Local Government Goes Google

Local GovernmentGoes Google

Brig Otis, IT Security

Office of Information Technology

IntroductionIntroduction

• In October 2010 Multnomah CountyIn October, 2010, Multnomah County migrated over 3,600 county employees to Google Apps Government EditionGoogle Apps Government Edition.

• One of the first local governments nationwide to use cloud based email andnationwide to use cloud-based email and calendaring services.


IntroductionIntroduction

• Brig Otis IT SecurityBrig Otis, IT Security• Dan Cole, Project Manager

St J h I f t t M• Stan Johnson, Infrastructure Manager


AgendaAgenda

• Why Google?Why Google?• Implementation Team

V d M t• Vendor Management• Implementation Considerations• End Users• MigrationMigration• Support Plan


Why Google?Why Google?

• Budget ShortfallsBudget Shortfalls• Growing Demand for IT Services

A i E t i E il S t• Aging Enterprise Email System


Implementation TeamImplementation Team

• Core TeamCore Team– PM plus Subteam Leaders

Subteams• Subteams– Technical

C– Communications– Security– Training– Contracting



• End Users (county employees)End Users (county employees)• Cloud Service Team

S t I t t• System Integrator

• Technical Steering Committee



• Security ConsiderationsSecurity Considerations– Representation

Core and Subteam communications– Core and Subteam communications– System Integrator

• Responsibilities• Responsibilities• Product/Service Maturity• Cryptographic controlsCryptographic controls• Development and Support Processes• Change Control


Vendor ManagementVendor Management

• ContractingContracting– References to dynamic policies at URLs

SLA– SLA• DR

Exit strategy– Exit strategy• Data Escrow• OwnershipOwnership

– Data Classification (yours; not theirs)• Encryption


yp

Vendor ManagementVendor Management

• ContractingContracting– Change Management

• Musical Features• Musical Features– Provider Certification

• Understand the certification (the package)Understand the certification (the package)• Does not certify your use of the service

– Example: Sharing of Google Objects


Vendor ManagementVendor Management• Advanced PlanningAdvanced Planning

– Time– Get the actual support team involvedGet the actual support team involved – Project management methodology

• Security Considerations– Unauthorized access– Breach of confidentiality– Laws and regulations


Implementation ConsiderationsImplementation Considerations

• Paradigm ShiftParadigm Shift– Control Set (technical controls)

• Built-in• Built-in• Design yourself

– Organizational Policy (administrative controls)Organizational Policy (administrative controls)– Refresh organizational consciousness



• Fit With Existing TechnologyFit With Existing Technology– Authentication/Authorization Mechanisms

Dual Delivery– Dual Delivery– Internet Connectivity

Endpoints (including Mobile Devices)– Endpoints (including Mobile Devices)– Directory Services

Wh t t / h ?• What to expose / how?– MCSO free/busy calendar synchronization



• Fit With Technology RoadmapFit With Technology Roadmap– Mobile Strategy

Identity Management– Identity Management– Other Cloud Services

Network Convergence– Network Convergence



• Fit With Existing ProcessesFit With Existing Processes– Basic Account Management

• Integration with HR/Payroll• Integration with HR/Payroll– Work Unit Communications

Shared Calendars– Shared Calendars– Shared Inboxes


Implementation ConsiderationsImplementation Considerations• Fit With Existing ProcessesFit With Existing Processes

– Security Considerations• Identity lifecycle issues

– accounts– inboxes– calendars– other cloud-based objects and artifacts

• Data in Transit– TLS / Encryption

• Confidentiality and Availability (user-managed content)• Unauthorized Access due to sharing



• Fit With CultureFit With Culture– What is the nature of the data?

How information systems are used– How information systems are used (information handling)

– Security Policy governing use of Google Apps– Security Policy governing use of Google Apps


End UsersEnd Users

• Security Responsibilities are IncreasedSecurity Responsibilities are Increased• Awareness Training

C t D t t l P li• County Departmental Policy– Departmental Business Processes

• End User/Department Security Concerns– Portable Media– Operations - Patch Management– Economies of Scale


MigrationMigration

• Phase: Pilot ProgramPhase: Pilot Program– Security Considerations

• Early adopters running too far too fast• Early adopters running too far too fast– Including Privileged Users (Admins)

• Representation of Security and other IT leaders in the Pilot


MigrationMigration

• Phase: Planning/PreparationPhase: Planning/Preparation– Communications (time to overcommunicate)

Training (classes using the SAaS)– Training (classes using the SAaS)– Support

• Self help• Self-help• Google Guides - Staff & Googlers• Core TeamCore Team

– Load Testing


MigrationMigration• Phase: Planning/PreparationPhase: Planning/Preparation• Security Considerations

– Awareness TrainingAwareness Training– Consistent Organizational Message– Accurate ResponsesAccurate Responses– Accidental Deletion of Data– Old thinking; new Process Issuesg;– How much Analysis is Enough? – Dialog with Other Departments (fit)


g p ( )

MigrationMigration

• Phase: Dress RehearsalPhase: Dress Rehearsal• Phase: Big Move

S it C id ti– Security Considerations• Unplanned ISP outage• Out of band communications• Out of band communications

• Phase: Decommission


Support PlanSupport Plan• Service AdministrationService Administration

– All or Nothing– Google Apps Marketplace - abstract theGoogle Apps Marketplace abstract the

admin layer– Who to Trust?

• Trust But Verify model– Does not impede work– Provides an audit trail– In active state, it monitors for privileged rights use

– User Inboxes (Postini)


Support PlanSupport Plan

• Service AdministrationService Administration– Security Considerations

• Privileged Access• Privileged Access– Confidentiality– Availability of Systems

• Email archives available to admins?– Unauthorized (unintended) access

• Transparency• Transparency– Admin Activity– User Activity



• Account AdministrationAccount Administration– Integration with Directory Services

• GAL• GAL• Accounts• Groupsp

– License Limitations– User Terminations (end-of-life)User Terminations (end of life)

• Transference of Google Artifacts



• Account AdministrationAccount Administration– Security Considerations

• Accidental deletion of data• Accidental deletion of data• Account sharing• Transparencyp y



• Customization and AutomationCustomization and Automation– Have programming support available

• Technical Control Set• Technical Control Set• APIs

– Your organization is uniqueYour organization is unique• No cloud service is a universal answer

– You will customize– Your organization will change


QuestionsQuestions


Local Government Goes Google

Technology

Transcript of Local Government Goes Google