In California, secure file transport goes through the cloud
California’s Office of Technology Services began offering secure file transfer services to state partners as early as 2005 in response to growing demands for regulatory compliance with health care and other personal and sensitive information.
“At the time, the data center had nothing to offer,” said Kevin Paddock, who manages Secure File Transfer for the OTS. It began by implementing SecureTransport from Tumbleweed Communications.
The initial offering worked but was limited in its management capabilities. One of the biggest drawbacks was that it did not support the delegated administration of customer accounts organized under hierarchical business units.
Secure cloud service: If you build it, you have to sell it.
Security worries can hinder cloud adoption, House panel is told
In moving to the cloud, NASCIO advises, 'buyer beware'
This feature was important because the Office of Technology Services acts as a third-party service provider for state agencies, who are responsible for the security and management of their own data and for vetting and credentialing the partners who have access to it.
“We could not manage and administer every customer account,” Paddock said. “How do we know who these people are?”
In 2008 Tumbleweed merged with Axway, a software-as-a-service company based in Phoenix that began updating SecureTransport to provide more advanced features.
“When I saw what this product could do, I was impressed,” Paddock said. But he still was hampered by the lack of administrative flexibility, which made it difficult for his customers to manage their accounts. “It was almost like buying a major league ball team and only playing the minor league players.”
Fortunately, Axway wanted to exploit the growing market for cloud computing and was eager to accommodate California’s request for more horizontal scalability in its software.
“It is inherently federated,” John Thielens, Axway’s chief cloud services architect, said of the management approach. “As customers come onto the system, people are credentialed” by the OTS. Each customer then is delegated the authority to credential recipients who are authorized to receive the customer’s data through the Secure Transfer Service.
"It’s up to the agency to assign the security level that is needed,” together with the required level of authentication, Thielens said.
Centralization — and customer control
The result is a centralized system for securely managing and sharing information that gives each customer control over the storage, transfer and access of its own data.
“We provide the technology” for the secure transfer, Thielens said, “but not the cloud infrastructure." The private cloud is hosted in the state’s data center.
The SecureTransport platform supports a variety of authentication schemes depending on customers’ requirements, using common protocols including FTPS, the Secure File Transport Protocol supporting Transport Layer Security and Secure Sockets Layer; HTTPS, the Secure Hypertext Transfer Protocol combined with TLS and SSL; SSH-FTP, an extension of the Secure Shell protocol for file transfer; and SCP, the Secure Copy Protocol based on SSH. Individuals use a stand-alone client to authenticate with servers for transfer.
“On the front end, it’s simple,” Thielens said of the platform. But getting the various security protocols to work efficiently with each other and making the management transparent to the distributed customers, as well as doing encryption on the fly required integration with proprietary technology, he said.
The Office of Technology Services provides a baseline of security for its Secure File Transfer, encrypting the data in the data center with Triple-DES for data at rest and using SSL and SSH for data in transit. Any additional levels of security as well as security outside the data center are provided by the client.
“It’s up to the end user to maintain the security of that data,” at the appropriate level depending on regulations and the type of data involved, Paddock said.
Cloud file transfer benefits
Providing Secure File Transfer as a cloud-based service can help improve security for agencies and create financial savings.
“It allows the centralization of expertise,” Thielens said. In the cloud there is one infrastructure that can be managed and secured by a dedicated staff rather than distributing the task among multiple agencies. “It blends with the economy of scale.”
This is not always apparent to potential users, Paddock said. They have their own security staffs that they are used to depending on. “What they don’t understand is that we can free them up,” by moving some of their responsibilities to the OTS.
The key to making Secure File Transfer a success is persuading customers to use it. The service is available to any state agency, as well as to cities, counties and schools, on a pay-as-you-go basis.
“As long as one of the parties is a California government entity, they can subscribe to the service,” Paddock said. Subscribers then can sign up their own nongovernmental partners such as contractors and vendors to use the service as well.
But the state’s executive branch does not have direct authority over all government entities, so potential customers have be persuaded to use the service. The service’s first big customer was the Department of Motor Vehicles.
“DMV was the customer who broke it wide open for us,” Paddock said. The department came on board in late 2008, when the system began supporting delegated administration.
“DMV was not a hard sell. They had done their homework,” and were interested in buying the Tumbleweed product for themselves. When they heard about the service being offered through OTS with the Axway successor, they were eager to take advantage of it.
Today, all IT capital plans are reviewed and agencies are directed to the OTS for Secure File Transfer services rather than building their own, although they are not required to use it.
Although OTS still is marketing its service, it now serves 35 state departments with 135 unique business groups and one county, with about user 4,300 accounts. Bringing new customers on board is important because these customers support the office, which receives no money from the state’s general fund.
“We only generate revenue from the services we provide,” Paddock said.
Supporting a system that operates on a cost recovery mode with a broad base of distributed customers was another challenge for Axway, Thielens said. As each new customer is brought on, not only does the data being housed and used by that customer need to be identified and managed, but the data needed for the billing system also must be identified and tracked. Charge-back codes are implemented and usage information is logged and reported for each customer.
In the case of California and Axway, the need of the state to implement a cloud-based system with delegated management matched well with the company’s desire to extend its offerings into a cloud environment. Many of the customizations the state requested have become standard features in Axway’s SecureTransport offering. Paddock said agencies should look for this synergy with vendors.
“If you are shopping for solutions, consider very strongly the vendor-partner relationship,” he said.