In California, secure file transport goes through the cloud

 


The state hosts its Secure File Transfer service on a private cloud, offering it on a pay-as-you-go basis to government entities and their partners throughout California.

California’s Office of Technology Services began offering secure file transfer services to state partners as early as 2005 in response to growing demands for regulatory compliance with health care and other personal and sensitive information.

“At the time, the data center had nothing to offer,” said Kevin Paddock, who manages Secure File Transfer for the OTS. The office began by implementing SecureTransport from Tumbleweed Communications.

The initial offering worked but was limited in its management capabilities. One of the biggest drawbacks was that it did not support the delegated administration of customer accounts organized under hierarchical business units.


This feature was important because the Office of Technology Services acts as a third-party service provider for state agencies, who are responsible for the security and management of their own data and for vetting and credentialing the partners who have access to it.

“We could not manage and administer every customer account,” Paddock said. “How do we know who these people are?”

In 2008 Tumbleweed merged with Axway, a software-as-a-service company based in Phoenix that began updating SecureTransport to provide more advanced features.

“When I saw what this product could do, I was impressed,” Paddock said. But he still was hampered by the lack of administrative flexibility, which made it difficult for his customers to manage their accounts. “It was almost like buying a major league ball team and only playing the minor league players.”

Fortunately, Axway wanted to exploit the growing market for cloud computing and was eager to accommodate California’s request for more horizontal scalability in its software.

“It is inherently federated,” John Thielens, Axway’s chief cloud services architect, said of the management approach. “As customers come onto the system, people are credentialed” by the OTS. Each customer then is delegated the authority to credential recipients who are authorized to receive the customer’s data through the Secure Transfer Service.

“It’s up to the agency to assign the security level that is needed,” together with the required level of authentication, Thielens said.

Centralization — and customer control

The result is a centralized system for securely managing and sharing information that gives each customer control over the storage, transfer and access of its own data.

“We provide the technology” for the secure transfer, Thielens said, “but not the cloud infrastructure.” The private cloud is hosted in the state’s data center.

The SecureTransport platform supports a variety of authentication schemes depending on customers’ requirements, using common protocols including FTPS, the Secure File Transport Protocol supporting Transport Layer Security and Secure Sockets Layer; HTTPS, the Secure Hypertext Transfer Protocol combined with TLS and SSL; SSH-FTP, an extension of the Secure Shell protocol for file transfer; and SCP, the Secure Copy Protocol based on SSH. Individuals use a stand-alone client to authenticate with servers for transfer.

“On the front end, it’s simple,” Thielens said of the platform. But getting the various security protocols to work efficiently with each other, making the management transparent to the distributed customers and doing encryption on the fly required integration with proprietary technology, he said.

The Office of Technology Services provides a baseline of security for its Secure File Transfer, encrypting the data in the data center with Triple-DES for data at rest and using SSL and SSH for data in transit. Any additional levels of security as well as security outside the data center are provided by the client.

“It’s up to the end user to maintain the security of that data,” at the appropriate level depending on regulations and the type of data involved, Paddock said.

Cloud file transfer benefits

Providing Secure File Transfer as a cloud-based service can help improve security for agencies and create financial savings.

“It allows the centralization of expertise,” Thielens said. In the cloud there is one infrastructure that can be managed and secured by a dedicated staff rather than distributing the task among multiple agencies. “It blends with the economy of scale.”

This is not always apparent to potential users, Paddock said. They have their own security staffs that they are used to depending on. “What they don’t understand is that we can free them up,” by moving some of their responsibilities to the OTS.

The key to making Secure File Transfer a success is persuading customers to use it. The service is available to any state agency, as well as to cities, counties and schools, on a pay-as-you-go basis.

“As long as one of the parties is a California government entity, they can subscribe to the service,” Paddock said. Subscribers then can sign up their own nongovernmental partners such as contractors and vendors to use the service as well.

But the state’s executive branch does not have direct authority over all government entities, so potential customers have to be persuaded to use the service. The service’s first big customer was the Department of Motor Vehicles.

“DMV was the customer who broke it wide open for us,” Paddock said. The department came on board in late 2008, when the system began supporting delegated administration.

“DMV was not a hard sell. They had done their homework,” and were interested in buying the Tumbleweed product for themselves. When they heard about the service being offered through OTS with the Axway successor, they were eager to take advantage of it.

Today, all IT capital plans are reviewed and agencies are directed to the OTS for Secure File Transfer services rather than building their own, although they are not required to use it.

Self-sufficiency

Although OTS still is marketing its service, it now serves 35 state departments with 135 unique business groups and one county, with about 4,300 user accounts. Bringing new customers on board is important because these customers support the office, which receives no money from the state’s general fund.

“We only generate revenue from the services we provide,” Paddock said.

Supporting a system that operates on a cost recovery mode with a broad base of distributed customers was another challenge for Axway, Thielens said. As each new customer is brought on, not only does the data being housed and used by that customer need to be identified and managed, but the data needed for the billing system also must be identified and tracked. Charge-back codes are implemented and usage information is logged and reported for each customer.

In the case of California and Axway, the need of the state to implement a cloud-based system with delegated management matched well with the company’s desire to extend its offerings into a cloud environment. Many of the customizations the state requested have become standard features in Axway’s SecureTransport offering. Paddock said agencies should look for this synergy with vendors.

“If you are shopping for solutions, consider very strongly the vendor-partner relationship,” he said.
