
Cloud Adoption by Local Government: Promise, Progress and Pitfalls International Conference on Cloud Security Management October 17, 2013 Michael Hamilton.

Dec 23, 2015


Amie Shepherd
Transcript
Page 1: Cloud Adoption by Local Government: Promise, Progress and Pitfalls

International Conference on Cloud Security Management

October 17, 2013

Michael Hamilton, CISO, City of Seattle

Page 2: Local Government

Services that affect quality of life, and life

We’d like them to be there

Page 3: CRITICAL INFRASTRUCTURE

It’s good business sense!

Page 4: PUBLIC IT TODAY

• Desktop
• Network
• Help Desk
• Server
• Development
• Security
• Procurement
• Telephony

Many of these are the same roles sought by SBUX, AMZN, MSFT, etc.

They have this though >>

Page 5: PUBLIC IT TOMORROW

• Security
• Procurement
• Legal
• Audit

We already buy more than we build, and the evolution is underway to develop IT resources into new roles

Page 6: LOCAL GOVERNMENT AND THE CLOUD

• Disaster recovery and business continuity – DDOS readiness
• Security through collective intelligence
• SAAS very clear value – oversight needed
• Starting to store more sensitive data
• Remember what happened to L.A.

Page 7: THE SHARED SERVICE MODEL

• A separate finance system for each local jurisdiction is not a good use of our taxes
• Inter-local agreements
• Regional monitoring
• King County data center
• IBM Smarter Cities initiative

Page 8: PRISEM

Public Regional Information Security Event Management

Page 9: PRISEM History

• DHS S&T funding to initiate; Five grants total
• Participants contribute firewall logs, netflow, botnet alerts (Einstein); arbitrary devices under monitoring
• Commercial SIEM infrastructure at UW APL
• Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children’s Hospital, Snohomish PUD

Page 10: CoS CLOUD EXAMPLES

• Postini, now FOPE for e-mail security
• VRSN DDOS protection
• Office 365 on deck
• Video streaming
• Over 65 SAAS applications
• data.seattle.gov
• Health data warehouse analytics

Page 11: UNDER INVESTIGATION

• Development using PAAS
• Cloud as SAN
• Data analytics with sensitive information
• The Smart Grid and energy consumption data
• Why not IAAS?
• Competition for OpenStack coders

Page 12: POLICY UNDERPINNINGS

• Vendor requirements
• Must demonstrate product security
• That data center SAS-70 won’t do it
• Changes to procurement language
• RFP, Contract, focused on vendor reqs
• Data classification and storage policy
• Confidential, Sensitive, Public

Page 13: BARRIERS AND PROBLEMS

• BYOC and the Internet shelf
• Whitelisting all but impossible
• File sync services as example
• Nth parties and regulatory requirements
• HITECH Act
• Security and continuity
• Got SEIM?
• Public disclosure and E-Discovery

Page 14: Web App Authentication Context Diagram

[Diagram. Labels recovered from the slide:]

Types of Users: City Employees, Regional Gvmt Partners, Constituents

Types of Devices: Smartphones, Cell phones, Laptops, Netbooks, Tablets

Applications: Facebook (make a comment), CRM (request service), Portal (PEP) (personalize a page), Epayment apps (pay a bill), Data.Seattle.gov, Seattle.gov, Crowdsourcing (advocate/rank), Customer Accounts (change my info), SCADA control (open a floodgate)

Axis labels: Trust level; Authentication Strength

Levels: Low, Medium, High, Really High

Page 15: PUBLIC DISCLOSURE

Page 16: STUFF THE CLOUD CAN’T HAVE

• Control systems
• 911 and CAD/RMS
• Critical infrastructure information
• Regulated information
• Anything exempt from public disclosure
• So incident data with metadata is a nonstarter

Page 17: OPPORTUNITIES

• Regionalized shared services
• IAAS/PAAS meet inter-local agreements
• Desktop services - VDI in the cloud
• Cloud forensics service
• More video streaming and archive service
• Traffic cameras
• For those awesome City Council meetings
• PD body cameras?

Page 18: WHAT WILL IT TAKE?

• Better reliability - we are not a start-up
• Humane rules on unauthorized disclosure
• Interfaces for public disclosure and e-disc
• Improved standards for vendors to meet, as a competitive differentiator

Applications that help us govern better, use resources more wisely, and create efficiencies that are reflected in savings

Page 21: LOCAL GOVERNMENT AS MARKET

• There are 89,003 of us
• We require security as a market force
• Authentication, encryption, auditing if you want our good stuff
• Better analytical interfaces
• Public Disclosure and E-Discovery pain abatement

Page 22: LASTLY, I WILL POINT OUT…

• Mass exodus to the cloud reduces the number of points of attack and increases the efficiency of threat activity
• Largest DDOS attack 191Gbps
• An organized crime operation may be sharing physical hardware with your server

Page 23: My Contact Information (for one more week)

Michael Hamilton
Chief Information Security Officer
City of Seattle
[email protected]
206.684.7971 (D)