Weeknotes s01e28

TL,DR: BCS Professional Membership. Azure Express Route readiness — so close to the finish line. Azure Cloud Migration Prep. NHSmail Leavers and intros to Intune/Hololens2. Cyber and Risk. And a week of Remembrance.

[W/C 08/11/2021]

Click here for previous weeknotes s01e27.

Who did you talk to outside your organisation?

• Continued meetings following on from last week with Virgin, Maintel and Phoenix to progress the the the second resilient circuit that makes up our Azure Express Route and keep the urgency on everyone’s radar to ensure we hit our tight deadlines for delivery. Didn’t quite land this week with some bits left outstanding to early next week. In retrospect a good call to move Azure Cloud Migrations back by a week. So close to that finish line.

• Myself and Emily Wright caught up with colleagues from NHS Digital who are working on InTune/Hololens2 about the process for on-boarding KGH and a discussion around our next session with key IT and clinical stakeholders to see the art of the possible with Hololens2. Looking to see if we can get another pilot NHS Trust to talk to us about their deployment and benefits of Hololens2 via the NHSmail central tenant.

What would you have liked to do more of?

Given the re-activeness of this week around Express Routes, somethings like scoping the IT enabling works for HIP2 took a hit. Did not manage to get as far as I intended.

What do you wish you could have changed?

• Finally a Virgin Media engineer arrives onsite with the missing second Express Route Router to install on Friday afternoon… but was sent without the SFP port module to allow him to patch it physically into the circuit… so still no resilient connectivity and no fail over test conducted (pre-req for Azure Data Centre Migrations)…roll on Monday! So close to that finish line…
• Ongoing issues with not marking leavers on the NHSmail platform given that we don’t yet have any centralised mechanism for controlling SharePoint Online permissions through the NHSmail admin portal. I’ve written about this in previous weeknotes. It has started to bare us some pain points with leavers quite rightfully asking why their NHSmail accounts are not being marked as leavers so their new NHS organisation can transfer their email account following them into their new role without having to change their email address. One of them being quite senior this week where we had a Director of IT their new Trust reach out to see why and what we could do for this particular case. Have been informed by NHS Digital colleagues the functionality/issue will be released in a future release, likely to be Q1 2022. It was reiterated that the safest way to prevent an IG/Data Protection issue from occurring is to disable accounts and for new NHSmail accounts to be setup in their new organisation.

What challenged me?

• Dynamic Routing on the local end of the Express Route. The revelation that all was not as we expected came mid way through this week. Although we had it confirmed that BGP routing protocol is active on the express route in Virgin Media’s network, we subsequently found out it’s only at the Azure end. Which means locally between our new firewalls and the local Routers we will need to input static routes for either complete ranges or specific IP addresses. The impact of which leaves us in the position of engaging Virgin Media every time we want to make a change, and up to 10 days to make the change post logging the request. The Data centre migration just got way more complicated given that a significant number of our services need to talk to services hosted on the HSCN network via a local connection. Decided that this was way too painful and not acceptable to work with this. Pieced the complete picture together with our Networking/Server Teams and the impact this would have and what can be done to make this easier. This meant jumping into difficult conversations and coordinating 3rd parties to get on calls together with short notice and then run through our options, impact and risk of the options, ability to execute and test in the timeframe available, eg a week! Eventually we got there with a really helpful engineer from Virgin who went above and beyond. Change was thankfully approved and BGP/Dynamic Routing is now up and running locally also after changes to the Routers (Virgin) and Firewalls (Maintel). Which means the routers will learn and pass on traffic originating locally and transmit up to Azure via the Express Routes dynamically. Will need to stress test the success of this change, along with second router being patched in and hopefully sign off on the express routes next week, just in time to start migrations. What a way to end the week!
• Thoughts on on enabling MFA for Office365/SharePoint within an acute Hospital environment. Clinical users already face a major challenge around multiple and slow logins. Which is just not acceptable in my view and we need to do more as a priority to deploy a Single Sign On (SSO) solution. This not only helps our user base but will massively increase the cyber security posture as complexity becomes less of an issue. Almost anyone with knowledge of Office 365 security administration will ask you rhetorically as a matter of fact, “so you have MFA turned on right? Yeh course you do… right? Right??”

For me enabling MFA means a couple of things.

• One — user education on what happens in the real world and the risks if you don’t use MFA.
• Two-making use easier.

The latter is fortunately is getting easier with the Microsoft Authenticator App on your mobile phone or the newly released FIDO2 tokens capabilities on NHSmail, especially useful for clinicians who can’t carry a mobile phone in certain areas. There is also the old school thought that MFA is not needed on the corporate network as that’s bullet proof secure! Hmm in the days when maybe everything was on-prem and sitting behind the firewall. Those days are gone as we develop in an ever rapidly maturing digital world with cloud based systems and apps. The local network is fast becoming just a commodity item. NCSC have published Zero trust architecture design principles and guidance. Some of the principles talk about authenticating and authorising everywhere, and not trusting any network, including your own.

https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa

What did you enjoy?

• BCS (British Computer Society) launch event across the Group. Was brilliant news learning on the Digital Townhall a few weeks back that we had signed up for corporate membership, this was the official launch introduced by Andy Callow and led by BCS. Was great to hear about the benefits and accreditation routes. Registered and proud to say I am now a Professional Member, MBCS. This has been on my development bucket list for ages, so really greatful this opportunity came along. Looking forward to submitting an application to become a Chartered IT Professional — CITP.

What did you achieve?

• Azure Sentinel POC deployment workshop — ran smoothly early in the week. Ready for next steps to start on-boarding additional security feeds from hosts, firewalls and other security products,
• Virgin Media confirmed that their backend configuration at the Virgin/BT Openreach exchange was completed and tested successfully on Wednesday. Am essential step to ensuring the resilient express route circuit has connectivity to Virgin Media Data Centres and consequently to Azure Data Centres.
• Several Azure Migration meetings where we ran through current risks and issues. Also had a walk through the detailed change documentation from Grant (Infrastructure Manager) and Karen (Cloud Migration PM), they have done a cracking job. The level of detail was quite meticulous and stakeholder engagement seems to be going well. Bit more work required before it goes formally for final sign off to CAB next week.
• Attended a short “Rate my Shift" app discovery session to hear about how an app may help the Trust to improve health and wellbeing, a lot like a pulse check for staff as to how they are feeling after their day or shift. Although really pro about the idea of staff having the ability to actively feedback, was not convinced we need a 3rd party app. Made me think about the art of the possible with using Office 365, develop something in-house using PowerApps maybe and present as an android/iOS app with full reporting into drill down Power Bi dashboards. Food for thought, our opportunities in this space are only just opening up and relatively new to this space, so really eager to learn more from other Trusts already doing this.
• Spoke to a few colleagues around NHSmail’s exchange online archive service and how we can publicise it more with our users more proactively taking the approach to undertake mailbox housekeeping little but often. Given that for some users having mailboxes limited to 4Gb is too restrictive, its a life saver having access to online exchange archive with a 100Gb limit. The archive is available online and accessible from anywhere just like your mailbox using Outlook Online.
• We had our monthly Cyber Security Group meeting at KGH, and quite a bit of emphasis on our Cyber Security performance dashboard along with an overview of some new and mandatory Data Security Protection Toolkit (DSPT) requirements that may present a challenge for our next submission. We need more focus on Cyber and create an annual Work Programme that has budget and resource assigned to meet some of the challenges ahead as well as the current ones. Will aim to work on this with Suraj Palmer-shah (Cyber Security Officer) to start building this. The governance reporting lines for Cyber also need some thought as to how assurance and risks are presented to senior folk at Digital Hospital Committee.
• Although due to meeting clashes I missed the Divisional Risk Management Working Group meeting, I managed to update and even close a couple of risks down. Reviewing some of the risks re-enforced that we need to continue getting better at raising, managing and ensuring we have frequently reviewed mitigation plans that are tracked in more detail.
• Working towards finishing off scoring the security governance elements for a procurement tender responses.
• Quotes received for CISSP virtual classroom training. Will be raising orders next week and subsequently booking in. Have started reading the manual in a concerted effort to make steady progress to get a head start on the training course. The volume of information to take in is quite daunting. However I am really looking forward to achieving CISSP accreditation.

What did you learn?

• During conversations this week with NHS Digital colleagues I managed to get an answer albeit brief that it may be possible to get ATP Defender/Sentinel feeds from the NHSmail Office 365 tenant to feed into our local Azure Sentinel Pilot. A few other Trusts have also been working in this with NHSD specifically around Sentinel feeds. Have been given the contact details for the team working on this, so will be following up on this.
• Read an article by Shaun Van Niekerk, CISSP around Defence in Depth in an NHS setting— Cyber Security. Shaun provides such a wealth of cyber knowledge and recommend a follow on LinkedIn.

• Spent some time learning about the experience and the significant impact that Sikh Soldiers made during World War 1 & 2 this week in the run up to Remembrance Sunday. Some amazing work being done in the community to ensure their sacrifices and memory stays alive.

UKPHA founder Amandeep Singh Madra told The Indian Express that this begins to tell the story of 5 lakh men from Punjab who went to war – 5 per cent of the total British force. “It is a never before seen archive that shows the names and villages of every man from Punjab who served in WW-I. It lets families trace their details just by entering the name of the soldier and the village or either of them,” he said.

‘Empire, Faith & War’ project aims to commemorate the remarkable but largely forgotten contribution and experiences of the Sikhs during this epochal period in world history.

Useful reading on the subject at Upkha.

What are you looking forward to next week?

• Working and fully tested Azure Express Route ready for Azure Migration Waves to commence the week after.
• Catching up on items that have dragged on from this week and a few that have been on my backlog for a number of weeks.