Cloud Adoption by Local Government: Promise, Progress and Pitfalls
International Conference on Cloud Security Management
October 17, 2013
Michael Hamilton, CISO, City of Seattle
Local Government
Services that affect quality of life, and life. We'd like them to be there.
PUBLIC IT TODAY
• Desktop
• Network
• Help Desk
• Server
• Development
• Security
• Procurement
• Telephony
Many of these are the same roles sought by SBUX, AMZN, MSFT, etc. They have this, though (next slide) >>
PUBLIC IT TOMORROW
• Security
• Procurement
• Legal
• Audit
We already buy more than we build, and the evolution is underway to develop IT resources into new roles.
LOCAL GOVERNMENT AND THE CLOUD
• Disaster recovery and business continuity – DDoS readiness
• Security through collective intelligence
• SaaS: very clear value – oversight needed
• Starting to store more sensitive data
• Remember what happened to L.A.
THE SHARED SERVICE MODEL
• A separate finance system for each local jurisdiction is not a good use of our taxes
• Inter-local agreements
• Regional monitoring
• King County data center
• IBM Smarter Cities initiative
PRISEM History
PRISEM: Public Regional Information Security Event Management
• DHS S&T funding to initiate; five grants total
• Participants contribute firewall logs, netflow, and botnet alerts (Einstein); arbitrary devices under monitoring
• Commercial SIEM infrastructure at UW APL
• Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children's Hospital; Snohomish PUD
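The "security through collective intelligence" value of pooling members' logs in one SIEM can be shown concretely: a botnet/C2 alert raised by one participant's sensor becomes an indicator that is checked against every other participant's netflow, so a detection anywhere in the region protects all members. The following is an added example written for this page, not PRISEM's or the City's code. The record layouts, member names used as log fields, and all sample lines are constructed for the example; they are not Einstein or PRISEM formats.

```python
"""Cross-participant indicator correlation over pooled security logs.

Added example, not PRISEM code: one member's botnet/C2 alert is checked
against every other member's netflow, so a detection anywhere in the region
protects everyone. The record layouts and all sample lines below are
constructed for this example; they are not Einstein or PRISEM formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, Iterable, List

# Constructed botnet alerts: <utc time> <participant> <alert type> dst=<C2 address>
BOTNET_ALERTS = [
    "2013-10-15T09:12:03Z seattle  botnet-c2 dst=198.51.100.23",
    "2013-10-15T11:40:51Z kitsap   botnet-c2 dst=203.0.113.77",
    "2013-10-15T11:41:00Z kitsap   port-scan dst=203.0.113.78",
]

# Constructed netflow summaries: <utc start> <participant> <src> <dst> <dport> <bytes>
NETFLOW = [
    "2013-10-15T09:15:44Z bellevue 10.20.4.17 198.51.100.23 443  18211",
    "2013-10-15T09:30:02Z bellevue 10.20.4.17 192.0.2.10    80   912",
    "2013-10-16T02:01:19Z redmond  10.44.1.9  198.51.100.23 8080 5023",
    "2013-10-15T12:05:00Z kitsap   10.9.0.3   203.0.113.77  443  4410",
    "2013-10-14T08:00:00Z lynnwood 10.3.7.21  203.0.113.77  443  3300",
]


@dataclass(frozen=True)
class Indicator:
    ip: str
    reporter: str          # participant whose sensor raised the alert
    first_seen: datetime


@dataclass(frozen=True)
class Hit:
    participant: str       # member whose netflow matched someone else's indicator
    internal_host: str
    indicator: str
    reporter: str
    flow_time: datetime


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def parse_alerts(lines: Iterable[str]) -> Dict[str, Indicator]:
    """Turn botnet-c2 alerts into an indicator table keyed by C2 address.

    Only botnet-c2 alerts become indicators; other alert types are ignored.
    If several members report the same address, the earliest sighting wins.
    """
    indicators: Dict[str, Indicator] = {}
    for line in lines:
        stamp, who, kind, dst = line.split()
        if kind != "botnet-c2":
            continue
        ip = str(ip_address(dst.split("=", 1)[1]))  # rejects malformed addresses early
        seen = parse_time(stamp)
        current = indicators.get(ip)
        if current is None or seen < current.first_seen:
            indicators[ip] = Indicator(ip, who, seen)
    return indicators


def correlate(indicators: Dict[str, Indicator], netflow: Iterable[str],
              lookback: timedelta = timedelta(days=7)) -> List[Hit]:
    """Find other members' internal hosts that talked to a reported C2 address.

    Flows from the reporting member are skipped (its own sensor already
    fired). Flows are searched retrospectively back to `lookback` before the
    indicator's first sighting, and forward without limit.
    """
    hits: List[Hit] = []
    for line in netflow:
        stamp, who, src, dst, _dport, _nbytes = line.split()
        ind = indicators.get(dst)
        if ind is None or who == ind.reporter:
            continue
        when = parse_time(stamp)
        if when < ind.first_seen - lookback:
            continue
        hits.append(Hit(who, src, dst, ind.reporter, when))
    return sorted(hits, key=lambda h: (h.indicator, h.flow_time))


def affected_members(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Indicator -> sorted members (other than the reporter) that touched it."""
    out: Dict[str, set] = {}
    for h in hits:
        out.setdefault(h.indicator, set()).add(h.participant)
    return {ip: sorted(members) for ip, members in out.items()}


if __name__ == "__main__":
    for h in correlate(parse_alerts(BOTNET_ALERTS), NETFLOW):
        print(f"{h.participant}: {h.internal_host} -> {h.indicator} "
              f"(reported by {h.reporter}) at {h.flow_time:%Y-%m-%d %H:%M}")
```

The retrospective window matters: Lynnwood's flow to the Kitsap-reported address predates the alert by a day and is only surfaced because the search looks back before the first sighting. Kitsap's own matching flow is deliberately not reported back to Kitsap, whose sensor is what produced the indicator.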
CoS (City of Seattle) CLOUD EXAMPLES
• Postini, now FOPE, for e-mail security
• VRSN DDoS protection
• Office 365 on deck
• Video streaming
• Over 65 SaaS applications
• data.seattle.gov
• Health data warehouse analytics
UNDER INVESTIGATION
• Development using PaaS
• Cloud as SAN
• Data analytics with sensitive information
• The Smart Grid and energy consumption data
• Why not IaaS?
• Competition for OpenStack coders
POLICY UNDERPINNINGS
• Vendor requirements
  • Must demonstrate product security
  • That data center SAS 70 (a controls audit of the hosting facility, since superseded by SSAE 16 / SOC 1) won't do it
• Changes to procurement language
  • RFP and contract focused on vendor requirements
• Data classification and storage policy
  • Confidential, Sensitive, Public
BARRIERS AND PROBLEMS
• BYOC (bring your own cloud) and the Internet shelf
  • Whitelisting all but impossible
  • File sync services as example
• Nth parties and regulatory requirements
  • HITECH Act
• Security and continuity
  • Got SIEM?
• Public disclosure and e-discovery
Web App Authentication Context Diagram
Types of users: City employees; regional government partners; constituents
Types of devices: smartphones, cell phones, laptops, netbooks, tablets
Applications, in increasing order of required authentication strength (trust level from Low to Really High):
• Seattle.gov and Data.Seattle.gov (Low)
• Facebook (make a comment)
• CRM (request service)
• Portal (PEP) (personalize a page)
• Crowdsourcing (advocate/rank)
• E-payment apps (pay a bill)
• Customer accounts (change my info)
• SCADA control (open a floodgate) (Really High)
Authentication strength scale: Low, Medium, High, Really High
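The diagram's point is that one policy enforcement point serves everything from anonymous page reads to control-system actions, and must pick the authentication strength per action rather than per site. The following is an added example written for this page, not the City of Seattle's code. The four trust levels and the sample applications are taken from the diagram; the authenticator that satisfies each level, the tier assigned to the middle applications, the population ceilings, and the rule that only employees on City-managed devices may reach Really High are assumptions made for the example.

```python
"""Authentication-strength decisions for a web-app policy enforcement point.

Added example, not the City of Seattle's code. The four trust levels and the
sample applications come from the context diagram; the authenticator that
satisfies each level, the Medium/High placement of the middle applications,
the population ceilings and the managed-device rule are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Trust(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    REALLY_HIGH = 3


# Action -> trust level it requires. Low and Really High follow the diagram;
# the Medium/High placements are this example's assumption.
REQUIRED: Dict[str, Trust] = {
    "seattle.gov:read": Trust.LOW,
    "data.seattle.gov:read": Trust.LOW,
    "facebook:comment": Trust.LOW,
    "crm:request_service": Trust.MEDIUM,
    "portal:personalize": Trust.MEDIUM,
    "crowdsourcing:rank": Trust.MEDIUM,
    "epay:pay_bill": Trust.HIGH,
    "accounts:change_info": Trust.HIGH,
    "scada:open_floodgate": Trust.REALLY_HIGH,
}

# Authenticator -> level it establishes, ordered weakest to strongest (assumed).
AUTHENTICATOR_LEVEL: Dict[Optional[str], Trust] = {
    None: Trust.LOW,                 # anonymous
    "social_login": Trust.LOW,
    "password": Trust.MEDIUM,
    "password+otp": Trust.HIGH,
    "smartcard": Trust.REALLY_HIGH,
}

# Highest level each user population may reach (assumed): constituents and
# partners never reach Really High, however they authenticate.
POPULATION_CEILING: Dict[str, Trust] = {
    "constituent": Trust.HIGH,
    "partner": Trust.HIGH,
    "employee": Trust.REALLY_HIGH,
}


@dataclass(frozen=True)
class Session:
    population: str
    authenticator: Optional[str]   # None = not logged in
    managed_device: bool           # City-managed endpoint vs. personal device


@dataclass(frozen=True)
class Decision:
    outcome: str                   # "allow", "step_up" or "deny"
    required: Trust
    reason: str
    step_up_to: Optional[str] = None


def weakest_authenticator_for(level: Trust) -> str:
    """Lowest-friction authenticator that reaches `level`."""
    for auth, lvl in AUTHENTICATOR_LEVEL.items():
        if auth is not None and lvl >= level:
            return auth
    raise ValueError(f"no authenticator reaches {level.name}")


def decide(session: Session, action: str) -> Decision:
    """Decide per action; fail closed by treating unknown actions as Really High."""
    required = REQUIRED.get(action, Trust.REALLY_HIGH)
    ceiling = POPULATION_CEILING.get(session.population, Trust.LOW)
    if required > ceiling:
        return Decision("deny", required,
                        f"{session.population} cannot reach {required.name}")
    if required == Trust.REALLY_HIGH and not session.managed_device:
        return Decision("deny", required, "Really High requires a managed device")
    have = AUTHENTICATOR_LEVEL[session.authenticator]
    if have >= required:
        return Decision("allow", required, f"{have.name} satisfies {required.name}")
    return Decision("step_up", required, f"{have.name} is below {required.name}",
                    step_up_to=weakest_authenticator_for(required))


if __name__ == "__main__":
    resident = Session("constituent", "password", managed_device=False)
    for action in ("seattle.gov:read", "epay:pay_bill", "scada:open_floodgate"):
        d = decide(resident, action)
        print(f"{action}: {d.outcome} ({d.reason})"
              + (f", step up via {d.step_up_to}" if d.step_up_to else ""))
```

Two design choices are worth noting. A step-up is only offered when the user's population can actually reach the required level, so a constituent is denied the floodgate outright rather than being prompted for a credential that would not help. Unknown actions default to the strongest tier, which keeps a newly deployed application from being reachable at Low until someone classifies it.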
STUFF THE CLOUD CAN'T HAVE
• Control systems
• 911 and CAD/RMS
• Critical infrastructure information
• Regulated information
• Anything exempt from public disclosure
  • So incident data with metadata is a nonstarter
OPPORTUNITIES
• Regionalized shared services
  • IaaS/PaaS meet inter-local agreements
• Desktop services – VDI in the cloud
• Cloud forensics service
• More video streaming and archive service
  • Traffic cameras
  • For those awesome City Council meetings
  • PD body cameras?
WHAT WILL IT TAKE?
• Better reliability – we are not a start-up
• Humane rules on unauthorized disclosure
• Interfaces for public disclosure and e-discovery
• Improved standards for vendors to meet, as a competitive differentiator
Applications that help us govern better, use resources more wisely, and create efficiencies that are reflected in savings.
LOCAL GOVERNMENT AS MARKET
• There are 89,003 of us
• We require security as a market force
• Authentication, encryption, auditing if you want our good stuff
• Better analytical interfaces
• Public disclosure and e-discovery pain abatement
LASTLY, I WILL POINT OUT…
• Mass exodus to the cloud reduces the number of points of attack and increases the efficiency of threat activity
• Largest DDoS attack: 191 Gbps
• An organized crime operation may be sharing physical hardware with your server
My Contact Information (for one more week)
Michael Hamilton, Chief Information Security Officer, City of Seattle
[email protected]
206.684.7971 (D)