Earlier this week it was announced than an international hacker had successfully made off with over 3 million social security numbers and almost 400,000 credit and debit card numbers from the state of South Carolina. State and local governments have collectively spent billions of dollars trying to secure their data systems. In spite of this investment, a hacker was able to identify and exploit a weak spot in their armor. As public sector budgets are continuing to shrink, there is pressure to add more software applications to automate tasks and lower costs; increasing pressure to cut costs on security for these applications; and increasing pressure to extend the life of less secure and aging legacy computer applications. The result is that our government agencies are at increasing risk of successful cyber-terrorism through a greater number of applications, lower security standards, and aging applications that should be replaced.
How could South Carolina and other state and local governments cost-effectively protect vital citizen, business and government records? The answer comes from an emerging private-sector technology: cloud computing.
Cloud computing enables organizations to migrate their computer applications and/or associated data to servers on the internet.
A simple example is SkyDrive (www.skydrive.com) from Microsoft. If you get a SkyDrive account, you can store documents, images and data online. Data that would normally be stored on your local computer, on a memory stick or on a corporate server, can now be stored on a virtual hard drive hosted by Microsoft. You can access this data anywhere, you don’t need to worry about backups, and you leave the security to Microsoft. SkyDrive also enables you to edit your documents using web versions of Word, Excel or PowerPoint in the cloud – those applications do not need to be on your local computer.
The cloud now includes applications for infrastructure as a service (Iaas), platform as a service (PaaS) and software as a service (SaaS). Infrastructure includes the core technology “plumbing” that every organization needs as a foundation such as email servers, data storage and backups. Platform as a service provides new application development platforms in the cloud, allowing public sector organizations to develop their own fully-customized applications in the cloud. Software as a service refers to the availability of the day-to-day software applications that state and local governments need to run their organizations in the cloud (the reference in the preceding paragraph to the Microsoft Office applications is an example of SaaS).
Microsoft isn’t the only game in town when it comes to cloud computing either. Salesforce.com, Google, Amazon.com and many other large players offer a full array of cloud computing options covering all three of the service areas outlined above. In other words, it is now possible for public sector organizations to migrate 100% of their data centers to the cloud.
For a more detailed primer on the cloud, click here.
So what does cloud computing have to do with improved security at the state and local government level? Every server, every application, every database and every connection in any data center needs to be secured. And security is a constantly moving target. In order to stay on top of security public sector organizations have to employ enough individuals to secure every potential vulnerability, they need to employ enough people to stay on top of evolving security threats and standards, they need to employ the right people to constantly test and improve their security standards. In other words, only the very largest of organizations can afford the appropriate amount of investment required to fully protect their data centers. State and local governments are likely to be particularly vulnerable because they are large enough to present attractive targets to cyber-terrorists, but small enough to have insufficient protections in place to thwart all attacks.
The cloud computing giants, however, employ extremely large security groups. They are constantly evolving their security provisions based on the latest available intelligence. In fact, the success of their business model is linked directly to the success of their security. If security is lacking, then their customer base will quickly find different options.
In state and local government, it can sometimes take weeks or months for a known security breach to be fully resolved. In the recent case of South Carolina, the security breach wasn’t even reported for over two weeks. Who knows how long it will take for all other states to assess, understand, fix and test the breach in their own data centers. In a cloud data center if a breach is detected it can be repaired for all participants in that cloud center at once – taking weeks or even months of risk out of the formula.
What’s more, public sector organizations such as state and local governments and their various institutions such as health and human services, prison management, citizen services and others, can negotiate contracts with their cloud vendors to shift the risk to the private sector. In the case of South Carolina, the government may end up spending millions of taxpayer dollars providing identity theft insurance to their citizens who were impacted by this issue. If there is a breach in security, the government institution and its citizens will be shielded from additional costs – the budget for cloud computing remains flat and predictable regardless of the situation.
Can the public sector become dependent on private sector partners for something as critical as information technology? If past history is any indication, then the answer is a clear “yes”.
The earliest versions of modern-day IT systems were ink, paper and candles. Governments of all kinds depended on these items to run effectively. But they did not need to employ the producers of these items. Rather, they depended on the private sector to produce these at a reasonable price.
More recently, the introduction of electrical power delivered a technology that the government quickly became reliant upon to improve productivity. If government offices lost their electrical supply for more than a brief period, the results would be disastrous. When electricity was still a cutting-edge technology, it wasn’t clear how the government should manage their electrical needs. As time went by, however, it became clearly that state and municipal governments could plug into the same electrical “cloud” that private citizens and businesses used. If the power goes down, they know that their private sector partners are on the hook to take care of it quickly.
Twenty years from now, we will view computer applications the same way. When a public sector organization needs an IT application, they will plug into the cloud to get it; if it does down or there is a security issue, they will know that their private sector cloud partner is on the hook to take care of it.
Jumping into the cloud is not as easy as signing a contract with a cloud partner. Making the move will be an evolutionary process that public sector organizations will gradually evolve into over the next five to twenty years. Here are a few pointers for getting started.
One option that won’t work is business as usual. A new generation of technologies and software has emerged that promises to shore up security risks and lower costs for the public sector. Every state and local government should begin evaluating their options and modernizing their applications to ensure we don’t see more reports of successful cyber-crime in the public sector.
The complementary paper includes over 12 years of research, recent survey results, and CRM turnaround success stories.
This 60-second assessment is designed to evaluate your organization's collaboration readiness.
Learn how you rank compared to organizations typically in years 1 to 5 of implementation - and which areas to focus on to improve.
This is a sandbox solution which can be activated per site collection to allow you to easily collect feedback from users into a custom Feedback list.
Whether you are upgrading to SharePoint Online, 2010, 2013 or the latest 2016, this checklist contains everything you need to know for a successful transition.