Earlier this week it was announced than an international hacker had successfully made off with over 3 million social security numbers and almost 400,000 credit and debit card numbers from the state of South Carolina. State and local governments have collectively spent billions of dollars trying to secure their data systems. In spite of this investment, a hacker was able to identify and exploit a weak spot in their armor. As public sector budgets are continuing to shrink, there is pressure to add more software applications to automate tasks and lower costs; increasing pressure to cut costs on security for these applications; and increasing pressure to extend the life of less secure and aging legacy computer applications. The result is that our government agencies are at increasing risk of successful cyber-terrorism through a greater number of applications, lower security standards, and aging applications that should be replaced.
How could South Carolina and other state and local governments cost-effectively protect vital citizen, business and government records? The answer comes from an emerging private-sector technology: cloud computing.
A Quick Backgrounder on Cloud Computing
Cloud computing enables organizations to migrate their computer applications and/or associated data to servers on the internet.
A simple example is SkyDrive (www.skydrive.com) from Microsoft. If you get a SkyDrive account, you can store documents, images and data online. Data that would normally be stored on your local computer, on a memory stick or on a corporate server, can now be stored on a virtual hard drive hosted by Microsoft. You can access this data anywhere, you don’t need to worry about backups, and you leave the security to Microsoft. SkyDrive also enables you to edit your documents using web versions of Word, Excel or PowerPoint in the cloud – those applications do not need to be on your local computer.
The cloud now includes applications for infrastructure as a service (Iaas), platform as a service (PaaS) and software as a service (SaaS). Infrastructure includes the core technology “plumbing” that every organization needs as a foundation such as email servers, data storage and backups. Platform as a service provides new application development platforms in the cloud, allowing public sector organizations to develop their own fully-customized applications in the cloud. Software as a service refers to the availability of the day-to-day software applications that state and local governments need to run their organizations in the cloud (the reference in the preceding paragraph to the Microsoft Office applications is an example of SaaS).
Microsoft isn’t the only game in town when it comes to cloud computing either. Salesforce.com, Google, Amazon.com and many other large players offer a full array of cloud computing options covering all three of the service areas outlined above. In other words, it is now possible for public sector organizations to migrate 100% of their data centers to the cloud.
For a more detailed primer on the cloud, click here.
Security, the Public Sector and Cloud Computing
So what does cloud computing have to do with improved security at the state and local government level? Every server, every application, every database and every connection in any data center needs to be secured. And security is a constantly moving target. In order to stay on top of security public sector organizations have to employ enough individuals to secure every potential vulnerability, they need to employ enough people to stay on top of evolving security threats and standards, they need to employ the right people to constantly test and improve their security standards. In other words, only the very largest of organizations can afford the appropriate amount of investment required to fully protect their data centers. State and local governments are likely to be particularly vulnerable because they are large enough to present attractive targets to cyber-terrorists, but small enough to have insufficient protections in place to thwart all attacks.
The cloud computing giants, however, employ extremely large security groups. They are constantly evolving their security provisions based on the latest available intelligence. In fact, the success of their business model is linked directly to the success of their security. If security is lacking, then their customer base will quickly find different options.
In state and local government, it can sometimes take weeks or months for a known security breach to be fully resolved. In the recent case of South Carolina, the security breach wasn’t even reported for over two weeks. Who knows how long it will take for all other states to assess, understand, fix and test the breach in their own data centers. In a cloud data center if a breach is detected it can be repaired for all participants in that cloud center at once – taking weeks or even months of risk out of the formula.
What’s more, public sector organizations such as state and local governments and their various institutions such as health and human services, prison management, citizen services and others, can negotiate contracts with their cloud vendors to shift the risk to the private sector. In the case of South Carolina, the government may end up spending millions of taxpayer dollars providing identity theft insurance to their citizens who were impacted by this issue. If there is a breach in security, the government institution and its citizens will be shielded from additional costs – the budget for cloud computing remains flat and predictable regardless of the situation.
Back to the Future: A Case Study in Public Sector Cloud Security
Can the public sector become dependent on private sector partners for something as critical as information technology? If past history is any indication, then the answer is a clear “yes”.
The earliest versions of modern-day IT systems were ink, paper and candles. Governments of all kinds depended on these items to run effectively. But they did not need to employ the producers of these items. Rather, they depended on the private sector to produce these at a reasonable price.
More recently, the introduction of electrical power delivered a technology that the government quickly became reliant upon to improve productivity. If government offices lost their electrical supply for more than a brief period, the results would be disastrous. When electricity was still a cutting-edge technology, it wasn’t clear how the government should manage their electrical needs. As time went by, however, it became clearly that state and municipal governments could plug into the same electrical “cloud” that private citizens and businesses used. If the power goes down, they know that their private sector partners are on the hook to take care of it quickly.
Twenty years from now, we will view computer applications the same way. When a public sector organization needs an IT application, they will plug into the cloud to get it; if it does down or there is a security issue, they will know that their private sector cloud partner is on the hook to take care of it.
Cloudy But No Storms: Getting Started with the State and Local Government Cloud
Jumping into the cloud is not as easy as signing a contract with a cloud partner. Making the move will be an evolutionary process that public sector organizations will gradually evolve into over the next five to twenty years. Here are a few pointers for getting started.
- Start building all applications on cloud-enabled platforms. You don’t have to move applications to the cloud in order to use cloud technologies. There are options for continuing to host applications in your own data center, while building them on the same frameworks that are used in the cloud. This means that when you are ready to move to the cloud you will not have to rewrite your applications – you can simply migrate them.
- Begin with some low-risk applications. Initial public sector applications in the cloud should be those that pose a very low risk in the event that there is a problem. In other words, don’t put critical data into the cloud first. Use these low-risk probes as a way to begin to understand the cloud and iron the wrinkles out prior to moving more mission critical applications.
- Find the proven partners. There are many businesses that are willing to host public sector applications in the cloud, but only those with large security investments should be entrusted with public data. Similarly, public sector organizations need to partner with development firms that have already been using the cloud for many years to help them to navigate into this new territory, develop the next generation of public sector applications, and get their teams trained.
One option that won’t work is business as usual. A new generation of technologies and software has emerged that promises to shore up security risks and lower costs for the public sector. Every state and local government should begin evaluating their options and modernizing their applications to ensure we don’t see more reports of successful cyber-crime in the public sector.