilience/availability.
Guidance includes (others are available):
- AWS Direct Connect resiliency recommendations
- Microsoft ExpressRoute overview
- Cloud Dedicated Interconnect overview.