Remember your teacher telling you to pay attention and “Get your head out of the clouds?” Well, times have changed, and it’s time to get your head in the cloud. Cloud computing, that is. With a simple internet search, it is easy to discover the many ways in which cloud computing is benefitting private and public industries, such as attaining economies of scale, cutting capital costs or improving overall access to data. According to a Forbes article, integrating cloud systems into your organization even enables the greater potential to get into new business ventures. And government agencies at all levels are taking advantage of this technological phenomenon.
But despite all of these positives to using the cloud, there still are the issues of information security and privacy. During Wednesday’s GovLoop State & Local Innovators Virtual Summit training session “Securing the Cloud at Your Level,” Tony Collins, Enterprise Architect for the State of Delaware, and David Blankenhorn, Vice President of Engineering and Chief Cloud Technologist at DLT Solutions, discussed the ways to mitigate cloud risks by understanding the top threats and risks as well as your data priorities.
Mitigating Risk through the Eyes of Delaware
To get a policy perspective, Collins discussed mitigating an organization’s risks by focusing on the state of Delaware’s experience with cloud computing. Delaware is at the forefront of the cloud movement as one of the first states to dive into the cloud. The Delaware Information Security Policy, which includes 20 terms and conditions (T&Cs), was first implemented into existing state legislation in 2011.
“Some vendors accepted everything without question, which made us nervous,” said Collins. “Did they really read them or understand them? And other vendors were unable or unwilling to meet several to many of our terms and conditions.” As a result, Delaware learned a lot regarding IT procurement and contracting processes as well as vendor capabilities.
In 2013 and 2014, a standalone policy was established, which included a separate set of terms and conditions for public data and another that pertained to non-public, confidential data. The state had encountered multiple experiences that warranted the more specific T&Cs to protect both the state’s data and its interests and business needs. Currently, the T&Cs of the legislative policy apply mainly to Software as a Service (SaaS), but they apply to any type of outsourced model, not simply cloud vendors. The policy protects data while it resides in the outsourced solution as well as while it is being transferred.
Learning from Delaware’s Lessons
The particular payment model for data can be either a detriment or a benefit to any state in terms of cloud security. Some data procurement involves a subscription, and others use a pay-as-you-go method. This usually affects the ownership rights of the data.
In some cases, the state may not own the data and a third party is involved. The state may provide a third party with data, but by doing so, it relinquishes all rights to the transferred information. It is crucial to determine ownership before knowing how to handle the information. Once ownership is determined, it can be classified. From there, it can be protected in all areas, whether in a solution or being transferred. Also, it is necessary to capture only required information.
Due to the lengthy nature of contract negotiations, Delaware has learned how to properly prepare to speed up this process. One of the most important parts of negotiating contracts is determining what actions will be taken when information is removed from the cloud. Establishing the exit strategy, including how data will be returned or destroyed when a contract ends, should be part of the contract development process.
Delaware’s cloud legislation T&Cs cover both cloud and offsite hosting, which provide rapid delivery of information and enhanced scalability, and they reduce the risks associated with entrusting the State’s data to a third party. Delaware has a distinct understanding of what data it owns and under what circumstances the service provider can access specific data. This includes prohibiting the service provider from storing or transferring non-public state data outside of the United States. When a contract is terminated, Delaware’s data must be returned in a specified format, such as CSV or XML, and data disposal must adhere to NIST-approved methods.
Securely Leveraging Cloud Technology with IaaS
Blankenhorn focused on cloud security in terms of Infrastructure as a Service (IaaS). In the past, said Blankenhorn, the typical IaaS use cases were more along the lines of web services, constituent services, and skill development. But more and more these days, he explained, new types of groups are making use of IaaS -- everything from the disaster recovery community to GIS to office productivity.
As more and more use cases of IaaS are being deployed, Blankenhorn shared several best practices that users should keep in mind:
• Delegation, NOT Abdication
• Develop a Pre-Nuptial (aka an exit strategy)
• Use Existing Tools and Enhance with Native (or Hybrid) Cloud Capabilities
– CDN, DDoS Protection, Security Services
– Extract/Transform/Load (ETL)
– Continuous Monitoring
• Encrypt Everything (mask or tokenize where you can’t)
• Map Compliance (HIPAA, FERPA, ISO, PCI, SOC, CJIS, Geo-location, etc.)
• Leverage a Risk Management Approach
• Leverage Existing Disciplines
• Develop New Skills, Approaches, and Design Patterns
• Read the Fine Print and Analyze Risk
GovLoop recently hosted its State and Local Innovators Virtual Summit, an all-day, virtual event with six different online trainings, networking opportunities and resources to help you do your job better. Be sure to read the other recaps here.