Government IT: Can States Get a Handle on Securing the Cloud?
By Tony Kontzer
Emboldened by the Fed's early cloud computing success, state governments really want to take advantage of cloud computing -- so long as the risks are mitigated, that is.
Over the past several months, the National Association of State Chief Information Officers (NASCIO) has produced a series of briefs, entitled "Capitals in the Clouds," that have provided an overview of cloud computing, described the challenges of getting data in shape for a migration to the cloud, and explored the due diligence that states must perform to be clear about jurisdictional, contractual and service level issues.
But the fourth brief in the series tackles what has been the biggest obstacle preventing companies -- and government agencies -- from jumping into the cloud: Security. With so much data about citizens at issue, not to mention a clear responsibility to be transparent in disclosing any potential risks, state governments have to ensure that they've dotted their I's and crossed their T's before entrusting systems to cloud providers.
"Above all, we need to be able to guarantee our data is secure, and that the provider understands just how complex state government security requirements may be," the document states.
The brief makes it clear that states are contending with wildly varying security setups from agency to agency. This is happening, in part, because they aren't required to adhere to the Federal Information Security Management Act of 2002, which dictates security compliance standards at federal agencies. It also doesn't help that IT security at the state level is woefully under-funded, and that IT consolidation efforts have left those state programs that remain decentralized facing significantly more challenges.
Obviously, such factors make it tricky to assess the security risks that cloud services pose to state governments, which is why NASCIO sought to explore the issue in the first place. While most states have understandably taken a slow, steady approach to cloud adoption, NASCIO identified two states whose approaches to cloud security can serve as models for other states:
- Delaware has developed a new set of terms and conditions for inclusion in the state's procurement process, requiring that all cloud-related requests for proposals include 12 new terms and conditions, as well as 20 statement-of-work clauses. In doing so, CISO Elayne Starkey states in the brief, "We felt it was possible to mitigate risks significantly and to establish a common understanding of what services can move to the cloud quickly and what may at present not be good candidates."
- Michigan, meanwhile, has an initiative dubbed MiCloud, which is essentially a private data center that provides cloud-based services to state and local government, and which provides governance and direction for the state's cloud computing efforts.
Fortunately, NASCIO notes that states have a built-in cloud-vetting resource to turn to in the form of the Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to cloud security and which requires vendors to hold a current "authorization to operate" in order to be considered for any federal cloud contracts.
According to NASCIO, a number of states are weighing the option of only doing business with vendors that have received FedRAMP authorization.
This could have a serious impact on rogue users' growing reliance on cloud-based storage services such as Box.net and Dropbox, which presumably would have to meet the FedRAMP standards.
In the meantime, NASCIO is recommending a number of actions state CIOs should take to ensure that they're not taking unnecessary risks:
- Mobilize internal support for cloud adoption, while clearly articulating security and privacy risks.
- Weigh the benefits and risks of cloud computing in terms of cost versus security and privacy concerns.
- Educate policy makers on the differences between consumer cloud services and the industrial-strength requirements of state government.
- Consider modifying procurement terms and conditions to address cloud computing.
- Start with a private cloud solution where state data is highly sensitive.
- Develop an enterprise security policy that controls unauthorized use of cloud services while enabling legitimate business needs.
- Consider a cloud broker approach.
- Work with the Federal government to develop comprehensive cloud requirements.