DIR’s contracting requirements divide responsibilities for service delivery among agency customers, the public cloud manager and the public cloud provider. Generally, the agency itself has the largest share of responsibility with Infrastructure as a Platform offerings and the least burden with Software as a Service solutions.
The data center supports direct connections to cloud solutions from Google, Microsoft Azure and AWS, Rainosek said. And the DIR public cloud manager regularly assesses workloads to ensure delivery in the most cost-effective manner available.
Rainosek related a story about an agency that didn’t go through DIR to acquire some services during the height of the pandemic. The agency saved money, declined to engage specific security services and suffered a distributed denial-of-service attack that took services offline. DIR stepped in to help. Rainosek suggested agencies face significantly fewer such problems when following the prescribed procedures and pooling their resources in the combined data center with the state’s public cloud manager.
Pooled Resources Boost Cybersecurity Across State Enterprises
During the NASCIO cloud security panel, West Virginia CISO Danielle Cox described a cloud addendum that automatically attaches to every cloud computing contract executed by a state agency.
“It’s not just for our office’s technology purchases,” Cox said. “We worked with our purchasing office and privacy office to make this available for every state agency.”
The cloud computing contract addendum stipulates terms for how information is created, transferred, executed, stored and finally destroyed, Cox said. The addendum defines the responsibilities of the West Virginia Office of Technology, the cloud vendor and the customer agency.
Vendors occasionally challenge the addendum, but it is generally embraced. And the addendum sparks conversations among agencies about the protection of data throughout its lifecycle.
Arizona Deputy CISO Ryan Murray noted that the other CISOs had focused on “security of the cloud or security within the cloud, but I’m going to talk about security from the cloud.”
Arizona’s Department of Homeland Security is moving all security tools that aren’t already in the cloud to cloud-based platforms, Murray said. The CISO was once housed within the Arizona Department of Administration like the CIO, but the state recently moved the office into Arizona DHS. Adopting cloud-based tools supported this “decoupling,” as the CISO and CIO both turn to cloud providers to manage solutions, he added.
From within Arizona DHS, the CISO’s office focuses on providing security tools to state agencies and also plans to expand the availability of those tools to all Arizona cities and counties. That goal would be “impossible” with an on-premises data center or perhaps even a private cloud data center, Murray said.
“Bringing in tens of thousands or even hundreds of thousands of new users for our cybersecurity users is going to be instrumental to the success of this program,” Murray said.
Arizona is hoping to combine several funding streams — including funds from state executive branch appropriations, federal homeland security grants and upcoming grants from the Infrastructure Investment and Jobs Act — to pay for its local government security support program, Murray added.
Check out more coverage from the NASCIO 2022 Midyear Conference.