Navigating Security Concerns as you Consider Cloud Solutions in State/Local Government
By Bob Rhodes, Vice President of Client Services at MTX
With the ever-increasing threat to our data, how might State Governments innovate using the Cloud?
Many State Agencies and State IT Organizations experience the following weighty constraints:
- Shrinking Central IT budget
- Aging infrastructure
- Lack of current skills
- Aged Application portfolio at the Agency level
- Upgrade / Modernization / Remediation budget concerns
Cloud solutions, if correctly identified and integrated, can ease all of the above constraints. However, the valid question of security must be fully addressed. While security-related questions are valid, the people posing them may not always have the best interests of the State in mind. Be wary of individuals who look to protect the status quo by saying “No” to everything, perhaps going so far as to spread fear amongst the Agencies and central IT. Develop your change management approach in advance.
In my former role as State Chief Technology Officer, one approach I’ve used in laying the groundwork for Cloud-based solutions was forming a true partnership with our head of IT Operations and our Chief Security Officer. The three of us honestly answered the question, “can some of these providers protect and serve our data better than we could ever do ourselves?” The answer was YES. Once we established that truth, we decided to create a short list of such pre-vetted vendors, all of whom exhibited advanced security methodology and industry certifications. Our first such list was very short; the list included Amazon Web Services, Salesforce, and Microsoft. Any subsequent solutions existing wholly within the realm of the short list were granted an automatic exemption from IT staff and InfoSec security concerns. No need to reinvent the process each time by every project manager, IT Architect, or Systems Engineer.
Additionally, you may desire to further strengthen your solution by:
- Insisting on FedRAMP certification
- Insisting that the solution be developed on-shore, with controls to prove it
- Insisting that encryption also covers data at rest
While IT Policy waivers should be viewed as a strategic tool by IT leadership (by the way, IT policy is created by Central IT leadership…), IT Procurement policy may be ‘law’ in your State, and you should adjust your cloud procurement strategy as necessary.