
Cloud Computing Case


7/29/2019 Cloud Computing Case

http://slidepdf.com/reader/full/cloud-computing-case 1/6


Montgomery County Leverages Professional Certifications to Enable Secure Cloud Computing Services

Introduction

Three years ago, Montgomery County IT officials foresaw the coming fiscal crisis and began looking at how they could continue to deliver high-quality but cost-effective access to the enterprise infrastructure, applications and data required by the government’s 34 departments and approximately 10,000 employees.

The solution? Cloud computing, whereby end-users store, manage and process data and access applications on a network of remote servers hosted on the Internet, rather than on a local server or PC. The model has a number of benefits, including flexible costs based on usage, access to more storage and computing power without the need for major capital investment, a greater ability for employees to work remotely, greater flexibility, and the ability for the IT department to shift its focus to other, higher-priority tasks.

For Montgomery County, the primary benefit driver was the ability to cut costs without cutting IT personnel. But the greatest challenge was security: how to develop an effective security plan within an industry that, at the time, had essentially no security standards?

In fact, the 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost and Sullivan, found that while government agencies are demanding access to more technologies, there exists a significant gap in the skills needed to protect these services. The study further called for more education of information security specialists to close this gap, specifically imparting a more detailed technical understanding of cloud computing, enhanced technical knowledge, and contract negotiation skills.

Fortunately, Keith Young, the Security Official within Montgomery County’s IT Department, and his team, most of whom had been certified under (ISC)2’s Certified Information Systems Security Professional (CISSP®) credential, were able to draw on their fundamental knowledge of security to develop a plan and an implementation schedule that not only successfully safeguarded applications and data but actually improved overall security and compliance.


“Cloud computing requires a change in mindset; and for us, having that certification always forces us to go back to the basics of security and think organically about the challenges,” Young explains. “So you go back to the elementary tenets of security, keeping the system simple and looking at user management, looking at authentication, and putting on that hat rather than going down a traditional checklist for desktop security. That, in and of itself, makes the change in mindset a lot easier, and the challenge of securing a cloud environment much more straightforward to address.”

BACK TO BASICS

A major concern for the IT and security team at Montgomery County is the range of organizations and missions they must deal with on a daily basis, including fire, police, recreation, finance, environmental protection and liquor control. The job also involves protecting data that is highly regulated. The county’s Department of Health and Human Services, for example, deals routinely with information protected under the Federal Health Information Portability and Accountability Act (HIPAA) law, while another 19 local agencies handle credit card numbers and take credit card payments—a situation that requires compliance with the PCI Data Security Standards.

When Young decided to look into cloud computing, however, he determined that it would be best to use the security team as a guinea pig. “We kind of figured we had better eat our own dog food, so we migrated about 80 percent of the enterprise services that my team provides to our departments out to various cloud vendors—more or less what I would call best-of-breed—to see what the challenges were.”

The biggest challenge was clearly security, Young says, noting that cloud vendors, at that time, had not yet begun to focus on developing security standards. “A lot of our discussion initially with these vendors was, ‘How do you build your security?’” Young recalls. “They would give us a report showing that they were accredited under the SAS-70, type-2 audit [a set of auditing standards devised by the American Institute of Certified Public Accountants as a way to measure their handling of sensitive data]. Well, that was so high level and generic that it didn’t do us any good, so back we went to more or less a ‘bar napkin’ approach to assessing each cloud vendor’s information security.”


That’s where the team’s professional credentials came in. Young is himself a CISSP®, as are all but two members of his team, and they soon fell back on the fundamentals of security strategy.

“We basically used the knowledge of the certification to go out and do the research of what needed to be done for the cloud because there wasn’t a lot of information available,” Young says. “So we were able to determine what was realistic and how we should approach the problem.”

That meant putting away prescriptive tasks like anti-virus programs and smartphone encryption, and looking to the organic roots of effective security.

“Not only were we going to be administrators of this type of solution but also consumers,” Young explains. “So we were able to go in and say: ‘Here’s how to do proper setup and configuration of users, here’s how to look at change control.’ It’s the fundamentals that become important, not the specific controls that people are used to doing.”

A key part of their solution was to rely on strong authentication controls while also setting a policy to utilize only standard Web-based applications built specifically for the cloud, rather than trying to transfer traditional legacy and PC-based applications to the cloud.

“In this way, a lot of the traditional security concerns become unnecessary, and it shifts the mindset in terms of how you think about risk,” Young says.

It also shifts much of the security burden to the cloud vendor, who can enjoy economies of scale by investing once in various security technologies and controls, and reaping the benefits many times over. However, the IT team does not rely solely on the vendor, but instead oversees the process and utilizes its own appropriate controls and strategies to ensure that the best security practices are in place and are always being followed.

LOOKING AHEAD

Moving enterprise-level IT applications to the cloud worked so well and included such strong security for the Montgomery County IT team that within a year, they began approaching department officials about putting some of their own vertical applications into the cloud.


One of the earliest projects was one for the Department of Fire and Rescue, which enabled emergency medical technicians and paramedics to input required information while en route to a call or at the scene. “Traditionally, after they were done, they would spend 45 minutes standing at the hospital filling out forms with patient data, vitals, treatment and so forth,” Young explains. “Now, it’s automated through the cloud and they no longer spend all that extra time with their paperwork.”

A year ago, Young and his team started looking at piloting enterprise applications and how to take on more collaborative functions, such as email and document storage, to move them out to the cloud. After a long study of the performance of those applications in the new environment, combined with further research into the security implications of adding personal and corporate handhelds and smartphones into the mix, the county now has a small group of users utilizing cloud-based enterprise applications. “We’re basically just looking to continue to ramp up from there,” Young explains.

He notes that one of the conundrums of security is working with users and departments to give them the functionality they want without introducing more risk into the system. The key, he says, is to rely on certification and education to bring fundamental security knowledge and tenets to every new challenge, whether that be cloud computing or smartphone applications.

“If you say no, people will do it anyway—only without the benefit of your security expertise,” Young states, noting the workarounds that employees came up with and the security problems that resulted when many organizations instituted a policy of disabling flash drives. “But by relying on the basics of security that we developed through the certification process and continuing education, and then doing your research and figuring out a way to meet the organization’s business objectives and user needs, you have the opportunity to design the security from the ground up in the most effective way possible.”
