Security

NASCIO Midyear 2022: CISOs Advocate Consolidated Cloud Management

Centralized administration of contracting and security operations benefits all agencies, panelists said.

Mickey McCarter is the senior editor of StateTech Magazine.

A Texas procurement officer has a sticker on his laptop that says, “The cloud is just another computer someplace else.”

Texas CISO Nancy Rainosek shared the quippy observation Monday in a session of the midyear conference of the National Association of State Chief Information Officers in National Harbor, Md., to demystify moving resources to the cloud. In a panel on cloud security, Rainosek and fellow state CIOs argued for the pooling of state agency assets to improve the efficient operations and cybersecurity posture of those “computers someplace else.”

Rainosek pointed to the experiences of Texas state agencies. Texas is a federal state, and each agency has its own CISO responsible for data and applications, Rainosek said. Some time ago, Texas established a central data center and required 28 state agencies to join it. Once the data center centralized those 28 agencies, she estimated, it accounted for roughly 85 percent of the state’s total computing.

The Texas Department of Information Resources established its Technology Solution Services to manage the shared services in the data center. From there, DIR allocated responsibilities for various workloads to specific vendors. DIR bundled application services, private cloud, public cloud, mainframe and print mail and awarded contracts accordingly. The agency also hired a designated security operations contractor.

EXPLORE: GET CRITICAL INSIGHTS INTO RISKS WITH CYBERSECURITY SERVICES FROM CDW.

Agencies participating in the data center must utilize the consolidated resources. “We expect them to use our public cloud manager,” Rainosek said. With the public cloud operating model, agencies evolve their architecture and services through the adoption of cloud-native solutions. DIR integrates security operations into all services.

This arrangement results in an overall better security posture, Rainosek added, as agencies gain use of best of industry tools at the network and host levels, security posture management and validation with logs and alerts, next-generation cloud edge security services protecting ingress and egress to networks, vulnerability management, privileged access management and more.

Click the banner below to discover more cloud resources and customized content by becoming an Insider.

DIR’s contracting requirements divide responsibilities for service delivery among agency customers, the public cloud manager and the public cloud provider. Generally, the agency itself has the largest share of responsibility with Infrastructure as a Platform offerings and the least burden with Software as a Service solutions.

The data center supports direct connections to cloud solutions from Google, Microsoft Azure and AWS, Rainosek said. And the DIR public cloud manager regularly assesses workloads to ensure delivery in the most cost-effective manner available.

Rainosek related a story about an agency that didn’t go through DIR to acquire some services during the height of the pandemic. The agency saved money, declined to engage specific security services and suffered a distributed denial-of-service attack that took services offline. DIR stepped in to help. Rainosek suggested agencies face significantly fewer such problems when following the prescribed procedures and pooling their resources in the combined data center with the state’s public cloud manager.

Pooled Resources Boost Cybersecurity Across State Enterprises

During the NASCIO cloud security panel, West Virginia CISO Danielle Cox described a cloud addendum that automatically attaches to every cloud computing contract executed by a state agency.

“It’s not just for our office’s technology purchases,” Cox said. “We worked with our purchasing office and privacy office to make this available for every state agency.”

The cloud computing contract addendum stipulates terms for how information is created, transferred, executed, stored and finally destroyed, Cox said. The addendum defines the responsibilities of the West Virginia Office of Technology, the cloud vendor and the customer agency.

Vendors occasionally challenge the addendum, but it is generally embraced. And the addendum sparks conversations among agencies about the protection of data throughout its lifecycle.

Arizona Deputy CISO Ryan Murray noted that the other CISOs had focused on “security of the cloud or security within the cloud, but I’m going to talk about security from the cloud.”

Arizona’s Department of Homeland Security is moving all security tools that aren’t already in the cloud to cloud-based platforms, Murray said. The CISO was once housed within the Arizona Department of Administration like the CIO, but the state recently moved the office into Arizona DHS. Adopting cloud-based tools supported this “decoupling,” as the CISO and CIO both turn to cloud providers to manage solutions, he added.

From within Arizona DHS, the CISO’s office focuses on providing security tools to state agencies and also plans to expand the availability of those tools to all Arizona cities and counties. That goal would be “impossible” with an on-premises data center or perhaps even a private cloud data center, Murray said.

“Bringing in tens of thousands or even hundreds of thousands of new users for our cybersecurity users is going to be instrumental to the success of this program,” Murray said.

Arizona is hoping to combine several funding streams — including funds from state executive branch appropriations, federal homeland security grants and upcoming grants from the Infrastructure Investment and Jobs Act — to pay for its local government security support program, Murray added.

Check out more coverage from the NASCIO 2022 Midyear Conference and follow us on Twitter at @StateTech, or the official conference Twitter account, @NASCIO, and join the conversation using the hashtag #NASCIO22.

Photography by Mickey McCarter