Missouri Chief Information Security Officer Michael Roling was shocked when he learned from a newly installed monitoring software program that state employees were using more than 2,500 different unauthorized cloud services.
But a year after the governance tool from Skyhigh Networks uncovered those electronic indiscretions, Roling said the information helped him cut down on this “shadow IT” and make the state’s networks considerably more secure.
“That was a real eye opener, I don’t think any one of us would’ve guessed that the number would be that high,” Roling told StateScoop. “So that quickly helped me and [interim Chief Information Officer Rich Kliethermes] gain more traction in terms of governance around the situation and the importance of the direction that we were heading.”
Roling said the state had long used a “content gateway solution” to understand what websites workers were visiting on state devices, but it was an imperfect fit.
“It categorized URLs, social networking, information technology, the whole nine yards, but it didn’t show risk,” Roling said. “It didn’t show that this service categorized as social networking was higher risk than this other website that’s also social networking.”
After all, Roling noted, the state’s public information officers have to use popular sites like Facebook and Twitter as part of their daily routines, but the old service couldn’t distinguish between the danger posed by “overseas social networking sites” that might be less secure and the danger posed by those established platforms.
“Being CISO, that’s a very uncomfortable thing, knowing this activity is going on, but without the proper tool set, there’s no way to really detect it,” Roling said.
He added that the importance of getting a handle on the services employees were using became increasingly clear.
“We had all these other services that state agencies wanted to use, and they were coming at us quickly, the velocity continued to increase,” Roling said.
Then, early in 2015, Roling heard about Skyhigh, and when he learned that a variety of private sector companies that he considers “very innovative, very cutting edge,” were using the service, “that gave us the trust that we needed to look at potentially partnering with Skyhigh.”
Once the state struck a deal with Skyhigh, Roling started using the tool to analyze how employees used the Web. After those initial results, Roling finally felt that he could get a better handle on the risks he was dealing with on a daily basis.
“Before we entered into this partnership, there was a lot of myth, a lot of vapor, no pun intended, when it came to understanding the risks involved in using the cloud,” Roling said. “We’ve been able to show our reduced risk across the organization and that has been tremendous. That’s my No. 1 job, trying to reduce IT risk, and this partnership has done just that.”
As Roling and the rest of his Information Technology Services Division have used the tool over the last few months, he said, it has helped the state craft an approach toward ensuring compliance with various security standards that’s “reactive and proactive.”
“On the proactive side, we’ve leveraged Skyhigh to help us formulate better decisions about acceptable cloud services providers,” Roling said. “But we can also go back and show auditors or whomever that we’ve maintained our compliance by using secure solutions.”
Roling expects the pace of Missouri’s adoption of cloud services will only accelerate over the next year, and he hopes to use the governance tool at every step to keep the state secure.
“As we continue to grow in terms of adopting the cloud, we’ll continue to grow with Skyhigh,” Roling said.
StateScoop’s “One Year In” series evaluates people, projects and programs that are a year into their life cycle.
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.