3rd Party Risk Management

5 Critical Elements of a Cloud Framework

Michigan CIO Theis on the State's Cloud Computing Initiative
5 Critical Elements of a Cloud Framework
Michigan is in its eighth year of smaller budgets. As the state's chief information officer and director of the Department of Technology, Management and Budget, Kenneth Theis is looking at ways to drive efficiencies through IT, and one of his initiatives is cloud computing.

"Cloud computing is a great alternative to lower costs and to be more agile in meeting the customers' needs," Theis says in an interview with GovInfoSecurity.com (transcript below). "But, going to the cloud has to be done right."

To get it right, Theis has identified five critical areas that the state's cloud initiative must encompass to assure its success. They are:

  • Ownership of data;
  • Security compliance;
  • Compliance with federal and state legal requirements;
  • Location of data; and
  • Service-level agreements.

Most cloud computing providers offer different approaches to these five areas, a situation Theis says is untenable. "What we are trying to do in Michigan is to set the framework, which means that these cloud solution providers meet our requirements, not the other way around," he says.

In the interview, the first of two parts, Theis also discusses how the state will address cloud-computing security concerns at the Great Lakes Information Technology Center, a planned data processing center that should be operational by 2014. The center, to be owned and operated by Michigan, will host cloud computing applications for local governments and state agencies as well as some businesses.

In part two of the interview, Theis addresses how Michigan beenfits from being the first state to implement the federal Department of Homeland Security's Einstein intrusion detection system.

ERIC CHABROW: We now know there is a lot going on with the cloud in Michigan. First, tell us about the Michigan cloud computing framework.

KEN THEIS: Cloud computing is a great alternative, to lower costs and to be more agile in meeting the customers' needs. But, going to the cloud has to be done right. We have identified what we call our five key critical areas of things that really need to be encompassed, because a lot of cloud computing strategies offer their own different types of solutions for each one of these areas. It's important for every entity to create this framework. The cloud computing solutions are meeting the state's needs, not the state trying to meet their needs.

The first one is about ownership and ownership around the data, and who owns that data at the end of the day. What happens if that supplier or that solution provider goes bankrupt? The second one is obviously around security, compliance, identity and access management. Are there auditable records that are acceptable, and is it certified by a third-party auditor, that the security controls are appropriate for the type of business and the type of data that they are doing? The other issue is around legal issues. Is there a guarantee that the provider complies to all federal and state legal requirements? Is there a stipulation for the provider to make sure there is breach notification. Another area that we look at is location of the data. Where is the data located and can it be accessible, and whether it is within the state of Michigan, or not only the primary data but in a disaster recovery opportunity? The last area would be service-evel agreements. When you take a look at service-level agreements, are they in place? Are those performance methods in place, and are there associated penalties in place, to make sure that those things are required?

When you take a look at all those different cloud computer providers that are out there, for each of these five areas they are offering, each solution provider is offering different components and different elements for each of these five areas. What we are trying to do in Michigan is to set the framework, which means that these solution providers, these cloud solution providers meet our requirements, not the other way around.

CHABROW: What kind of reception have you gotten to that?

THEIS: It's been good. We are in a large organization. We have about 1,700 employees. Our employees appreciate the fact that when we do look at cloud computing, we are going at cloud computing consistently across the organization, and we are setting up an environment that is sustainable and supportable as we move forward. I think, from a provider standpoint, we've gotten a little bit of pushback. We've gotten some pushbacks, saying "Wait a minute, if we do those things, it might cost you a little bit more money." And what we are saying is it is worth a little bit more money. You're still getting the benefit of cloud computing, speed and agility and reduced costs, but you're doing it in a way that is more sustainable and more affordable and more stable for our organization, moving forward.

CHABROW: Let's talk a little bit more about the security area. You're talking about auditable records and third-party auditors. Tell us a little more about that, and why that's significant.

THEIS: These are key critical areas around security that are done at different levels. Every provider has different solutions in place and different levels of security in place. For example, having auditable records at all data access events, folks may say they have auditable records, but it's only auditable during these different timeframes, not all the way through the events of that specific transaction. What we are trying to do with each one of these areas is define the level of detail for each of these key elements, so there is no misunderstanding, if you will, or misinterpretation of our requirements when we are working with that specific provider.

CHABROW: In Michigan, you are working on something called the Great Lakes Information Technology Center, and that deals with cloud computing. Tell us about that.

THEIS: When you take a look at cloud computing, it offers a wonderful opportunity for the government and the public sector. If you take a look at Michigan, Michigan is like every other state in the fact that it's got thousands of data centers that are supporting all levels of government. When you take a look at those, whether they're cities, townships, municipalities, counties or state government, or school districts, or universities, there are thousands of data centers, and just like all of those data centers, the state of Michigan has three very large data centers. And with the requirements of what is happening with high-def computing, with a lot of things that are out there, everybody is having a lot of difficulty in setting up environments to support these new data center technologies.

Michigan, like many organizations, has a primary data center. Our data center is 34 years old, and it's full. What we're looking to do is not only how do we build a data center that supports state government, but how do we build a data center that can support all government computing, across all government entities. What we have done is developed a program called the Great Lakes Information and Technology Center. It really is an opportunity to build a public cloud, if you will, that will support not only state government, but all those other government entities as well. Obviously, as you could expect, that will drive efficiency, it will maximize energy utilization, and bottom line, it will promote better government and increase collaboration. Once you get all those server technologies together, then we can start looking at, more importantly, how can we start sharing applications, such as e-mail, across those different government entities.

The other thing that is really a cool key component of this program is from an economic development perspective. The Michigan Economic Development Corporation loves this project, to build a state-of-the-art, purpose-built data center that would support all government entities, because they would like to make these services available for companies that they are looking to recruit into the state of Michigan. One of the things they would like to put into their economic toolbox is, as they are recruiting people into Michigan, to offer to host their computer systems, maybe for 12, 18 or 24 months as another carrot to bring them into the state.

CHABROW: Would this same data center host private companies as it would government entities?

THEIS: For the most part, it would be built around the public sector, but absolutely it would have the ability to add private sector entities, as well. Not only those small/mid-sized companies, but potentially, like you said, private companies.

CHABROW: What are the concerns of cloud computing that is raised, and this is one of the attractions of community cloud computing, where you have similar kinds of businesses and organizations sharing facilities, is the mixing of data or the potential mixing of data. It's one thing when you think about, maybe, different kinds of governments within Michigan sharing facilities, but from this kind of security concern, if you introduce private companies, does that raise some worries for people?

THEIS: Absolutely. There are definitely security challenges that need to be faced off with that. Also, probably as important as a security issue would be the perception issue, the perception of the public that there would be a public entity housed, or hosting their data to a very close proximity to government data. There are ways to deal with that. But, again, I don't want to take away the primary purpose of this Great Lakes Information and Technology Center would be to go after those things that are hosted, or services that are provided through the public sector.

CHABROW: What kind of responses have you gotten from other government entities in Michigan to this?

THEIS: It's actually been great. The challenges in Michigan are tremendous. We are in our eighth year of budget reductions, and that's not only for state government, but for all of our local government entities, as well. The pain that they feel today is even worse than the pain that the state has felt. We have gotten a lot of interest from a number of different entities that would like to join us, and almost become an anchor tenant with the state of Michigan as we move forward with this project.

CHABROW: Would this be operated by Michigan state employees or would it be outsourced to some cloud provider who would come in and operate it?

THEIS: The primary solution for this is to stay the same that it is today, and that is that it would be a facility that would be owned by the state of Michigan and it would be operated by the state of Michigan. We have done a request for information, and we have sought input from all of our vendor partners out there. We had 60 different technology partners respond to that request for information, but we did tell them that we were open to additional ideas and different innovative solutions that they had out there, as well. We haven't shut it off completely, but the idea would be that now we own the building, we can manage it with state employees.

CHABROW: Where are you in the process of getting this operating?

THEIS: We are through our request-for-information process. We are formalizing the overall business case and feasibility, and we plan to move forward with an actual request for proposal toward the beginning of next year.

CHABROW: When do you think it will be operational?

THEIS: Getting the data center up and operating is typically anywhere from realistically a three-to-four-year project. We would hope to be through the procurement process probably by this time next year, and from there we will start going through the planning and the build phase, which is typically anywhere from a 20- to 28-month process.

CHABROW: Has there been a location decided yet?

THEIS: You know, we haven't. When we went out with the request for information, we kept it wide open and said we would be very open to different locations throughout the state of Michigan. We received a number of different high-level ideas and approaches that literally highlighted a number of areas throughout the entire state.

CHABROW: Any idea how many jobs this could create?

THEIS: We have not gotten all the way through that. At the end of the day, you have the jobs of actual construction, and then, actually, obviously, operating at that point. But, we're not through that analysis yet. That's what we're doing today is understanding what that business feasibility looks like, and we should be able to articulate that later this year.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.