Are rogue cloud users a risk for states?
State IT security programs appear to be swimming against the current when it comes to controlling the use of personal storage by employees and contractors who want to exploit always-connected access to state data, according to a new cloud security brief issued by the National Association of State Chief Information Officers.
“Capitals in the Clouds Part IV — Cloud Security: On Mission and Means” focuses on the key security concerns faced by state CIOs and their security staffs as they incorporate the cloud delivery model into the tools they use to support state services and protect and maintain state data.
For instance, in February 2012, the state of Delaware queried other state chief information security officers on their policies toward the use of online file storage sites. Sixteen states responded to Delaware’s inquiry. Although the majority of states do not explicitly forbid external storage use, all CISOs believe there is significant risk in the uncontrolled use of these services, the NASCIO security brief states.
“A number of states are allowing individual agencies to establish policies, with the expectation that those agencies that are routinely dealing with sensitive data will tightly control or forbid external storage,” the brief states. “From an enterprise perspective, both policy-based and technical controls have been implemented in efforts to manage or constrain use.”
A number of states are identifying approved solutions that adequately protect data according to its assigned level of sensitivity. But even the states that have taken the strongest positions disallowing use see significant pushback from agencies, and most allow business exceptions to established policies, according to the NASCIO security brief.
Cloud computing represents a big opportunity to drive down costs through the use of IT while enhancing service, said Dugan Petty, NASCIO president and CIO for the state of Oregon. “But we cannot forget security requirements or be beguiled by too-easy solutions,” Petty said.
States must continue communicating and sharing approaches and experiences with cloud adoption and learn from federal and corporate partners as security requirements for cloud computing are defined and clarified, the brief states.
“Capitals in the Clouds Part IV” also discusses states’ initial cloud projects and emphasizes that engaging external cloud services involves significant risks if new services have not been properly vetted by state security staffs or are oversold on the basis of misunderstood requirements.
“A lot of states may find that their security postures are actually enhanced by cloud solutions, but that won’t happen by accident,” said Dave Taylor, Florida’s CIO and chair of the NASCIO Security and Privacy Committee. “The brief points out some of the pitfalls states need to avoid,” Taylor said.
The brief concludes with recommendations to ensure that states maximize the opportunities afforded by cloud computing, while minimizing risks.