Governments Take Different Paths to Cloud Security

Carl Purdy is used to making special trips to handle a variety of IT issues. Although he may have to venture out from time to time, the IT Manager of Jefferson County, Montana, says he no longer has to drive across the county to manage security servers.

About two years ago, Purdy moved security management from physical servers running Panda’s antimalware product to the cloud. Today, he relies on Panda Cloud Office Protection, a cloud security service that lets him connect via the web and renew virus definitions. That’s much easier than the previous system, which required Purdy to travel throughout the county to manage the security on servers, desktops and notebooks.

“I can sit at my dining room table, which is 30 miles from my office, and take care of whatever needs to be taken care of,” Purdy says. “If a user gets a new notebook, I just send them an e-mail with instructions to click on a link. When they do, it automatically installs the antimalware products on the notebook with all of our credentials set. I never need to have their notebook in my hands.”

“Security is always up to date and installed with the protection I want, with the ports open and closed that I want open and closed,” he says. “It’s much easier to manage.”

For any organization with software, infrastructure or platforms in the cloud, it’s critical to identify threats and vulnerabilities in real time so they can be acted on and resolved quickly, says Renell Dixon, a managing director at PricewaterhouseCoopers, a global consultancy firm.

“When you’re talking about the cloud, the window of opportunity between the time a threat is located and the time you are fully protected is very small,” she says. “It’s important to put something in place that manages that process in real time by continuously monitoring and fixing problems as they occur.”

A Familiar Tune

Dan Srebnick, New York City’s chief information security officer, looks at cloud security a bit differently. He says security issues in the cloud can be handled much the way they are in the data center.

“My philosophy is that a data center is a data center, so aside from the methods you use to run and provision it, we set out to see if we could apply some of the tools we use internally to the cloud,” Srebnick says.

Srebnick uses the same security tools he runs in the data center — the McAfee Vulnerability Manager host vulnerability scanning system and IBM Rational AppScan for application vulnerability scanning. He also set up a special instance of the McAfee tool outside the firewall to manage cloud traffic.

So far, the system is working well. Earlier this year, the department set up a public cloud using Microsoft Azure to let people register for a limited number of tickets to a parade for the New York Giants after they won the Super Bowl. The site was deployed very quickly to handle a large anticipated load. Using the same security tools deployed internally, the IT team could identify and remove security vulnerabilities.

“When it comes to the cloud, it’s important not to forget that it’s the basics of IT security that are the ‘gotchas,’” Srebnick says. “If you fail to do the basics within your own environment or within the cloud environment, the bite marks are the same.”