In 2012, we developed Cloud Guidance for the State agencies that served to educate and to identify considerations that should be given before moving to cloud solutions. These considerations seem fairly straightforward now: things like security, data protection and encryption, auditing and access, as well as a pre-defined exit strategy. However, the one major component was that an agency seeking a cloud solution needed to work through DAS before moving to the cloud. We felt strongly that we needed to know where our data lives, and we didn’t wish to replicate, across a variety of differing or incompatible cloud solutions, the historical sprawl of physical hardware we had in 26 agencies. We now work closely with agencies on these considerations and workloads to determine the best solution for the State. Currently, we have over 20 cloud solutions that align with the enterprise strategy that agencies can leverage, with an additional 35 or so that are specific to agency missions.
Benefits of e-Governance
It is imperative that we start with the user experience when providing services to our constituents, the citizens and businesses within our states. We need to do more than just offer online services. We need predictive services which are transparent to the user. Millennials expect digital and “near instantaneous gratification”. Our constituents need to be presented with services which are relevant to them without having to search. This implies thinking from an enterprise perspective, not just a program or even agency perspective. Go out and try to figure out which state agency has a program for heating and energy assistance. This is buried somewhere in our web presence. eGovernment efforts need to reduce the complexity of navigating 26 agencies and 120 board and commission websites to “discover” the services our citizens and businesses require. To do this effectively, we believe a strong identity, authorization and fraud detection process must be in place. These are complex and challenging issues to work through, but getting it right is critical and will provide significant benefits for all.
Impact of Social Media, Mobile, Cloud and Tablets
We encouraged a Mobile First mentality in Ohio. Any new program has to be mobile in its design so that access from any device can be accomplished. This requires rethinking what and how we deliver secure services. We have adopted a new set of tools and a new mindset for these technology trends. From a security control standpoint it is certainly a game changer. We developed Master Cloud Service Agreements (MCSAs) to ensure approved solutions met standards like NIST 800-53 and certifications like FedRAMP. These MCSAs also defined service levels, escalation processes and compliance audit functions that allow us to verify solutions are staying current on their controls. These solutions also require our traditional perimeter security defense to be incorporated into the cloud as a natural extension of the Enterprise. We adopted a Cloud Access Security Broker (CASB) as one of our new perimeter controls. We adopted a Mobile Device Management (MDM) solution so that when state devices are lost or stolen we have the ability to verify encryption and can remotely disable and erase content.
Effective Use of Data
We are currently pursuing statutory language that classifies data as a State asset. The point is to encourage data sharing from programs and departments where possible, with consideration of the necessary data privacy and restrictions, and to bring that data to bear on the complex issues we face. In Ohio, we see data analytics as one of our most promising tools, which will require anonymization of data and will allow us to unlock the 4 petabytes of data associated with over 1600 applications and systems to provide insight and answers on some of our toughest problems: societal challenges such as infant mortality, opiates, workforce, fraud, waste and abuse, to name a few.
Our approach has 4 elements:
1) creation of data sharing agreements between agencies (while protecting the privacy of our citizens and businesses)
2) normalizing and anonymizing data in a readily consumable format
3) obtaining private and public cloud analytics platforms to perform projects and
4) access to the best data analytics talent and tools to perform projects.
Again, we believe that many of the answers (things that make better policy, things that allow us to focus taxpayer dollars on making a difference, things that can save lives) reside within the data of our systems, the combination of data across systems and the incorporation of externally available data sources.
Changing Role of CIOs
Clearly we wear numerous hats, from operations to innovations and change agents to strategists, but the one consistent component with the hats we wear is the move to be closer to the business side of things. In 2010, the State of Ohio spent over 80 percent on IT Infrastructure and Operations and less than 20 percent on applications. Today, we have flipped that to 45 percent on IT Infrastructure and Operations and 55 percent on applications that matter. Our goal is to have this at 30/70. The cloud solutions provide us with tremendous leverage in how technology can be applied and in the considerations given for the total costs of an effort.
Advice for CIOs
From an enterprise perspective, identifying the most talented people across the State and putting them in front of our toughest problems has been a rewarding lesson. The most durable change and leadership almost always comes from within, and our agencies are a wealth of talent and creativity. Creation of collaboration between agencies has always been a challenge for Governments, but if you can get over that hurdle the teams you create can move mountains! On a personal level, I would say block out and protect time every day for critical thinking and reflection. Once our meeting schedules start it is easy to be dragged into the minutiae; you have to be able to lean back and use your head for something other than a hat rack.
Do the due diligence on security and auditing, and always be thinking about the exit strategy and the plan for pulling your data back if you need to. Governments seem to fall prey to “reinventing the wheel” rather than relying on well-established standards, such as encryption and access management from NIST and others like FedRAMP, that are essential “table stakes.”