Using AWS in the Context of NHS Cloud Security Guidance

The explicit guidance on the secure use of hyperscale cloudservices was published in January 2018 by four key UK Public Sector Health bodies: NHS Digital, the Department of Health and Social Care, NHS England, and NHS Improvement. That guidance built on the foundation of the National Cyber-Security Centre’s 14 Cloud Security Principles, and adopts the NCSC’s philosophy of devolving risk management to Information Asset Owners, taking a risk-based approach to managing information security in the cloud. It also draws a clear delineation between the security of the cloud infrastructure and services delivered from it, and the workloads deployed to that infrastructure. The expectations on organisations using the guidance are therefore that they 1) quantify the information security risks involved for their workloads; 2) satisfy themselves that the cloud provider they use implements the required controls to manage those risks; and 3) adopt the appropriate customer-usable controls for that purpose. This whitepaper explains how to achieve the latter when using AWS for cloud infrastructure.