SHA-1 to SHA-2 migration projects accelerate across the NHS following growth of BYOD and internet-connected systems.
ANSecurity has given details of a successful project with Nottinghamshire Healthcare NHS Foundation Trust to move to the SHA-2 cryptographic standard to help strengthen its security posture.
With over 12,000 computing devices and 500 servers under its management, Nottinghamshire Healthcare has maintained an ongoing strategy to continually improve its security controls. Most of its systems are used internally and are not connected to the internet. However, increased use of BYOD and more interconnection has prompted the IT department to instigate a migration of its PKI infrastructure to the newer SHA-2 (Secure Hash Algorithm 2), a set of cryptographic hash functions that is widely used in security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec.
“SHA-1 has been deprecated in terms of its security capability, however not all our applications or servers natively supported SHA-2, which meant we needed to consider the upgrade with the context of a wider application server upgrade,” explains Andy Spencer, System Team Leader for Nottinghamshire Healthcare. “It is a significant project that we felt could benefit from dedicated security expertise, for which we turned to ANSecurity.”
ANSecurity helped the Trust to overcome the complexity of its legacy PKI, along with dependencies on existing services including mobile device onboarding and remote access control. As Jason Parry, Network Security Architect for ANSecurity, explains, “We discussed at length with Andy and his team the merits of several deployment scenarios to determine the best course of action. Next, we agreed a process with various business groups who consume PKI and, once ratified, completed our standard scope of works documentation with pre-requisites to streamline the deployment.”
The actual project was driven by Nottinghamshire Healthcare’s IT department under guidance from ANSecurity to ensure high levels of knowledge transfer. The entire migration project, including legacy operating systems migration and remediation of weaknesses within the SHA-1 signatures, took just 3 days, leading to improved security posture without any disruption to its 24/7 operations.
“Any organisations with a legacy Windows PKI environment need to perform something similar,” Parry explains. “This may not require a wholesale replacement and in many cases, it might be applicable to perform a simpler migration to new servers along with an upgrade that renews existing PKI infrastructure.”
ANSecurity has performed dozens of these projects over the last 24 months and has a significant number planned for the next year. “The NHS with its large number of legacy systems is a sector that is rapidly moving to SHA-2,” says Parry. “Busy IT staff that may have overlooked these types of projects due to the complexity of legacy application servers should not be overly concerned as the process for migration is relatively straightforward and uses a well understood process.”