Agencies should only deal with what they can tolerate as a risk, the U.S. Postal Service's Chuck McGann tells a FedScoop audience.
For the U.S. Postal Service, moving applications to the cloud is determined by the data more than anything else, the agency’s chief information security officer told a Washington audience.
“One thing about data: Make sure you understand what is important to you,” said Chuck McGann, the agency's CISO, during a discussion May 2 at FedScoop’s Cloud Shoot-Out and CyberSecurity Summit, held at the Newseum in Washington, D.C.
Agencies should only deal with what they can tolerate as a risk within cloud environments, he said, noting that USPS has data in public and private clouds.
“Think about what you can risk going into the cloud,” McGann said.
The Postal Service has put ZIP code information in the public cloud, giving citizens the ability to look them up. There was no point in USPS storing that information, he said.
However, there should be alternative paths to cloud data if there is a disruption in cloud-based services. For example, the Postal Service has other ways for citizens to get the ZIP code information besides the cloud.
When moving to the cloud, agency managers should establish who is responsible for breaches and exposure. They should establish what kinds of controls exist for the data, such as whether the cloud provider’s environment can be audited. Another aspect to keep in mind is the recovery of encryption keys. Who holds the encryption recovery keys, especially if an agency wants to switch cloud providers?
Before moving data to the cloud, USPS goes thorough a data discovery process to find which data is being used and who owns it. During this process, USPS has discovered data that no longer has owners because people have moved on to different jobs. Now, if data does not have an owner, it is gone, he said.
USPS has all kinds of technology that can make data accessible to employees and citizens. “But it is all about the data,” McGann said. USPS has 330,000 users, so access control is imperative, he added.
“We have to change the culture of people who use and own data,” in the cloud paradigm, controlling access to only the data they need, McGann said.
NEXT STORY: Data.gov launches developer community