Pa. CISO shares concerns with free cloud services
The use of free clouds for computing and storage is becoming more popular, but the state of Pennsylvania is not buying the hype.
In an interview with StateScoopTV, Erik Avakian, the state’s chief information security officer, said Pennsylvania prohibits the use of these services for state-owned data and applications, unless a state agency gets special permission from the Pennsylvania chief information officer and signs a waiver.
Otherwise, the sites are blocked.
“The free cloud, and the inherent nature of it, is extremely risky,” Avakian said, mentioning the lack of confidentiality, integrity or availability assurance for the data, meaning data managers do not know where it is being backed up. There are also no terms and conditions, so there is no assurance of what the provider is doing with that data.
Free cloud services are becoming more and more popular, especially in people’s private lives, where companies like Apple and Amazon allow them to store their own data virtually, and that’s bleeding over to state public sector organizations as well.
On the outside they look great: free storage, easy access to data and applications and easier use of mobile devices, but Avakian said there are too many privacy and legal issues for them to be used effectively – at least as they are currently constructed.
What Avakian suggests for states is partnering with one or two vendors and getting quality terms and conditions in place that are in the states’ best interest. Also, states should look at an internal solution they can host themselves, but if they need an external cloud provider, Avakian said one can be enabled through solid contracts and solid terms and conditions.
Avakian said Pennsylvania already has an internal solution and is piloting an external one with the vendor community that will allow state workers to access data on mobile devices.
“We really wanted to develop a cloud storage service that can be done with any device, so anywhere you are going, you can access your data,” Avakian said. “That’s somewhere we are going and what I think is the future as people are going to want to have their files wherever they go.”
He said it’s key to negotiate terms and conditions with a vendor before launching a pilot program instead of trying to reverse engineer them, or the pilot could be wasted if the state and vendor cannot work out an agreement after the fact.
Items to look at when negotiating terms and conditions:
- States should know where their data is being held and make clear that the data remains in the ownership of the states.
- States should also look at having solid controls in place such as data encryption and a plan in place for data breaches.