Cloud Security and Privacy for eGov

By Laurie Head
AIS Network Vice President

As we embark on a path toward cloud hosting for state government, I’ve been in search of solid resources that will help inform our new role as a contracted hosting provider to support Virginia’s eGov Services.

The National Association of State Chief Information Officers has been very helpful in this regard. If you haven’t seen their site, take a look now. NASCIO is an excellent resource for information about state government and technology, and they have made available a wide range of publications for download.

I particularly like NASCIO’s series of reports about leveraging cloud technology. These reports — four so far — are designed for state chief information officers (CIOs) and other senior IT decision-makers, and they highlight the cloud’s potential for reducing costs, optimizing system efficiencies, and enhancing overall service delivery. They are as follows:

  • Capitals in the Clouds Part IV – Cloud Security: On Mission and Means (May 2012)
  • Capitals in the Clouds Part III – Recommendations for Mitigating Risks: Jurisdictional, Contracting and Service Levels (December 2011)
  • Capitals in the Clouds – The Case for Cloud Computing in State Government Part II: Challenges and Opportunities to Get Your Data Right (October 2011)
  • Capitals in the Clouds – The Case for Cloud Computing in State Government Part I: Definitions and Principles (June 2011)

For a discussion of issues related to cloud privacy and security, last month’s report (May 2012) is excellent in its examination of how individual agencies within the state infrastructure are coming together and how “all of this activity is converging on a developing government strategy for maturing and harvesting the value of cloud computing.” The authors use Delaware and Michigan as examples.

Further, the report outlines 12 recommendations for state CIOs moving toward the cloud. According to NASCIO, state IT leaders must:

  1. Mobilize internal support for cloud adoption through education and awareness, while clearly articulating the new security and privacy risks.
  2. Weigh the benefits and risks of cloud computing in terms of cost versus security and privacy concerns.
  3. Continue to temper expectations about savings opportunities and to examine risks and requirements.
  4. Educate policy makers on the differences between consumer cloud requirements and the industrial-strength requirements of state government.
  5. Examine the state’s standard terms and conditions for procurement and consider modifications to address cloud computing.
  6. Communicate and educate government officials on the terms of service presented and assumed for third-party cloud services.
  7. Start with a private cloud solution first, particularly where state data is highly sensitive.
  8. Develop an enterprise security policy that controls unauthorized use of cloud services while enabling legitimate business needs.
  9. Expect compliance issues and scan network traffic continually to uncover the use of unauthorized cloud services.
  10. Consider a cloud broker approach (i.e., develop roles specific for cloud management, like “broker” and “service portfolio manager” in ways that will enhance security/efficiency).
  11. Work with the federal government to develop a common interpretation of security requirements so that comprehensive cloud requirements can be identified and relied upon.
  12. Stay tuned to the Federal Risk and Authorization Management Program (FedRAMP) as it evolves and leverage approved vendors (i.e., the program will provide a list of approved cloud providers for states beginning their cloud strategy).

Thanks to NASCIO for offering some very valuable research. I encourage you to read the report. Let me know what you think by commenting here.
