
Montgomery County Leverages Professional Certifications to Enable Secure Cloud Computing Services

Introduction
Three years ago, Montgomery County IT officials foresaw the coming fiscal crisis and began looking at how they could continue to deliver high-quality but cost-effective access to the enterprise infrastructure, applications and data required by the government's 34 departments and approximately 10,000 employees. The solution? Cloud computing, whereby end-users store, manage and process data and access applications on a network of remote servers hosted on the Internet, rather than on a local server or PC. The model has a number of benefits, including flexible costs based on usage, access to more storage and computing power without the need for major capital investment, a greater ability for employees to work remotely, greater flexibility and the ability for the IT department to shift its focus to other, higher-priority tasks. For Montgomery County, the primary benefit driver was the ability to cut costs without cutting IT personnel. But the greatest challenge was security: how to develop an effective security plan within an industry that, at the time, had essentially no security standards? In fact, the 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost and Sullivan, found that while government agencies are demanding access to more technologies, there exists a significant gap in the skills needed to protect these services. The study further called for more education of information security specialists to close this gap, specifically imparting a more detailed technical understanding of cloud computing, enhanced technical knowledge, and contract negotiation skills.

Fortunately, Keith Young, the Security Official within Montgomery County's IT Department, and his team, most of whom had been certified under (ISC)2's Certified Information Systems Security Professional (CISSP) credential, were able to draw on their fundamental knowledge of security to develop a plan and an implementation schedule that not only successfully safeguarded applications and data but actually improved overall security and compliance.

"Cloud computing requires a change in mindset; and for us, having that certification always forces us to go back to the basics of security and think organically about the challenges," Young explains. "So you go back to the elementary tenets of security, keeping the system simple and looking at user management, looking at authentication, and putting on that hat rather than going down a traditional checklist for desktop security. That, in and of itself, makes the change in mindset a lot easier, and the challenge of securing a cloud environment much more straightforward to address."

BACK TO BASICS
A major concern for the IT and security team at Montgomery County is the range of organizations and missions they must deal with on a daily basis, including fire, police, recreation, finance, environmental protection and liquor control. The job also involves protecting data that is highly regulated. The county's Department of Health and Human Services, for example, deals routinely with information protected under the Federal Health Information Portability and Accountability Act (HIPAA) law, while another 19 local agencies handle credit card numbers and take credit card payments, a situation that requires compliance with the PCI Data Security Standards.

When Young decided to look into cloud computing, however, he determined that it would be best to use the security team as a guinea pig. "We kind of figured we had better eat our own dog food, so we migrated about 80 percent of the enterprise services that my team provides to our departments out to various cloud vendors, more or less what I would call best-of-breed, to see what the challenges were."

The biggest challenge was clearly security, Young says, noting that cloud vendors, at that time, had not yet begun to focus on developing security standards. "A lot of our discussion initially with these vendors was, 'How do you build your security?'" Young recalls. "They would give us a report showing that they were accredited under the SAS-70, Type 2 audit [a set of auditing standards devised by the American Institute of Certified Public Accountants as a way to measure their handling of sensitive data]. Well, that was so high level and generic that it didn't do us any good, so back we went to more or less a bar napkin approach to assessing each cloud vendor's information security."

That's where the team's professional credentials came in. Young is himself a CISSP, as are all but two members of his team, and they soon fell back on the fundamentals of security strategy. "We basically used the knowledge of the certification to go out and do the research of what needed to be done for the cloud because there wasn't a lot of information available," Young says. "So we were able to determine what was realistic and how we should approach the problem." That meant putting away prescriptive tasks like antivirus programs and smartphone encryption, and looking to the organic roots of effective security. "Not only were we going to be administrators of this type of solution but also consumers," Young explains. "So we were able to go in and say: Here's how to do proper setup and configuration of users, here's how to look at change control. It's the fundamentals that become important, not the specific controls that people are used to doing." A key part of their solution was to rely on strong authentication controls while also setting a policy to utilize only standard Web-based applications built specifically for the cloud, rather than trying to transfer traditional legacy and PC-based applications to the cloud.

"In this way, a lot of the traditional security concerns become unnecessary, and it shifts the mindset in terms of how you think about risk," Young says. It also shifts much of the security burden to the cloud vendor, who can enjoy economies of scale by investing once in various security technologies and controls and reaping the benefits many times over. However, the IT team does not rely solely on the vendor, but instead oversees the process and applies its own appropriate controls and strategies to ensure that best security practices are in place and are always being followed.


LOOKING AHEAD
Moving enterprise-level IT applications to the cloud worked so well and included such strong security for the Montgomery County IT team that within a year, they began approaching department officials about putting some of their own vertical applications into the cloud.

One of the earliest projects was one for the Department of Fire and Rescue, which enabled emergency medical technicians and paramedics to input required information while en route to a call or at the scene. "Traditionally, after they were done, they would spend 45 minutes standing at the hospital filling out forms with patient data, vitals, treatment and so forth," Young explains. "Now, it's automated through the cloud and they no longer spend all that extra time with their paperwork." A year ago, Young and his team started looking at piloting enterprise applications and how to take on more collaborative functions, such as email and document storage, to move them out to the cloud. After a long study of the performance of those applications in the new environment, combined with further research into the security implications of adding personal and corporate handhelds and smartphones into the mix, the county now has a small group of users utilizing cloud-based enterprise applications. "We're basically just looking to continue to ramp up from there," Young explains. He notes that one of the conundrums of security is working with users and departments to give them the functionality they want without introducing more risk into the system. The key, he says, is to rely on certification and education to bring fundamental security knowledge and tenets to every new challenge, whether that be cloud computing or smartphone applications.

"If you say no, people will do it anyway, only without the benefit of your security expertise," Young states, noting the workarounds that employees came up with and the security problems that resulted when many organizations instituted a policy of disabling flash drives. "But by relying on the basics of security that we developed through the certification process and continuing education, and then doing your research and figuring out a way to meet the organization's business objectives and user needs, you have the opportunity to design the security from the ground up in the most effective way possible."

