local government goes google

Local GovernmentGoes Google

Brig Otis, IT Security

Office of Information Technology

IntroductionIntroduction

• In October 2010 Multnomah CountyIn October, 2010, Multnomah County migrated over 3,600 county employees to Google Apps Government EditionGoogle Apps Government Edition.

• One of the first local governments nationwide to use cloud based email andnationwide to use cloud-based email and calendaring services.


IntroductionIntroduction

• Brig Otis IT SecurityBrig Otis, IT Security• Dan Cole, Project Manager

St J h I f t t M• Stan Johnson, Infrastructure Manager


AgendaAgenda

• Why Google?Why Google?• Implementation Team

V d M t• Vendor Management• Implementation Considerations• End Users• MigrationMigration• Support Plan


Why Google?Why Google?

• Budget ShortfallsBudget Shortfalls• Growing Demand for IT Services

A i E t i E il S t• Aging Enterprise Email System


Implementation TeamImplementation Team

• Core TeamCore Team– PM plus Subteam Leaders

Subteams• Subteams– Technical

C– Communications– Security– Training– Contracting



• End Users (county employees)End Users (county employees)• Cloud Service Team

S t I t t• System Integrator

• Technical Steering Committee



• Security ConsiderationsSecurity Considerations– Representation

Core and Subteam communications– Core and Subteam communications– System Integrator

• Responsibilities• Responsibilities• Product/Service Maturity• Cryptographic controlsCryptographic controls• Development and Support Processes• Change Control


Vendor ManagementVendor Management

• ContractingContracting– References to dynamic policies at URLs

SLA– SLA• DR

Exit strategy– Exit strategy• Data Escrow• OwnershipOwnership

– Data Classification (yours; not theirs)• Encryption


yp

Vendor ManagementVendor Management

• ContractingContracting– Change Management

• Musical Features• Musical Features– Provider Certification

• Understand the certification (the package)Understand the certification (the package)• Does not certify your use of the service

– Example: Sharing of Google Objects


Vendor ManagementVendor Management• Advanced PlanningAdvanced Planning

– Time– Get the actual support team involvedGet the actual support team involved – Project management methodology

• Security Considerations– Unauthorized access– Breach of confidentiality– Laws and regulations


Implementation ConsiderationsImplementation Considerations

• Paradigm ShiftParadigm Shift– Control Set (technical controls)

• Built-in• Built-in• Design yourself

– Organizational Policy (administrative controls)Organizational Policy (administrative controls)– Refresh organizational consciousness



• Fit With Existing TechnologyFit With Existing Technology– Authentication/Authorization Mechanisms

Dual Delivery– Dual Delivery– Internet Connectivity

Endpoints (including Mobile Devices)– Endpoints (including Mobile Devices)– Directory Services

Wh t t / h ?• What to expose / how?– MCSO free/busy calendar synchronization



• Fit With Technology RoadmapFit With Technology Roadmap– Mobile Strategy

Identity Management– Identity Management– Other Cloud Services

Network Convergence– Network Convergence



• Fit With Existing ProcessesFit With Existing Processes– Basic Account Management

• Integration with HR/Payroll• Integration with HR/Payroll– Work Unit Communications

Shared Calendars– Shared Calendars– Shared Inboxes


Implementation ConsiderationsImplementation Considerations• Fit With Existing ProcessesFit With Existing Processes

– Security Considerations• Identity lifecycle issues

– accounts– inboxes– calendars– other cloud-based objects and artifacts

• Data in Transit– TLS / Encryption

• Confidentiality and Availability (user-managed content)• Unauthorized Access due to sharing



• Fit With CultureFit With Culture– What is the nature of the data?

How information systems are used– How information systems are used (information handling)

– Security Policy governing use of Google Apps– Security Policy governing use of Google Apps


End UsersEnd Users

• Security Responsibilities are IncreasedSecurity Responsibilities are Increased• Awareness Training

C t D t t l P li• County Departmental Policy– Departmental Business Processes

• End User/Department Security Concerns– Portable Media– Operations - Patch Management– Economies of Scale


MigrationMigration

• Phase: Pilot ProgramPhase: Pilot Program– Security Considerations

• Early adopters running too far too fast• Early adopters running too far too fast– Including Privileged Users (Admins)

• Representation of Security and other IT leaders in the Pilot


MigrationMigration

• Phase: Planning/PreparationPhase: Planning/Preparation– Communications (time to overcommunicate)

Training (classes using the SAaS)– Training (classes using the SAaS)– Support

• Self help• Self-help• Google Guides - Staff & Googlers• Core TeamCore Team

– Load Testing


MigrationMigration• Phase: Planning/PreparationPhase: Planning/Preparation• Security Considerations

– Awareness TrainingAwareness Training– Consistent Organizational Message– Accurate ResponsesAccurate Responses– Accidental Deletion of Data– Old thinking; new Process Issuesg;– How much Analysis is Enough? – Dialog with Other Departments (fit)


g p ( )

MigrationMigration

• Phase: Dress RehearsalPhase: Dress Rehearsal• Phase: Big Move

S it C id ti– Security Considerations• Unplanned ISP outage• Out of band communications• Out of band communications

• Phase: Decommission


Support PlanSupport Plan• Service AdministrationService Administration

– All or Nothing– Google Apps Marketplace - abstract theGoogle Apps Marketplace abstract the

admin layer– Who to Trust?

• Trust But Verify model– Does not impede work– Provides an audit trail– In active state, it monitors for privileged rights use

– User Inboxes (Postini)


Support PlanSupport Plan

• Service AdministrationService Administration– Security Considerations

• Privileged Access• Privileged Access– Confidentiality– Availability of Systems

• Email archives available to admins?– Unauthorized (unintended) access

• Transparency• Transparency– Admin Activity– User Activity



• Account AdministrationAccount Administration– Integration with Directory Services

• GAL• GAL• Accounts• Groupsp

– License Limitations– User Terminations (end-of-life)User Terminations (end of life)

• Transference of Google Artifacts



• Account AdministrationAccount Administration– Security Considerations

• Accidental deletion of data• Accidental deletion of data• Account sharing• Transparencyp y



• Customization and AutomationCustomization and Automation– Have programming support available

• Technical Control Set• Technical Control Set• APIs

– Your organization is uniqueYour organization is unique• No cloud service is a universal answer

– You will customize– Your organization will change


QuestionsQuestions


local government goes google

Technology

information systems

security otis

ssecurity considerations

migration phase

support processes

actual support team

band communications

google apps marketplace