California IT Security Officials Still Wary of Cloud Computing

A panel of government chief information security officers at the Managing Technology conference talk about the risks of cloud computing and the need for background checks.

by / March 19, 2010

Photo: Dale Jablonsky, CIO, California Employment Development Department. Photo by GMP Digital

SACRAMENTO, Calif. -- How secure is sensitive data that's hosted offsite? Should IT workers and contractors be required to pass background checks? Will legislation ever catch up to the nonstop momentum that pushes technological advances?

These and other topics were discussed at the Managing Technology conference Thursday, March 18. On-hand to share their expertise and experiences were Nevada Chief Information Security Officer (CISO) Christopher Ipsen, California CISO Mark Weatherford, Los Angeles County CISO Robert Pittman, and Dale Jablonsky, CIO of the California Employment Development Department.

"Public trust is what we're all about," Jablonsky said. Governments must protect citizens' private information, such as Social Security numbers, addresses and health information, before databases are hacked and the press gets wind. "It's up to the government to prevent those headlines."

The panel seemed to conclude that there aren't clear-cut answers for exactly how to do that, as legal requirements vary by state and new technologies constantly add more work to already overburdened IT departments. But one common answer to the complex issues seems simple enough: drive awareness about the value of data protection.

Of course, awareness will never be enough, and legislation may be needed for real change to occur, the officials said. For example, California's higher education system once tracked students by their Social Security numbers, and even printed those numbers on student identification cards. But with the passage of SB 25 in 2004, which prohibited making identification data publicly accessible, those unsecure methods changed, Weatherford said.

Recently Weatherford wrote the security standard guidelines that were incorporated into California's telework policy. The standards had to be strict enough to mean something, he said, but "it's a fine line between being overly dictatorial and having appropriate security measures in place."

According to Ipsen, writing laws to "encourage people to do the right thing" like its encryption law, seems to work. The encryption law applies to any Nevada business that collects an individual's first name or initial and last name, plus Social Security number, employee identification number, driver's license number, credit/debit card number, or financial account number with any required security code.

"It's the only law in the last legislative session that had 100 percent approval," Ipsen said.

Pittman points to L.A. County's mobile device standards, which are constantly catching up to the latest gizmos. There are standards specific to smartphones, such as BlackBerrys and Windows mobile devices, he said.

Background Checks Needed?

Some areas of state government have potential privacy holes, however, including California's policy against conducting background checks for IT workers and others with access to sensitive data. Weatherford acknowledges the potential compromise and notes that state employment conditions need to change in that respect.

Data security workers are the watchers, he said, but who's watching the watchers? "Really, a lot of the 'nasties' that can happen are us," he said. For instance, while Weatherford was the CISO of Colorado, an employee was terminated after it was discovered that she was on parole after recently getting out of jail for embezzlement. That security risk could have been avoided if the state mandated background checks, he said.

Another can of worms -- a phrase often repeated during the session -- is cloud computing. While Ipsen loves the concept, he's wary of external controllers that could be offshore. If there's a data breach on foreign soil, what level of enforcement do U.S. agencies have, he asked. "The risk model there starts to accelerate," Ipsen said.

Weatherford agreed that cloud computing is too ambiguous at this point to trust with citizens' personal information. He compared the concept of putting data in the cloud to dropping your kids off at day care, only to phone later and be told they're not there, but will be back at 4 p.m.

"This is the topic du jour," he said, adding while there are financial incentives to cloud computing, questions about its vulnerability need to be asked up front and policies created. "The laws have not nearly kept up."



Karen Wilkinson

Karen is a former staff writer for Government Technology magazine.

Platforms & Programs