Managing Cloud Providers: New Approach
Delaware's CSO Provides Flexibility in Security Requirements
Elayne Starkey, the state of Delaware's chief security officer, no longer micromanages how cloud services providers secure state data.
Employing cloud services is a state government priority to limit costs, provide scalability and implement computing initiatives rapidly, and Starkey's office is responsible for negotiating all aspects of cloud services contracts for the Department of Technology and Innovation.
Until a year or so ago, Delaware would dictate to the providers how they should secure state data on the cloud, such as specific steps to take to safeguard passwords. Delaware had about three dozen terms and conditions on how the provider would be held accountable for the data. In phone conversations with the providers to negotiate contracts, Starkey says she and her team rarely got through the entire list of conditions.
"We went slightly overboard with our level of protections, thinking that our cloud provider needed to protect data in exactly the same we did with an on premises solution," she says in an interview with Information Security Media Group. "We were very prescriptive on not only what we wanted them to do but how we wanted to do that."
Streamlined, Quicker Process
Reflecting on the situation, state IT leaders concluded that what mattered most was that the data was kept secure and that the state needn't dictate to cloud providers how to accomplish that. Today, Delaware presents providers with 10 requirements for securing the data and then reviews the processes the vendors employ to safeguard the information.
"It's a much more streamlined process; it's a much quicker process for us to get through the vetting of the business cases," she says. "... We just opted to pull back a little bit ... and focus in on the overall protection standards, if you will, and then each provider could plug in their level of details that allows them to accomplish that level of protection."
Delaware, however, prescribes how cloud providers handle data breaches. "We have not relaxed our positions on things like breach notification, covering the cost related to a breach recovery and response," Starkey says. "We are the ultimate owners of the data and we're just entrusting our data to them."
In the interview, Starkey discusses how Delaware state government:
- Employs encryption;
- Identifies and mitigates risk; and
- Implements the federal government's cybersecurity framework.
Starkey has been Delaware's state chief security officer for 9½ years. She previously served as the chief technology officer of the Department of Technology and Information and chief information officer of the Department of Public Safety.