Chicago Initiates a Cloud Strategy
E-mail, Productivity Apps for 30,000 Employees Moving to the Cloud
By moving to a new cloud computing strategy, Chicago's city government intends to reduce complexity of its IT systems and improve its information security posture.
The city is adopting a cloud computing strategy for its 30,000 employees' e-mail and desktop applications, a move that Chief Security Officer Arlan McMillan says will advance the overall infrastructure.
"Just like most enterprises and like many government agencies, we're a couple of revisions behind in a couple areas," he says in an interview with Information Security Media Group [transcript below].
The 4-year, $3.7 million contract with Microsoft will allow Chicago to move to the front of the line in terms of being able to implement the most secure products, McMillan says.
"It's going to not only quickly advance us to the front of the line in terms of security, but then also increase our agility and ability to deploy new security measures," he says.
In implementing its new cloud strategy, Chicago followed provisions in the Federal Information Security Management Act, implemented practices outlined in the federal government's FedRAMP cloud vetting program, and instituted controls detailed in guidance from the National Institute of Standards and Technology.
In the interview, McMillan explains how the:
- Cloud initiative provides additional security to the city's e-mail and productivity applications;
- City vetted cloud providers;
- Basic components of the program will work.
McMillan, with 16 years of IT security experience, became Chicago's CSO and director of IT security last August. Previously, he held IT security managerial positions with PricewaterhouseCoopers, Symantec and ABN AMRO Bank. McMillan holds a number of IT, IT security and auditing certifications, and received a Bachelor of Arts degree in art and architecture history from the University of Illinois at Chicago.
Chicago's Cloud Computing Strategy
ERIC CHABROW: Before we discuss the security aspects of the cloud strategy, take a few moments to outline the gist of the city's cloud computing strategy?
ARLAN MCMILLAN: We've taken a look at some of our primary applications that are used across the city, focused on our mail. We took a look at what we were doing across the city in our multiple agencies and within our corporate headquarters. We were mostly interested in identifying areas where we can consolidate multiple platforms, consolidate multiple different products, and really deliver it in a much more reliable, cost-effective way, while at the same time enhancing the overall security with the Microsoft Office 365 cloud solution for governments.
CHABROW: Why did the city go with Microsoft?
MCMILLAN: We took a look at a couple of different products. We currently had relationships with Microsoft. In the end, just after taking a look at their product set and comparing it against our need set, we decided it was the most appropriate solution. There are a couple of other good products out there, but we think this one is the best one for our needs.
CHABROW: How much is the city spending on cloud computing?
MCMILLAN: The total cost of the contract over four years is right around $3.7 million, and this is $400,000 savings per year over the cost of the contract.
CHABROW: Of the contract, is there any way to quantify how much of that's going towards security?
MCMILLAN: No. You really can't break it out that way because security is really weaved into the whole offering. You can't really just break out and say 20 percent is security and the other 80 percent there's no security in there at all. It's really an integrated component of the whole contract and of the whole product that we'll be implementing this year.
Improving Security through the Cloud
CHABROW: According to the statement [issued by the city], the cloud strategy is designed to improve security. How so?
MCMILLAN: You do so in a couple of very key ways. We were running multiple different solutions. By going to a single cloud solution, we're able to reduce complexity. That reduction, just in itself, will improve security. Another key way is that we're really improving and advancing the overall architecture of our e-mail and productivity app solutions. Just like most enterprises and like many government agencies, we're a couple of revisions behind in a couple areas. I think going through this product set, we're able to go right to the front of the line and we're able to now implement the most secure products available right away and then be able to deploy patches and security solutions across our new cloud solution and across the enterprise in a very rapid manner. It's going to not only quickly advance us to the front of the line in terms of security, but then also increase our agility and ability to deploy new security measures.
CHABROW: Are there any hesitations about going to the cloud?
MCMILLAN: Sure. Of course there are hesitations. There are hesitations with taking a look at any new product. You always have to take a risk-based approach and analyze costs versus risks. We spent quite a bit of time looking at all of these different issues and we're confident that those issues are addressed and that the risk is well understood.
Vetting Cloud Providers
CHABROW: How does the city go about identifying cloud providers, and how are those providers vetted to assure that they provide a secure environment?
MCMILLAN: There are a couple of different ways. Cloud is a big topic and there are a lot of different cloud providers out there, so you asked a big question there. To limit that to specifically this product that we're looking at, we looked at Microsoft. We looked at a couple of others and we identified those as best of breed, took a look at industry papers and industry analysis, and then we went directly to those vendors and we began our conversations.
CHABROW: Was Microsoft the only vendor that you felt provided the proper security, or were there other factors that decided this contract?
MCMILLAN: There were a variety of things that we looked at there. It was a full analysis. I don't want to get into naming names of who else we looked at. Microsoft came out ahead, not only security, but also the best deal for the taxpayers. We always have to look at costs as well.
FISMA and FedRAMP
CHABROW: What processes does the city have to assure security of cloud computing initiatives?
MCMILLAN: This is a great thing. This is one of the great things that's happening out of the federal government right now. By taking a look at FISMA, what has been done within the FISMA ATOs that have been provided to Microsoft, as well as to a couple others, and what federal government is ramping up with their FedRAMP product, what FISMA and FedRAMP are really providing is transparency and predictability with the evaluating cloud vendors, which for us was very helpful. It really provided a single pane of glass with which you can view all of these different vendors and compare vendors' apples to apples. FISMA and the upcoming FedRAMP, they're leveraging the NIST 800-53 framework, which is a well-established, well-respected framework and we used [it] as well.
CHABROW: How important is what happens in Washington, in the federal government, whether it's through FISMA or through FedRAMP, which is a program to vet cloud providers, or through NIST, the National Institute of Standards and Technology, and their guidance? How important is that to local governments in helping to guide them to making security decisions?
MCMILLAN: I think it's very important. FISMA and FedRAMP are set up so that the different federal agencies don't have to completely rebuild the wheel, so that they can go to one source and have app stores vet a cloud solution. Do it once and implement many times. That strategy is a very good strategy. For us, we're leveraging much of the same methodology with how we look at these types of questions and when we do these types of evaluations. Currently, within the city, we're also looking at examining our technology against the 800-53. We're not required to do so, but again because it's such a great product set, because it's such a great framework, we're bringing it into the city and it's very helpful to us.
CHABROW: The framework you're referencing is NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations. This is part of risk management. What's the role of risk management in making decisions like choosing a cloud provider?
MCMILLAN: Information security is risk management. Risk management is part of nearly every decision, and it's a core component of making security-based decisions. Having a robust methodology to perform that type of risk assessment and the frameworks to leverage to aid in those decisions, 800-53, a set of controls, is part of that process.