Achieving a Successful "Cloud Smart" Strategy
Govciooutlook

Achieving a Successful "Cloud Smart" Strategy

By Andy Hanks, Chief Information Security Officer, State of Montana

Andy Hanks, Chief Information Security Officer, State of Montana

What are some of the more widely prevalent challenges that you notice in the Cloud Space?

Security is the first challenge that comes to mind when considering cloud service adoption. Prospective cloud service adopters should not assume that security is built into the cloud or that security it is no longer their concern when they transition to the cloud. Organizations must carefully consider data classification and regulatory requirements that may limit how their data should be transmitted, processed, and stored. Security in the cloud is a shared responsibility between the cloud service adopter and the cloud service provider; however, the cloud service adopter should always retain ownership of their data. Security teams classically trained to secure on-premise computing need to be appropriately trained to secure cloud computing. Organizations should have specific clauses in their contracts for adopting cloud services that address all these concerns as well as right to audit and periodically review the cloud service provider’s applicable certifications and attestations of compliance. Even though security responsibilities shift depending on the cloud service model utilized, an organization’s security team should retain responsibility for ensuring their organization’s data is properly protected. Other challenges in adopting cloud services include costs and governance. Comparing costs between on-premise and cloud services is not as straight forward as it may appear. Costs can be allocated differently between on-premise and cloud service models, and one could end up comparing apples and oranges without realizing it. The first place I would invest any cost savings realized by transitioning to cloud services would be into cloud security training for the security team. Governance is another challenge when adopting cloud computing. Many organizations find themselves managing multiple cloud service providers and losing perspective of how their data is being transmitted, processed, and stored. Organizations must carefully consider the appropriate cloud service provider and cloud service model for each unique business problem while maintaining enterprise vision. Losing strategic focus on these elements could negatively impact the business through inefficient use of assets and inappropriate allocation of resources.

"Many government enterprises have adopted a cloud-first approach but Montana’s looks at being cloud-smart"

What are some of the predominant trends in the Cloud space?

Cloud adoption has been growing exponentially over the last ten years, most organizations have at least some services delivered from the cloud. The enterprises technologies I have seen experiencing the most growth in this space are mobile, social, and collaborative applications; making it easier for organizations to deliver services directly to their clients by shifting those consumer-facing services to the cloud. Many vendors are transitioning their legacy solutions from on-premise to the cloud, and in some cases, offering more functionality in their cloud solutions. Adoption of cloud services can be driven by local infrastructure, business objectives, market competition, and consumer base; however mobile, social, and collaborative uses of cloud services are ubiquitous to all organizations.

 

Could you shed some light on the approach that you follow while choosing the right solution provider?

Many organizations have adopted either a cloud-first or a cloud-last philosophy, the State of Montana has adopted a cloud-smart approach to consuming cloud services. Cloud-smart means considering the strategic implications of the proposed cloud solution: (1) does the business problem require: (a) on-demand self-service, (b) broad network access, (c) resource pooling, (d) rapid elasticity, and (e) measured service; (2) does the proposed cloud solution meet our security, privacy, and regulatory requirements; (3) does the proposed cloud solution align with our IT strategic plan; (4) can we achieve governance of the proposed cloud solution; and (5) does our private cloud match or exceed the proposed cloud solution. Our Chief Technology Officer, Matt Van Syckle, and his team have built an exceptional private cloud-offering in our data centers, so in practice, we typically will only adopt Software as a Service (SaaS) solutions since our private cloud meets or exceeds most of these requirements. Our Chief Financial Officer, April Grady, and her team have implemented savings, transparency, and governance that have enabled our private cloud solutions to be cost-effective alternatives to most other cloud solutions.

What are the strategic points that you go by to steer the company forward?

In July of 2018, our Chief Information Officer, Tim Bottenfield, established a “Service First” philosophy throughout the State Information Technology Services Division (SITSD). This means that every employee in SITSD is continuously focused on service to our clients, which include State agencies and Montana citizens. Tim rebranded the names of our organizations under the CFO, CTO, and CISO as Business Services, Technology Services, and Security Services. This organizational nomenclature helps us all be mindful of our commitment to “Service First”. Over the last two years, Tim established a foundation for SITSD that is grounded in five guiding principles: fiscal responsibility, shared services, cybersecurity, digital government, and a service-first. SITSD builds on this foundation to provide standardized, strategic, secure, and state-of-the art IT to advance the efficiency and delivery of government services to citizens.

How would you see the evolution a few years from now with regard to disruptions and transformations within the arena?

When we look at what smart phones could do ten years ago compared to what they can do today, it is hard to imagine what they will be able to do in ten more years; but it is easy to imagine that cloud services will play a major role in their evolution. Cloud computing can transform the way organizations deliver services to their clients. Mobile, social, and collaborative applications are already benefiting from cloud computing and they will continue to mature over time. Enterprise applications will extend offerings to any customer, using any device, anywhere on the planet; and competition between organizations will intensify, driving differentiators such as customer service, user experience, and functionality. Organizations will need to embrace the proper cloud service model to enable their business to compete in a market where technology is no longer limited to their in-house technical expertise, but instead is only limited by their creativity and innovation in utilizing cloud services to further their business objectives. I think more interoperability and transparency from cloud service providers is the catalyst that is needed to reach the next evolution of cloud services.

What would be the single piece of advice that you could impart to your colleagues to excel in this space?

Cloud computing is not an all-purpose solution with built-in security, information technology and security leaders must carefully consider the business problem they are trying to solve and the strategic implications for implementing any technical solution. Too often, organizations lose their holistic perspective when selecting a technology to solve a single business problem, these decisions should not be made in a vacuum, rather they should be made with an enterprise vision and focus on key integration points and governance of enterprise information technology. Many times business will come to IT procurement with a predetermined technical solution. Instead of approving or rejecting the proposed technical solution on its own merits, IT procurement should ask the business what problem they are trying to solve. An organization’s IT, security, and business must partner together to understand the business problem and identify the technical solution that aligns with the IT strategic plan and the organization’s risk appetite.

Weekly Brief

Top 10 Security Solution Companies - 2020

Read Also

The Digital Transformation Playbook

The Digital Transformation Playbook

Jon Townsend, CIO, National Trust
Time to Pop the

Time to Pop the "Bubble of Trust"

Paul jones, CIO, city of west palm Beach,FL
Achieving a Successful

Achieving a Successful "Cloud Smart" Strategy

Andy Hanks, Chief Information Security Officer, State of Montana
The Challenges of Cloud Adoption

The Challenges of Cloud Adoption

Michael Mayta, CIO, City of Wichita Kansas
Importance of User Authentication with Cloud Services

Importance of User Authentication with Cloud Services

George Khalil, CIO, City of Riverside
Paving Ways for a Smart Traveler

Paving Ways for a Smart Traveler

Bill Taylor, CIO & Deputy Director, Ohio Department of Transportation