Hope, Concern Behind States' Quest for the Cloud
State CISOs Focus on Securing the Citizen-Generated Data
"Because of the economic situation we have now, we can't ignore the benefits of the cloud, but I think we proceed very carefully simply because of the kinds of information we have," California Chief Information Security Officer Mark Weatherford said.
Colorado CISO Seth Kulakow agreed that cloud computing has captured the imagination of state governments. "Cloud security, obviously, is on everybody's mind," Kulakow said.
At last week's RSA Conference 2010, Weatherford, Kulakow and Nevada CISO Chris Ipsen outlined the initial steps their states are taking as they explore secure ways to exploit cloud computing.
Like other state CISOs, Kulakow said the approach to secure cloud computing is similar to other types of computing platforms. "It's the same risk analysis and the same type of controls that you put in place to try to secure your cloud environment," he said.
Kulakow said security officers will gain a better understanding of cloud security as the technologies and processes mature. "You have to look hard not to try to go into that environment," he said. "It makes sense in some capacities."
Among those capabilities, Kulakow said, are disaster recovery and business continuity management, which could be significantly cheaper in the cloud than existing approaches.
Still, CISOs remain cautious about the cloud's benefits. What most concerns Ipsen with cloud computing is catastrophic failure. Ipsen imagines a scenario in which all states employ the same cloud service. "What impacts one state, impacts every state," the Nevada CISO said. "It's just a classic security challenge for us. We put all of our eggs in a basket."
Making the cloud secure will be complex but doable, the CISOs said. For one, contracts and service level agreements with cloud providers must be detailed with every imaginable situation and contingency spelled out.
"It's really a legal issue," Weatherford said. "In some respects, we've run into this a couple of times where organizations who are doing third-party services and all of a sudden we find out that company absorbed another company or they divested the company. Our information now ends up with somebody we didn't intend to be with and in a country we didn't want to be in. You go back and look at the contracts, and the contract is silent on this kind of issue."
Ipsen said states must do a better job of defining contracts and SLAs. "We're really getting to the point where we need to be able to define what are our security requirements, what are our datasets, what are our security requirements, who can access that data," he said. "It's important as we go into the cloud that we should be able to ask the cloud providers to show me verification that there are rigorous controls being applied."
Focusing on the data, not the platform, will go a long way toward a secure cloud. "The cloud could be many things, but in one sense it's a big application," Ipsen said. "The focus is protecting the data, classifying the data, building a business case around the data, closely linked to the data (and providing) the security controls that are necessary."
The Nevada CISO said he can't emphasize enough the importance of rigorous controls around the data in the cloud, especially considering that a third party has access to sensitive state data. And in securing data, Weatherford said, governments have a greater responsibility than businesses do. "You can make a decision when you walk into a bank or a gas station or a shopping center or whatever to provide personal and sensitive information; you can't make that same conscious decision when you deal with the state because you have to provide that information," the California CISO said.
Ipsen picked up on that theme, saying if states can't protect citizens' sensitive information in the cloud, then government should take a timeout in its pursuit of cloud computing. "Remember," he said, "governments aren't designed to be agile; we're designed to be resilient. ... One of the huge differences about governing is that we can compel citizens to give us info they wouldn't normally give us.
"Therefore, this is not a fiduciary discussion; this is an ethical discussion. What controls do we need to require ourselves and our service providers to make sure they're protecting the data to the level that we're compelling the citizens to give us this information? I think that's the fundamental question."