Forefront suite

One of the key security products used by the NHS today to protect the Network Perimeter is the Microsoft Internet Security and Acceleration Server (ISA) which is part of the Forefront suite of products, its typical uses are:



I want to provide secure access to clinical applications

Or substitute any one of the following:

· I want to provide services to unmanaged machines without compromising security

· I want to secure my legacy applications without having to rewrite them

· I want to be able to use RMS from Outlook Web Access

· I want to provide a cost-effective home working solution without buying everyone their own laptop

· I want to make staff aware of, and sign off on, changes in IT policy before they access patient data

A challenge with traditional VPN solutions is that they are somewhat inflexible about the access they give. Often in Healthcare we need to provide a granular level of access to applications, files and data. The Intelligent Application Gateway (IAG)[1], which is part of Microsoft Forefront Network Edge Security, provides secure socket layer (SSL) application access, a Web application firewall, and endpoint security management that enable access control, authorisation, and content inspection for a wide variety of line-of-business applications.

Together, these technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, desktop computers, and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria.



Intelligent Application Gateway

Key benefits include:

· A unique combination of SSL VPN-based access, integrated application protection, and endpoint security management.

· A powerful, Web-application firewall that helps keep malicious traffic out and sensitive information in.

· Reduced complexity of managing secure access and protecting business assets with a comprehensive, easy to use platform.

· Interoperability with core Microsoft application infrastructure, third-party enterprise systems, and custom in-house tools.



My users want to securely share information with arms length bodies

With the formation of multi-disciplinary teams we need to share information with other organisations quickly and securely. One way of doing this is to extend our network out to these organisations. In Windows Server (2003 onwards) we have Active Directory Federation Services (or ADFS) which will allow us to create Trust relationships between organisations to support the federation and sharing of information. Above I talked about Rights Management Services to secure documents inside of you organisation, in Windows Server 2008 we extend this building on ADFS.


Federated Rights Management

Rather than take this infrastructure approach though, our users can securely share information both inside and outside of the organisation using Microsoft Groove. Groove, which is part of Office System 2007, lets user create a secure workspace on their PC (it’s encrypted) and then invite a number of colleagues into that workspace. Data is transferred between PC’s using the Groove relay service (the default is the hosted service from Microsoft, or a Trust can implement their own). Groove can also be linked to Sharepoint document and forms libraries – so a Trust can offer internal users access to documents via their Sharepoint intranet and give external people access to these via groove. The Groove application will automatically synchronise data between the two.

There is a case study on the use of Groove in the NHS here.

[1] Not currently covered under the NHS Enterprise Agreement