As California ventures into cloud computing, the state’s rules have come from established structures and standards developed by the federal government, a top state official said.
Ron Hughes, deputy director of the Department of Technology’s Data Center Services, said the federal Cloud First policy has inspired the state government as it designs its program for writing bids for cloud-based services. The department recently signed a letter of intent on a contract with AT&T and IBM to develop Cal Cloud in the state’s data center, with private, public and hybrid clouds.
"We believe that it will change the way services are delivered in the future in the state of California," Hughes said in a Q&A in Techwire’s winter issue. The cloud infrastructure scheduled to go online in the second quarter of 2014 will be managed on state premises and have several different offerings for customers, Hughes said.
"The customer will have self-service capabilities and would be responsible for managing their application, their databases and any management software that they utilize," Hughes said.
Though California’s venture into cloud computing has been too slow for some, like Lt. Gov. Gavin Newsom, Hughes urged caution in moving forward. His caution may be warranted. A February 2013 study from the Cloud Security Alliance showed the top five cloud computing threats—data breaches, data loss, account or service traffic hijacking, insecure interfaces and APIs and denial of service attacks—are "security issues whose full impact is still emerging."
"Establishing a cloud-first policy is certainly something that I believe Director Ramos would consider in the future. However, there are a number of things government is obligated to figure out first," Hughes said. "For example, contracting models, data security and confidentiality, reporting protocols for IT security incidents when a third party owns the cloud infrastructure and much more."
The federal government’s example has helped in developing security standards, Hughes said. But, he added, the state needs more experience working with the cloud before it implements any policy change that mandates its use.