What’s Behind a Secure, Resilient State Cloud Strategy?

As states increasingly adopt cloud services, maintaining security means careful contract negotiation, attention to cloud configuration, and a clear understanding of shared security responsibilities.

December saw major cloud providers suffer outages and disruptions, even while states have been expanding their cloud adoptions. Should states be concerned about these major players? And if not, what does matter for ensuring security and resiliency while embracing cloud?

Government Technology caught up with the Center for Internet Security (CIS), the National Association of Chief Information Officers (NASCIO) and StateRAMP to find out.

The Cloud Giants

Amazon Web Services (AWS) experienced a series of outages in December, with widespread impact along the East Coast, then the West. The Boston Transportation Department was among the disrupted, announcing on Twitter that its parking app was down. AWS isn’t alone in its troubles, with Azure, too, experiencing a December incident that interrupted some users’ abilities to access cloud services.

These kinds of events have sparked concerns overseas. During a September 2021 meeting, U.K. financial regulators said banks’ reliance on a handful of third-party cloud providers for critical services “pose[s] a threat to financial stability,” unless more regulatory oversight is enacted.

But states don’t necessarily need to be afraid of turning to the cloud giants.

For one, outsourcing is often the best path for states, which usually lack the IT staff and intensive resources needed to build and secure their own clouds, said Curtis Dukes, CIS executive vice president and general manager of its best practices and automation group.

And major providers have the budgets to invest heavily in security, said J.R. Sloan, state CIO of Arizona and president of StateRAMP.

“The cloud is inherently more secure because of the investments that cloud providers are making,” Sloan told GovTech. “If you’re working with some of the hyperscale providers … the great thing is they have expertise on their side. They’ve done a lot to invest in the security capabilities and the resiliency of their platforms and they have the expertise to know how to configure it to meet your requirements.”

THE CONFIGURATION MISCONCEPTION

As states migrate to a cloud environment, they must ensure they understand the roles they and their cloud providers will play in monitoring its security, Sloan and Dukes said. That will look different depending on whether states use a public or hybrid cloud, too.

“The misconception revolves around that [idea] that I can just offload my high security responsibilities to the cloud service provider. And it’s simply not the case,” Dukes told GovTech. “The state entity still has responsibilities to protect that data, they’re just using the cloud to augment or facilitate the security for that data.”

Security responsibilities and options will also vary depending on whether the offering is software, infrastructure or platform as a service, Sloan noted.

Providers set up their clouds with standard configurations, and states need to actively check those and ask for tweaks to meet their specific needs, Dukes said. That includes ensuring settings keep data encrypted at rest and in transit and apply the appropriate access controls.

Sloan spoke similarly: “As a state, you need to come knowing, what's my responsibility in this model? What are the things I’m responsible for ensuring I’m doing for proper security and hygiene? What is my responsibility for configuring?”

Misconfigurations are a serious issue, although hyperscalers can often advise about basic security configurations and help monitor for misconfigurations, Sloan said.

MULTICLOUD RESILIENCE

Dukes said states could avoid keeping all their eggs in one basket by relying on multiple cloud providers so that if one goes down, only some — not all — of the state’s cloud operations are disrupted.

But trying to learn to use different clouds at the same time can be overwhelming, and not something states need to tackle from the get-go, Dukes said.

He recommended states focus first on learning the ins and outs of working with a single provider. New adopters need time to see how cloud use changes their workflows and understand the configurations and partner relationships needed to keep everything secure.

Only after nine to 18 months should they start considering diversifying, Dukes said.

“Once you’ve settled on one [cloud provider] and have that up and running and feel very comfortable with that, then I’d look at maybe offloading some of those information resources that you have in the cloud and moving a portion of that to a second cloud provider, for resiliency purposes,” Dukes said.

A multicloud approach sees states use each of their cloud providers to support different services — rather than, say, procuring duplicate services from Azure to serve as a backup should AWS go down. Differences in how each provider’s cloud operates would impede a smooth handoff from one service to its duplicate, Dukes explained.

Cloud resiliency also depends on more than the cloud providers.

Digital services cannot function in an Internet outage, after all, and states should contract several Internet service providers (ISPs) to protect against such an eventuality, Dukes said.

States also need to focus on their abilities to recover after an incident, Sloan said. That can mean keeping backups air gapped or otherwise isolated and regularly scanning the backups for infection.
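The configuration checklist from the previous section (encryption at rest, encryption in transit, appropriate access controls) and the backup isolation and scanning Sloan describes above are the kind of customer-side settings a state can audit mechanically. The following is an added example, not code from the article or from any cloud provider: it audits a constructed inventory of a hypothetical agency's storage resources. The inventory field names, the resource names and the 30-day scan policy are assumptions made for this example; a real audit would populate the inventory from the provider's configuration export.

```python
"""Audit a constructed inventory of cloud storage resources against a
baseline: encrypted at rest, TLS-only access, no public or wildcard access,
and isolated, recently scanned backups.

This is a hypothetical, self-contained example. The field names below are
assumptions for the example, not any provider's actual configuration API.
"""
from __future__ import annotations

# Constructed inventory of a hypothetical state agency's storage resources.
INVENTORY = [
    {
        "name": "permits-data",
        "encrypted_at_rest": True,
        "tls_only": True,
        "public_access": False,
        "allowed_principals": ["role/permits-app", "role/permits-admin"],
        "backup": {"isolated": True, "last_scan_days": 2},
    },
    {
        "name": "legacy-exports",
        "encrypted_at_rest": False,
        "tls_only": False,
        "public_access": True,
        "allowed_principals": ["*"],
        "backup": None,
    },
    {
        "name": "case-archive",
        "encrypted_at_rest": True,
        "tls_only": True,
        "public_access": False,
        "allowed_principals": ["role/archive-reader"],
        "backup": {"isolated": False, "last_scan_days": 45},
    },
]

MAX_SCAN_AGE_DAYS = 30        # assumed policy: backups scanned at least monthly
MAX_PRINCIPALS = 5            # assumed threshold that triggers a least-privilege review
SEVERITY_ORDER = ["medium", "high", "critical"]


def audit_resource(res: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one resource; empty list if compliant."""
    findings: list[tuple[str, str]] = []

    # Encryption at rest and in transit: both are the customer's settings to verify.
    if not res.get("encrypted_at_rest"):
        findings.append(("high", "data not encrypted at rest"))
    if not res.get("tls_only"):
        findings.append(("high", "unencrypted (non-TLS) access permitted"))

    # Access controls: public exposure and wildcard principals are the worst cases.
    if res.get("public_access"):
        findings.append(("critical", "publicly accessible"))
    principals = res.get("allowed_principals", [])
    if "*" in principals:
        findings.append(("critical", "wildcard principal in access policy"))
    elif len(principals) > MAX_PRINCIPALS:
        findings.append(("medium", f"{len(principals)} principals granted access; review least privilege"))

    # Recovery posture: backups should exist, be isolated, and be scanned regularly.
    backup = res.get("backup")
    if backup is None:
        findings.append(("high", "no backup configured"))
    else:
        if not backup.get("isolated"):
            findings.append(("medium", "backup not isolated from production"))
        scan_age = backup.get("last_scan_days", float("inf"))
        if scan_age > MAX_SCAN_AGE_DAYS:
            findings.append(("medium", f"backup not scanned in {scan_age} days"))
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map each non-compliant resource name to its findings."""
    report = {}
    for res in inventory:
        findings = audit_resource(res)
        if findings:
            report[res["name"]] = findings
    return report


def worst_severity(report: dict[str, list[tuple[str, str]]]) -> str | None:
    """Highest severity present in the report, or None if everything is compliant."""
    worst = -1
    for findings in report.values():
        for severity, _ in findings:
            worst = max(worst, SEVERITY_ORDER.index(severity))
    return SEVERITY_ORDER[worst] if worst >= 0 else None


if __name__ == "__main__":
    result = audit_inventory(INVENTORY)
    for name, findings in result.items():
        for severity, message in findings:
            print(f"{severity.upper():9} {name}: {message}")
    print("worst severity:", worst_severity(result))
```

The checks are all on the customer's side of the shared responsibility line: the provider encrypts disks and terminates TLS, but whether a given resource is set to require them, and who is allowed to reach it, is the state's setting to verify. Running this against a periodic inventory export gives a repeatable check rather than a one-time review at migration.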

THE CIO AS BROKER

States are actively turning to multiple providers, with a May 2021 NASCIO survey of 35 states finding CIOs tapping a mean of 22 cloud services providers.

With so many services engaged, CIOs are increasingly relying on contracted or in-house cloud portfolio brokers to manage them all, said Eric Sweden, NASCIO program director of enterprise architecture and governance.

This shift to acquiring technology services over creating them in-house also means CIOs need fewer hard-tech skills and more business skills, Sweden said. Being able to evaluate vendors carefully and craft the right contracts is becoming key to meeting state needs around privacy, security and resiliency.

“Where the skills come in for today's state workforce in the CIO's office, is the ability to write those contract terms and conditions [and] negotiate with our providers,” Sweden told GovTech.

States also need to be sure that cloud procurements go through the CIO’s office, where teams are better prepared to assess contracts for risk management implications.

There are resources to help. StateRAMP, for one, provides lists of vetted cloud vendors, sparing each state from having to do its own assessment and validation. NASCIO, too, recently released a “cloud capability process assessment” tool for states to assess their maturities and paths to improvement.

Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.