NASCIO's 12 tips to states considering the cloud
For state CIOs, cloud technology offers a way to improve system efficiency, reduce costs, and enhance service delivery. Moving to the cloud, however, is not without issues, and doing it well demands careful consideration and direct involvement from state CIOs.
To that end, the National Association of State Chief Information Officers (NASCIO) recently released a report on the issues related to cloud privacy and security.
“The general state approach to cloud adoption has been in the development of private cloud solutions and in the migration to enterprise email solutions in both private and public cloud scenarios,” NASCIO explained in the report. “In these initiatives, states are learning from each other.”
Beyond this state-to-state collaboration, individual agencies within the state infrastructure are aligning as cloud computing is examined. “All of this activity is converging on a developing government strategy for maturing and harvesting the value of cloud computing,” according to NASCIO.
To support this strategy, NASCIO outlined twelve recommendations for state CIOs as they move to the cloud. State leaders must:
- Mobilize internal support for cloud adoption through education and awareness, while clearly articulating the new security and privacy risks
- Weigh the benefits and risks of cloud computing in terms of cost versus security and privacy concerns
- Continue to temper expectations about savings opportunities and to examine risks and requirements
- Educate policy makers on the differences between consumer cloud requirements versus the industrial-strength requirements of state government
- Examine the state’s standard terms and conditions for procurement and consider modifications to address cloud computing
- Communicate and educate government officials on the terms of service presented and assumed for third-party cloud services
- Start with a private cloud solution where state data is highly sensitive, so that protection is in place early in the adoption process
- Develop an enterprise security policy that controls unauthorized use of cloud services while enabling legitimate business needs
- Continually scan network traffic to uncover the use of unauthorized cloud services; work to determine the reasons for non-compliance and the use of unauthorized cloud services
- Consider a cloud broker approach: develop roles specific for cloud management, like “broker” and “service portfolio manager” to enhance security and efficiency
- Work with the federal government to develop common interpretation of security requirements so that comprehensive cloud requirements can be identified and relied upon
- Stay tuned to the Federal Risk and Authorization Management Program (FedRAMP) as it evolves and as it approves vendors; the program will provide a list of approved cloud providers that states beginning their adoption can rely on
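The recommendation to scan network traffic for unauthorized cloud services is the one item in the list that is a concrete technique rather than a policy, so here is an added example of what that scan looks like in practice. This is illustrative code written for this article, not NASCIO's or any state's tooling. The proxy log format, the catalog of cloud-service domains, the sample log lines and the assumption that Microsoft 365 is the one sanctioned service (the report mentions states migrating to enterprise email) are all constructed for the example.

```python
"""Added example: flag proxy traffic to cloud services the state has not sanctioned.

Everything below (log format, service catalog, sanctioned list, sample lines)
is constructed for illustration; none of it comes from NASCIO's report.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed catalog: registrable domain (or a more specific host) -> service name.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive (consumer)",
    "office365.com": "Microsoft 365",
    "outlook.com": "Microsoft 365",
    "s3.amazonaws.com": "Amazon S3",
    "wetransfer.com": "WeTransfer",
}

# Assumption for the example: the state's enterprise security policy sanctions
# Microsoft 365 for email and nothing else. Any other catalog hit is unauthorized.
SANCTIONED = {"Microsoft 365"}


@dataclass
class Finding:
    """One unsanctioned service, aggregated across all log lines that hit it."""
    service: str
    requests: int = 0
    bytes_out: int = 0                        # bytes the clients sent (uploads)
    clients: set = field(default_factory=set)  # who to follow up with
    hosts: set = field(default_factory=set)


def classify_host(host: str):
    """Map a hostname to a catalog entry by whole-label suffix matching.

    'files.dropbox.com' matches 'dropbox.com', but 'dropbox.com.phish.example'
    does not: the comparison walks label boundaries rather than substrings, so
    look-alike hosts are not mistaken for the real service.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # most specific suffix first
        candidate = ".".join(labels[i:])
        if candidate in CLOUD_SERVICES:
            return CLOUD_SERVICES[candidate]
    return None


def parse_line(line: str):
    """Parse one constructed proxy log line of the form
    '<time> <client_ip> <method> <url-or-host:port> <bytes_from_client>'.
    Returns None for blank or malformed lines so one bad line does not stop the scan.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, target, size = parts
    if method == "CONNECT":               # TLS tunnel: only host:port is visible
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    try:
        size = int(size)
    except ValueError:
        return None
    return {"time": ts, "client": client, "method": method, "host": host, "bytes": size}


def find_unsanctioned(lines, sanctioned=SANCTIONED):
    """Return Findings for every catalog service outside the sanctioned set,
    largest upload volume first (the usual place to start asking why)."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None or service in sanctioned:
            continue
        f = findings.setdefault(service, Finding(service))
        f.requests += 1
        f.bytes_out += rec["bytes"]
        f.clients.add(rec["client"])
        f.hosts.add(rec["host"])
    return sorted(findings.values(), key=lambda f: f.bytes_out, reverse=True)


# Constructed sample log: sanctioned email, two file-sharing services, a
# look-alike domain, an internal host and one line of garbage.
SAMPLE_LOG = """\
2013-05-06T09:12:05Z 10.20.30.41 CONNECT outlook.office365.com:443 4096
2013-05-06T09:13:11Z 10.20.30.41 CONNECT files.dropbox.com:443 52428800
2013-05-06T09:14:02Z 10.20.30.77 POST https://www.wetransfer.com/api/upload 20971520
2013-05-06T09:15:30Z 10.20.30.41 CONNECT dropbox.com.phish.example:443 1200
2013-05-06T09:16:00Z 10.20.31.5 CONNECT drive.google.com:443 10485760
2013-05-06T09:16:45Z 10.20.30.77 GET http://www.dropbox.com/home 512
2013-05-06T09:17:00Z 10.20.31.5 CONNECT intranet.state.example:443 800
garbage line
""".splitlines()


if __name__ == "__main__":
    for f in find_unsanctioned(SAMPLE_LOG):
        print(f"{f.service}: {f.requests} requests, {f.bytes_out} bytes out, "
              f"clients={sorted(f.clients)}, hosts={sorted(f.hosts)}")
```

Two points the report's wording glosses over: most of this traffic is TLS, so a proxy or DNS log only exposes hostnames, which is why the classifier works on hostnames rather than URLs; and the per-client aggregation is what turns a detection into the follow-up the report asks for, since knowing which offices are uploading to which services is what lets you find out why a sanctioned alternative was not used.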
The FedRAMP program referenced in the final tip was established by the Office of Management and Budget. FedRAMP “provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services,” according to NASCIO’s report.
Beyond keeping an eye on FedRAMP, NASCIO urged states to stay aware of the changing requirements and the lessons that emerge as cloud adoption proceeds.
“This report has provided a discussion of some of the issues regarding cloud security and privacy,” NASCIO explained. “The discussion will continue going forward as new lessons are learned and new requirements arrive.”