Local Government Goes Google
Presented by Brig Otis for the 2011 InnoTech Oregon conference.
Local Government Goes Google
Brig Otis, IT Security
Office of Information Technology
Introduction
• In October 2010, Multnomah County migrated over 3,600 county employees to Google Apps Government Edition.
• One of the first local governments nationwide to use cloud-based email and calendaring services.
Introduction
• Brig Otis, IT Security
• Dan Cole, Project Manager
• Stan Johnson, Infrastructure Manager
Agenda
• Why Google?
• Implementation Team
• Vendor Management
• Implementation Considerations
• End Users
• Migration
• Support Plan
Why Google?
• Budget Shortfalls
• Growing Demand for IT Services
• Aging Enterprise Email System
Implementation Team
• Core Team
  – PM plus Subteam Leaders
• Subteams
  – Technical
  – Communications
  – Security
  – Training
  – Contracting
Implementation Team
• End Users (county employees)
• Cloud Service Team
• System Integrator
• Technical Steering Committee
Implementation Team
• Security Considerations
  – Representation
  – Core and Subteam communications
  – System Integrator
    • Responsibilities
    • Product/Service Maturity
    • Cryptographic controls
    • Development and Support Processes
    • Change Control
Vendor Management
• Contracting
  – References to dynamic policies at URLs
  – SLA
    • DR
  – Exit strategy
    • Data Escrow
    • Ownership
  – Data Classification (yours; not theirs)
    • Encryption
Vendor Management
• Contracting
  – Change Management
    • Musical Features
  – Provider Certification
    • Understand the certification (the package)
    • Does not certify your use of the service
      – Example: Sharing of Google Objects
Vendor Management
• Advanced Planning
  – Time
  – Get the actual support team involved
  – Project management methodology
• Security Considerations
  – Unauthorized access
  – Breach of confidentiality
  – Laws and regulations
Implementation Considerations
• Paradigm Shift
  – Control Set (technical controls)
    • Built-in
    • Design yourself
  – Organizational Policy (administrative controls)
  – Refresh organizational consciousness
Implementation Considerations
• Fit With Existing Technology
  – Authentication/Authorization Mechanisms
  – Dual Delivery
  – Internet Connectivity
  – Endpoints (including Mobile Devices)
  – Directory Services
• What to expose / how?
  – MCSO free/busy calendar synchronization
Implementation Considerations
• Fit With Technology Roadmap
  – Mobile Strategy
  – Identity Management
  – Other Cloud Services
  – Network Convergence
Implementation Considerations
• Fit With Existing Processes
  – Basic Account Management
    • Integration with HR/Payroll
  – Work Unit Communications
  – Shared Calendars
  – Shared Inboxes
Implementation Considerations
• Fit With Existing Processes
  – Security Considerations
    • Identity lifecycle issues
      – accounts
      – inboxes
      – calendars
      – other cloud-based objects and artifacts
    • Data in Transit
      – TLS / Encryption
    • Confidentiality and Availability (user-managed content)
    • Unauthorized Access due to sharing
Implementation Considerations
• Fit With Culture
  – What is the nature of the data?
  – How information systems are used (information handling)
  – Security Policy governing use of Google Apps
End Users
• Security Responsibilities are Increased
• Awareness Training
• County Departmental Policy
  – Departmental Business Processes
• End User/Department Security Concerns
  – Portable Media
  – Operations - Patch Management
  – Economies of Scale
Migration
• Phase: Pilot Program
  – Security Considerations
    • Early adopters running too far too fast
      – Including Privileged Users (Admins)
    • Representation of Security and other IT leaders in the Pilot
Migration
• Phase: Planning/Preparation
  – Communications (time to overcommunicate)
  – Training (classes using the SaaS)
  – Support
    • Self-help
    • Google Guides - Staff & Googlers
    • Core Team
  – Load Testing
Migration
• Phase: Planning/Preparation
• Security Considerations
  – Awareness Training
  – Consistent Organizational Message
  – Accurate Responses
  – Accidental Deletion of Data
  – Old thinking; new Process Issues
  – How much Analysis is Enough?
  – Dialog with Other Departments (fit)
Migration
• Phase: Dress Rehearsal
• Phase: Big Move
  – Security Considerations
    • Unplanned ISP outage
    • Out of band communications
• Phase: Decommission
Support Plan
• Service Administration
  – All or Nothing
  – Google Apps Marketplace - abstract the admin layer
  – Who to Trust?
    • Trust But Verify model
      – Does not impede work
      – Provides an audit trail
      – In active state, it monitors for privileged rights use
  – User Inboxes (Postini)
Support Plan
• Service Administration
  – Security Considerations
    • Privileged Access
      – Confidentiality
      – Availability of Systems
    • Email archives available to admins?
      – Unauthorized (unintended) access
    • Transparency
      – Admin Activity
      – User Activity
Support Plan
• Account Administration
  – Integration with Directory Services
    • GAL
    • Accounts
    • Groups
  – License Limitations
  – User Terminations (end-of-life)
    • Transference of Google Artifacts
Support Plan
• Account Administration
  – Security Considerations
    • Accidental deletion of data
    • Account sharing
    • Transparency
Support Plan
• Customization and Automation
  – Have programming support available
    • Technical Control Set
    • APIs
  – Your organization is unique
    • No cloud service is a universal answer
  – You will customize
  – Your organization will change
Questions