As chief information security officer (CISO) for the state of Georgia, Mark Reardon is intimately involved with cloud computing security. His job is a delicate one: to assess risk and balance it against the needs of state employees and citizens, while remaining in line with federal compliance regulations and best practices. Given that charge, it's easy to imagine the word 'no' passing his lips regularly.
In reality, however, the opposite is true. Reardon doesn't see himself as standing in the way of technology movements like cloud computing. Rather, he sees his role as ushering them in, in the safest way possible. Here he talks about how the state of Georgia -- specifically its executive branch, which is headed by the governor's office -- is taking advantage of cloud computing while mitigating risk.
SearchCIO.com: Can you talk a little bit about how you're utilizing the cloud?
Reardon: We're moving over [to the cloud] what we call public-facing information sites. We want that content to be accurate, but it's also not life or death; it's not financial damage. If it gets corrupted, the big impact is that it's embarrassing. We don't want to be embarrassed, but you have to balance that with the cost aspect.
If I can lower my costs on these low-impact
In my agency we use Software as a Service for continuity of operations planning. No matter what happens, the state needs to have its critical functions operational. That is all run by a vendor out of state. If something happens here, different agencies can log into that machine and execute their plans. If the data center is offline or down, you're basically dead in the water and you're not taking care of your citizens. So, we use it to help us with those types of requirements. It also is a more cost-effective way for us to run that particular application. The vendor supports it and applies patches when they do upgrades or fixes, and we simply log in and use it.
What guides your decision making when it comes to cloud computing security?
Before we make any decision, we follow the Risk Management Framework, created by the National Institute of Standards and Technology, of the Federal Information Security Management Act. Operating any computing system has a risk. And then there's an impact if you don't operate them, so the business has to look at that as part of the overall risk associated with delivering a service. If you put it into that context, now you can start making decisions, and tying them to your budget and your other needs.
Going back to continuity of operations: We used to run that software in the state, but found that it was actually much cheaper doing it at the vendor's location. It allowed state agencies to share one instance of the software. There were a bunch of pluses to it. Then I had to look at what kind of information is in there; and if it gets exposed, am I exposing people to identity fraud? The answer there was no. It would have a negative impact only if it got corrupted at the same time we had a disaster. You have to look at all of the different threats and weigh them, and decide which risks you're willing to accept.
How is 'the business' involved in cloud computing security and other risk management decisions?
A lot of this comes down to something we all like to talk about, but very few get involved with: How do you do your IT governance? I work in our governance and planning division, and we try to get the agencies to make these decisions at the business level. That's the state of Georgia approach -- it's not uniform, and I've worked at organizations in the past where security decisions were made by the security officer, who could just say, "No, we're not going to use the cloud," and the business just had to toe the line. I've also worked at organizations where the business ignored security, then said to the security officer, "Go make it secure." That doesn't work very well either, because you're trying to apply security to the decision after the fact.
Our belief is, the major component of security we're talking about is information risk management, and that needs to be considered by the business when they're considering all the other risks. And another part of it is the requirements for compliance. They're different considerations; they have a lot of related information, but they get managed in a different way.
The next step is managing the residual risks and deciding, do I try and eliminate those risks, reduce those risks, accept those risks? Can I transfer that risk to someone else, say through a contract with a vendor or buying insurance? Those decisions are business decisions, and that's where I look at the cloud. If I run into a regulatory issue and I just can't make the decision, I can't go to the cloud. If I'm looking at it from a risks perspective because the regulatory requirements have all been met, then it's a business decision.
Is there any area where the cloud computing security risk is so great that you'll never 'go there'?
No options are off the table. We will approach these decisions based on the types of information involved, and the protections afforded by the cloud provider. 'Never' indicates a very long time. I have been in computers for 34 years and remember the days before the PC. I programmed computers with 1K of memory or less. If you work in the computer industry, the one constant is change.
As a security officer for a state, my role does not include denying the future. My role is to enable the state to make informed decisions regarding information risk. From personal cell phones in the workplace to outsourced services in their various forms, my job is to understand the implications and provide proper counsel to the decision makers.
Let us know what you think about the story; email Karen Goulart, Features Writer.