Seth Kulakow, CISO of the State of Colorado, tackles the topic, offering insight on:
Kulakow is the State of Colorado Chief Information Security Officer for the Governor's Office of Information Technology. His group manages policies, consults with agencies on technical matters, and manages enterprise projects to meet security requirements. He is responsible for enterprise-wide cyber security governance and management for the State. Kulakow was selected as the Chief Information Security Officer (CISO) in November 2008. As the CISO, he is responsible for the State's Information Assurance and Compliancy programs. Prior to joining the Governor's Office of Information Technology, he was the Information Security Officer for Denver International Airport (DIA), ranked the 4th busiest airport in the nation and the 10th busiest in the world.
TOM FIELD: What are the skills needed today for security professionals in cloud computing? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking with Seth Kulakow, the CISO for the State of Colorado. Seth, it is a pleasure to talk to you today.
SETH KULAKOW: Hi, Tom, how are you?
FIELD: Seth, just for context, why don't you tell us a little bit about yourself, your role with the state, and your key challenges today.
KULAKOW: Well I'm the Chief Information Security Officer for the State of Colorado. My role is basically to ... well, we do risk management from an enterprise prospective. We are actively moving into a consolidated environment, where all security functions reside within one group, the Office of Cybersecurity. We are bringing in other agencies that have been siloed for so long, we're bringing in those resources together to handle consolidation, pretty much on the executive side, the cybersecurity policies that were created by law effect the judicial and legislation branches, too. So there is some residing authoritative rule from the cybersecurity side from the executive branch, but it was brought in by the legislative side. So it's kind of ... let's just say it is all of us doing it together.
FIELD: Well, Seth, cloud computing -- tell us about how Colorado is taking to cloud computing and what your initiatives are?
KULAKOW: Well, I think every state has been looking at cloud computing in one context or another. I'm not trying to say everybody is doing it, but it is just kind of a blanket statement. We've taken a look at it. We've got economic conditions that a lot of states have. We are experiencing a drastic reduction in tax dollars and things like that. So you've got to look at any type of opportunities to maximize your efficiencies. Consolidation is really the focus of that. And when you can take consolidation and you look at providing a service in one location, the next step is possibly a cloud imitative, too. So what we are trying to take a look at is a possibly pilot project with a group called the Statewide Portal Authority, or SPA, which has put out an RFP.
So we are going to take a pilot and take some commodity types of services, such as possibly email, desktop applications, and things like that, and move them to the cloud. Now this provides obvious benefits and all sorts of advantages that have already been probably talked to death out there on the internet. So I won't go into that detail, but what I look at from a cybersecurity perspective is that the cost of business continuity and disaster recovery, if you take that risk associated with some of the risk-based analysis information that I am putting into this project to make sure that our vendor follows our current cybersecurity policies that are mandated throughout all branches. We believe that -- and I have yet to finish this off -- but we believe there are some significant benefits to moving to a secure cloud environment for commodity services.
FIELD: Seth, how do you expect you are going to manage these initiatives? Will you do it in- house, will you outsource?
KULAKOW: Well, in managing the contractual pieces, that is what the Statewide Portal Authority is. They're an authority, and what we would be doing is we would be going to that authority to say 'Hey, this is the service that we want. We want to get it from you.' We currently use SPA for a variety of different purposes such as payment credit card types of things where they take the PCI initiative and all the compliances associated with it, and we allow them to do some of the PCI for State of Colorado instead of us having that liability for those agencies. So, we will have the Statewide Internet Portal Authority take over some of that management of that initiative.
FIELD: Well, the topic up front was the skills needed for security professionals in cloud, so give us a sense as you have investigated this. What are going to be the unique staffing demands created by cloud computing? What are the skills the security professionals will need?
KULAKOW: Well, that is a good question, Tom. I think skill set wise, it takes it to a different level. I think that if you look at us, and maybe we are a unique breed in what we do and how we do it, but we're specialized generalist. We try to specialize in generally everything that we possibly can. In a lot of cases, we've never had the opportunity to really specialize in a lot of different things, and what cloud computing is going to do is it takes it to really a different level of not just cyber. It takes it to physical, too. So you've got to know SAS-70, you've got to know how to go inside a data center and really kind of look around to say, just because you're SAS-70 does this really fulfill what I feel is the acceptable risk to that data center? Are they able to provide enough humidity in there and so on? Those types of things are called up time, but that is all associated with the performance of the system, and the system meaning that cloud initiative. So, I think you take your skill sets to a different level. It's just not firewalls. It's physical security. It's the storage of now cameras and the video feeds from those cameras. Whose going to do it, how is it done? It's making sure that you've got access controls in, not for just your own inside area, but now you've got to sync that up with another group that possibly has different access controls to make sure that you are seeing their logs and that it is following compliance. So I think you are taking it to a different level, and it's actually spreading out a little bit more. I think it's making us even more -- it's giving us a broader view of a physical side that in some cases people haven't had that opportunity to look at.
FIELD: Well, Seth, what kind of challenges does this pose to you? Are these skills that you have sort of in house now, or are those skills you're going to have to develop?
KULAKOW: Wow, that's a really good question again. I don't know. I think in-house, there are pieces to the puzzle. Can you put it all together and then make it work in a consolidated environment? In some cases, I would say yes, immediately we can do some of those pieces. But then in another case I would say no, we can't. For instance, the storage requirements to do a DVR type of scenario digital video recording, we haven't taken into account another vendor and taken their storage of their video or the ability to get into that piece. So in some cases I would say yes. It does provide some challenges, but then again there is a lot of compensating controls that you can do if that vendor allows you to get into their DVR system with a requirement of, you're allowed to "read only" type of scenario. Then you can see that maybe they do with three days online, maybe they don't. I think there are ways to work with vendors out there to kind of get beyond these kinds of gaps, but I don't think that we are -- I'm not going to just call out Colorado. I think in general a lot of organizations probably will not have that full in-house ability to do so. Or you know what; they might have just created their own private cloud instead of going to a public cloud.
FIELD: Sure. Last question here for you. One of the things that we have told people consistently is that cloud computing is one of the areas to go into, and you've got lots of people now that are trying to develop their competencies there. What advice would you give to information security professionals that are now starting to look toward specializing in cloud computing?
KULAKOW: Well, I think if I'm looking at that, if I'm looking for as myself trying to get out into this cloud field, there are a million other things to look at. To me, and this is my own personal opinion, the controls for secure cloud are the same type of controls you are going to have in any security program. They might be morphed a little bit differently, but controls are controls. So, those professionals trying to get in there should know those security controls. Now from step one to the step end is different. I mean, are you going to want to learn about desktop security and stuff like that on a cloud? Probably not because you'll probably be working on a server environment. Well, how do you get to security of servers, and how do you get your career to that? Well, my feeling is that you have to start out with the desktops. You've got to know how that works. A-Plus certification, desktop, call center, those types of things -- and then you branch to the server side. So once you get into that server area, I think you're going to see a lot of cloud providers looking for those types of things. The other thing is virtualization is going to be huge, and virtualization security is pretty new out there. I think that is kind of the cusp of a really big, kind of the next big security piece within the cloud. It goes on and on. Personally, I think all of us should be cross-trained in a variety of different types of controls. And it all leads back to privacy. So if you can understand privacy and understand the compliances related to privacy whether it's PII or HIPAA or PCI, it is really a privacy thing. If you can really understand privacy and you can take that compliancy and map the stringent components to that policy of those compliancy requirements, then everything compliance should work in there. So if you can get that knowledge of the operational side, the architectural side, and then the compliance and the privacy side, I think that will really balance somebody out as a specialized generalist.
FIELD: Seth, I appreciate your time and your insight today. Thank you so much.
KULAKOW: Thank you, Tom, for asking.
FIELD: We were talking about cloud computing and I've been talking with Seth Kulakow, State of Colorado. For Information Security Media Group, I'm Tom Field. Thank you very much.