Cloud Computing Case
7/29/2019 Cloud Computing Case
http://slidepdf.com/reader/full/cloud-computing-case 1/6
Montgomery County Leverages Professional Certifications to Enable Secure Cloud Computing Services
Introduction
Three years ago, Montgomery County IT officials
foresaw the coming fiscal crisis and began looking
at how they could continue to deliver high-
quality but cost-effective access to the enterprise
infrastructure, applications and data required by the
government’s 34 departments and approximately
10,000 employees.
The solution? Cloud computing, whereby end-
users store, manage and process data and access
applications on a network of remote servers
hosted on the Internet, rather than on a local
server or PC. The model has a number of benefits
including flexible costs based on usage, access to
more storage and computing power without the
need for major capital investment, a greater ability
for employees to work remotely, greater flexibility
and the ability for the IT department to shift their
focus to other, higher-priority tasks.
For Montgomery County, the primary benefit
driver was the ability to cut costs without
cutting IT personnel. But the greatest challenge was
security: How to develop an effective security plan
within an industry that, at the time, had essentially
no security standards?
In fact, the 2011 (ISC)2 Global Information
Security Workforce Study, conducted by Frost and
Sullivan, found that while government agencies
are demanding access to more technologies,
there exists a significant gap in the skills needed
to protect these services. The study further
called for more education of information security
specialists to close this gap, specifically imparting
a more detailed technical understanding of cloud
computing, enhanced technical knowledge, and
contract negotiation skills.
Fortunately, Keith Young, the Security Official within
Montgomery County’s IT Department, and his team,
most of whom had been certified under (ISC)2’s
Certified Information Systems Security Professional
(CISSP®) credential, were able to draw on their
fundamental knowledge of security to develop a
plan and an implementation schedule that not only
successfully safeguarded applications and data but
actually improved overall security and compliance.
“Cloud computing requires a change in mindset; and
for us, having that certification always forces us to go
back to the basics of security and think organically
about the challenges,” Young explains. “So you go
back to the elementary tenets of security, keeping
the system simple and looking at user management,
looking at authentication, and putting on that hat
rather than going down a traditional checklist for
desktop security. That, in and of itself, makes the
change in mindset a lot easier, and the challenge
of securing a cloud environment much more
straightforward to address.”
BACK TO BASICS
A major concern for the IT and security team at
Montgomery County is the range of organizations and
missions they must deal with on a daily basis, including
fire, police, recreation, finance, environmental
protection and liquor control. The job also involves
protecting data that is highly regulated. The county’s
Department of Health and Human Services, for
example, deals routinely with information protected
under the Federal Health Information Portability and
Accountability Act (HIPAA) law, while another 19
local agencies handle credit card numbers and take
credit card payments—a situation that requires
compliance with the PCI Data Security Standards.
When Young decided to look into cloud computing,
however, he determined that it would be best to
use the security team as a guinea pig. “We kind of
figured we had better eat our own dog food, so
we migrated about 80 percent of the enterprise
services that my team provides to our departments
out to various cloud vendors—more or less
what I would call best-of-breed—to see what the
challenges were.”
The biggest challenge was clearly security, Young
says, noting that cloud vendors, at that time, had not
yet begun to focus on developing security standards.
“A lot of our discussion initially with these vendors
was, ‘How do you build your security?’” Young
recalls. “They would give us a report showing that
they were accredited under the SAS-70, type-2
audit [a set of auditing standards devised by the
American Institute of Certified Public Accountants
as a way to measure their handling of sensitive
data]. Well, that was so high level and generic that
it didn’t do us any good, so back we went to more
or less a ‘bar napkin’ approach to assessing each
cloud vendor’s information security.”
That’s where the team’s professional credentials
came in. Young is himself a CISSP® as are all but two
members of his team, and they soon fell back on
the fundamentals of security strategy.
“We basically used the knowledge of the
certification to go out and do the research of what
needed to be done for the cloud because there
wasn’t a lot of information available,” Young says.
“So we were able to determine what was realistic
and how we should approach the problem.”
That meant putting away prescriptive tasks like anti-
virus programs and smartphone encryption, and
looking to the organic roots of effective security.
“Not only were we going to be administrators of
this type of solution but also consumers,” Young
explains. “So we were able to go in and say: ‘Here’s
how to do proper setup and configuration of
users, here’s how to look at change control.’ It’s
the fundamentals that become important, not the
specific controls that people are used to doing.”
A key part of their solution was to rely on strong
authentication controls while also setting a policy to
utilize only standard Web-based applications built
specifically for the cloud, rather than trying to transfer
traditional legacy and PC-based applications to
the cloud.
“In this way, a lot of the traditional security concerns
become unnecessary and shifts the mindset in
terms of how you think about risk,” Young says.
It also shifts much of the security burden to the
cloud vendor, who can enjoy economies of scale
by investing once in various security technologies
and controls, and reaping the benefits many times
over. However, the IT team does not rely solely
on the vendor, but instead oversees the process
and utilizes their own appropriate controls and
strategies to ensure that the best security practices
are in place and are always being followed.
LOOKING AHEAD
Moving enterprise-level IT applications to the
cloud worked so well and included such strong
security for the Montgomery County IT team that
within a year, they began approaching department
officials about putting some of their own vertical
applications into the cloud.
One of the earliest projects was one for the
Department of Fire and Rescue, which enabled
emergency medical technicians and paramedics
to input required information while en route to a
call or at the scene. “Traditionally, after they were
done, they would spend 45 minutes standing at the
hospital filling out forms with patient data, vitals,
treatment and so forth,” Young explains. “Now, it’s
automated through the cloud and they no longer
spend all that extra time with their paperwork.”
A year ago, Young and his team started looking at
piloting enterprise applications and how to take
on more collaborative functions, such as email and
document storage, to move them out to the cloud.
After a long study of the performance of those
applications in the new environment, combined
with further research into the security implications
of adding personal and corporate handhelds and
smartphones into the mix, the county now has a
small group of users utilizing cloud-based enterprise
applications. “We’re basically just looking to
continue to ramp up from there,” Young explains.
He notes that one of the conundrums of security is
working with users and departments to give them
the functionality they want without introducing
more risk into the system. The key, he says, is to rely
on certification and education to bring fundamental
security knowledge and tenets to every new
challenge, whether that be cloud computing or
smartphone applications.
“If you say no, people will do it anyway—only
without the benefit of your security expertise,”
Young states, noting the workarounds that
employees came up with and the security problems
that resulted when many organizations instituted a
policy of disabling flash drives. “But by relying on
the basics of security that we developed through
the certification process and continuing education,
and then doing your research and figuring out a way
to meet the organization’s business objectives and
user needs, you have the opportunity to design the
security from the ground up in the most effective
way possible.”