Essential services provided by state and local government agencies rely on sensitive information stored in databases and files and processed by various applications. Protecting such information is essential for demonstrating that government agencies are trustworthy stewards of personal and private information. Almost every state has data breach notification laws requiring agencies and businesses to notify residents if their information has been accessed by unauthorized parties. By then, however, the damage may have already been done.
Remember Joe the Plumber? The McCain/Palin 2008 presidential campaign used Joe Wurzelbacher (a.k.a. Joe the Plumber) as a foil to slam Barack Obama’s economic policies as bad for the middle class. An employee at Ohio’s Department of Job and Family Services used state computers to search for information on the Buckeye state’s newest political sensation. This simple and likely harmless action resulted in a new Ohio law mandating civil and criminal penalties for improper access of personal information on state databases.
Contrast that minor incident with the 2012 data breach in South Carolina that resulted in the theft of approximately 3.6 million Social Security numbers and information on 387,000 credit and debit card accounts. An investigation found that two things could have prevented the hacking: the encryption of stored data and requiring the use of more than one password to log into the system remotely.
No doubt this major hack tightened up South Carolina’s security policies. But not enough. In December, a Department of Employment and Workforce (DEW) employee was fired for possibly exposing the personal information of thousands of current employees. The employee allegedly downloaded the personal information of 4,658 current and former DEW employees to a personal device, possibly exposing payroll information, Social Security numbers and bank account information.
Can Cloud Computing Help?
State and local governments have shown reluctance in moving applications and data into the cloud. A primary reason is concern over security. As a consequence, governments miss out on the other cloud benefits: scalable compute and storage infrastructure built on current products and technologies, with data back-up and disaster recovery, maintained by expert personnel in a facility other than their own.
The cloud computing industry is in a state of constant evolution and improvement, driven by competitive necessity. That includes security. The question is not whether the cloud is a secure place, but whether the cloud services provider (CSP) maintains a secure environment that’s adaptable to customer-specific requirements. Not all are. And some who claim that they are may not adhere to best practices for ensuring infrastructures will always remain secure and compliant with governing regulations and requirements.
Local and state governments owe it to themselves to evaluate cloud options and CSPs, even if they have no immediate plans to migrate to the cloud. That will provide a baseline for comparison to their own current IT infrastructure, policies and processes, as well as help them assess the state of the industry when they are ready to integrate cloud services at a later time.
What to Look for
Compliance and Security: Various industries and governing agencies subject the handling of critical data, personal data in particular, to a litany of regulatory requirements. Remaining compliant and current with them is a full-time job. With every major breach, the inclination of regulatory bodies is to clamp down tighter still. It’s a vicious cycle without end.
The first sign of a security- and compliance-minded CSP is that it submits to annual independent examinations under the SSAE 16, ISAE 3402 and AT-101 audit standards. While not always germane to government, compliance with the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA/HITECH) and Sarbanes-Oxley (SOX) demonstrates that the CSP has taken the steps necessary to serve customers subject to strict security standards.
Transparency: A CSP should have no secrets from customers. This includes its audit reports and its security policies and procedures, as well as its availability and performance service level commitments. Prospective customers need to know where the CSP stores data in order to assess the potential for jurisdictional issues.
A CSP that owns, operates and maintains its own IT and cloud infrastructure is generally preferable to one that does not. So much the better if it operates multiple, geographically dispersed data centers. That CSP is in control of its own destiny and that of its customers. The same applies to the services provider behind a reseller. Transparency may be even more important when an intermediary is involved, and the reseller should be open about which provider it provisions its services from.
Infrastructure: Assume nothing. Review all aspects of infrastructure. Obvious areas are network capacity, redundancy and security; data storage and back-up; and compute capacity. Ask who the CSP’s product and technology partners are. This says a great deal about the quality and integrity of its systems, and about what its maintenance processes are.
Physical infrastructure is no less important. Capabilities to look for include:
- Highly redundant power distribution system with Uninterruptible Power Supplies (UPS) and generators to back up commercial power
- Highly efficient cooling that ensures consistent temperature and humidity levels at all times
- Proximity card access with PIN required to enter the building
- Proximity card access with biometric (fingerprint) scan required
- Secured hardware
- Video surveillance cameras throughout
- On-site, trained staff 24/7/365
Flexibility: A majority of public cloud providers have fixed product and services offerings and a self-provisioning service model. Customers adapt to what’s offered, whether or not it’s the best solution for their particular needs now and as needs evolve.
Clearly, this model suits a number of organizations, agencies and businesses. What it does not provide, however, is a knowledgeable collaborator to assist with cloud strategy and designing a tailored implementation. Customers are not likely to find professional staff with current and relevant hardware, software and network certifications at their disposal, or local accountability to resolve issues quickly.
We mentioned earlier that this industry is rapidly evolving. It can be a tough place to go it alone. Having people available to answer questions and, equally important, to ask questions about making a customer’s investment work harder can be an invaluable service.
Additional Services: Starting small and incrementally adding services as comfort increases is how many customers ease into cloud computing. It’s a journey. Find a CSP with a broad range of services and capabilities to stay and grow with. For example, server management and monitoring, data back-up, cloud-delivered desktops or disaster recovery protection may not be on the radar today, but may be services worth considering in the future.