Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Local Government Goes Google


Published on

Presented by Brig Otis for the 2011 InnoTech Oregon conference.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Local Government Goes Google

  1. 1. Local Government Goes Google Brig Otis, IT Security Office of Information Technology
  2. 2. Introduction• In October 2010 Multnomah County October, 2010, migrated over 3,600 county employees to Google Apps Government Edition Edition.• One of the first local governments nationwide to use cloud based email and cloud-based calendaring services.Office of Information Technology
  3. 3. Introduction• Brig Otis IT Security Otis,• Dan Cole, Project Manager• St Johnson, Infrastructure Manager Stan J h I f t t MOffice of Information Technology
  4. 4. Agenda• Why Google?• Implementation Team• Vendor Management V d M t• Implementation Considerations• End Users• Migration• Support PlanOffice of Information Technology
  5. 5. Why Google?• Budget Shortfalls• Growing Demand for IT Services• A i E t Aging Enterprise E il S t i Email SystemOffice of Information Technology
  6. 6. Implementation Team• Core Team – PM plus Subteam Leaders• Subteams – Technical –CCommunications – Security – Training – ContractingOffice of Information Technology
  7. 7. Implementation Team• End Users (county employees)• Cloud Service Team• S t System Integrator I t t• Technical Steering CommitteeOffice of Information Technology
  8. 8. Implementation Team• Security Considerations – Representation – Core and Subteam communications – System Integrator • Responsibilities • Product/Service Maturity • Cryptographic controls • Development and Support Processes • Change ControlOffice of Information Technology
  9. 9. Vendor Management• Contracting – References to dynamic policies at URLs – SLA • DR – Exit strategy • Data Escrow • Ownership – Data Classification (yours; not theirs) • Encryption ypOffice of Information Technology
  10. 10. Vendor Management• Contracting – Change Management • Musical Features – Provider Certification • Understand the certification (the package) • Does not certify your use of the service – Example: Sharing of Google ObjectsOffice of Information Technology
  11. 11. Vendor Management• Advanced Planning – Time – Get the actual support team involved – Project management methodology• Security Considerations – Unauthorized access – Breach of confidentiality – Laws and regulationsOffice of Information Technology
  12. 12. Implementation Considerations• Paradigm Shift – Control Set (technical controls) • Built-in • Design yourself – Organizational Policy (administrative controls) – Refresh organizational consciousnessOffice of Information Technology
  13. 13. Implementation Considerations• Fit With Existing Technology – Authentication/Authorization Mechanisms – Dual Delivery – Internet Connectivity – Endpoints (including Mobile Devices) – Directory Services • Wh t to expose / how? What t h ? – MCSO free/busy calendar synchronizationOffice of Information Technology
  14. 14. Implementation Considerations• Fit With Technology Roadmap – Mobile Strategy – Identity Management – Other Cloud Services – Network ConvergenceOffice of Information Technology
  15. 15. Implementation Considerations• Fit With Existing Processes – Basic Account Management • Integration with HR/Payroll – Work Unit Communications – Shared Calendars – Shared InboxesOffice of Information Technology
  16. 16. Implementation Considerations• Fit With Existing Processes – Security Considerations • Identity lifecycle issues – accounts – inboxes – calendars – other cloud-based objects and artifacts • Data in Transit – TLS / Encryption • Confidentiality and Availability (user-managed content) • Unauthorized Access due to sharingOffice of Information Technology
  17. 17. Implementation Considerations• Fit With Culture – What is the nature of the data? – How information systems are used (information handling) – Security Policy governing use of Google AppsOffice of Information Technology
  18. 18. End Users• Security Responsibilities are Increased• Awareness Training• C County D t Departmental Policy t t l P li – Departmental Business Processes• End User/Department Security Concerns – Portable Media – Operations - Patch Management – Economies of ScaleOffice of Information Technology
  19. 19. Migration• Phase: Pilot Program – Security Considerations • Early adopters running too far too fast – Including Privileged Users (Admins) • Representation of Security and other IT leaders in the PilotOffice of Information Technology
  20. 20. Migration• Phase: Planning/Preparation – Communications (time to overcommunicate) – Training (classes using the SAaS) – Support • Self help Self-help • Google Guides - Staff & Googlers • Core Team – Load TestingOffice of Information Technology
  21. 21. Migration• Phase: Planning/Preparation• Security Considerations – Awareness Training – Consistent Organizational Message – Accurate Responses – Accidental Deletion of Data – Old thinking; new Process Issues g; – How much Analysis is Enough? – Dialog with Other Departments ( ) g p (fit)Office of Information Technology
  22. 22. Migration• Phase: Dress Rehearsal• Phase: Big Move –S Security Considerations it C id ti • Unplanned ISP outage • Out of band communications• Phase: DecommissionOffice of Information Technology
  23. 23. Support Plan• Service Administration – All or Nothing – Google Apps Marketplace - abstract the admin layer – Who to Trust? • Trust But Verify model – Does not impede work – Provides an audit trail – In active state, it monitors for privileged rights use – User Inboxes (Postini)Office of Information Technology
  24. 24. Support Plan• Service Administration – Security Considerations • Privileged Access – Confidentiality – Availability of Systems • Email archives available to admins? – Unauthorized (unintended) access • Transparency – Admin Activity – User ActivityOffice of Information Technology
  25. 25. Support Plan• Account Administration – Integration with Directory Services • GAL • Accounts • Groups p – License Limitations – User Terminations (end-of-life) (end of life) • Transference of Google ArtifactsOffice of Information Technology
  26. 26. Support Plan• Account Administration – Security Considerations • Accidental deletion of data • Account sharing • Transparency p yOffice of Information Technology
  27. 27. Support Plan• Customization and Automation – Have programming support available • Technical Control Set • APIs – Your organization is unique • No cloud service is a universal answer – You will customize – Your organization will changeOffice of Information Technology
  28. 28. QuestionsOffice of Information Technology