The House Committee on Government Transparency & Operation met on April 5 to hear invited testimony over interim charges concerning cyber security, cloud computing, and technology procurement.
 
Interim Charge 1
Identify and address potential gaps in the state's cyber security policies and ensure that personal information held by state agencies is secure.
 
John Dickson, Denim Group

  • Has extensive experience with cyber security and legislative concerns relating to cyber security
  • Participated in a recent symposium over emerging needs of cyber security policy
  • Legislature did not act after CPA breach during 82nd legislature, many interested in policy had not taken action to correct or discover additional problems
  • Thus, cyber security is largely an agency issue and has not been on the legislature’s agenda until recently
  • Pockets of “security excellence” exist in certain agencies, but many agencies still have very inadequate security, perhaps due to lack of coordinated public policy initiatives
  • Unless legislature changes its approach to cyber security, Texas is very vulnerable to another security event like the CPA breach
  • Security issues lead to increased distrust in the Texas government’s infrastructure, can negatively impact relations with federal government, other states, citizens etc.
  • Texans will remember security breaches, will definitely remember the government personnel involved
  • Because of its importance, cyber security should be dealt with at a state policy level, private companies understand this and tend to deal with this at board and CEO levels
  • State should have a mechanism in place to sign-off on the risk of cyber security at the highest level
  • Other states have needed to divert funds away from public projects to handle cyber security issues, would like Texas to avoid this
  • Increased cyber security standards are also a cost-saving mechanism, increased transparency efforts can also lead to making secured information vulnerable
  • Clarity is needed for the committees that govern this issue, should consolidate authority over cyber security issues
  • Gonzales – Points to written testimony that Dickson was surprised at how little elected officials care about cyber security, asks what the root of this problem is? How do other states hold officials accountable?
    • Observation is based upon years of working with state agencies, some like DIR have been working to change this
    • However, this has not been a priority, e.g. interim charges on cyber security have not appeared until recently
  • Gonzales – So would the commissioner sign-off on threats, rather than the IT department?
    • Yes
    • Benefit is that government becomes more aware of potential costs for releasing unsecured information
    • Former agency action has been guesswork in implementing public policy, legislative intent needs to be clear
  • Gonzales – Does every agency need to take cyber security protection steps?
    • No, smaller agencies do not need biometric scans, etc. as some of the larger and more influential ones do
  • Gonzales – So at some point different security needs of different agencies needs to be worked out
    • Correct, some effort has been made, but largely agencies have not been assessed for scale of risk
  • Elkins – Mentioned that more boards and CEOs have called on Dickson recently, is this influenced by the cost of dealing with security threats
    • Companies have become increasingly concerned given the recent security problems
    • Real problem in commercial world is not defacement or credit card data loss, but losing out on day-to-day operations to deal with security problems (e.g. Sony lost 2 or 3 weeks of work time due to leaks)
  • Elkins – Banking industry has PCI compliance, etc., is there a standard the Texas government can look to? Seems that standards are tailor-made for certain industries
    • PCI compliance does not ensure security, merchant credit card data leaks came from sources outside of PCI compliance
    • Real issue is that most vulnerable and critical entities use compliance as a starting point
    • DIR does a good job of setting standards, biggest issue is if any given agency follows the letter and spirit of existing security regulations
  • Walle – How much would hardening cyber security cost?
    • Last session, risk assessments were determined to cost $500,000 to $1 million, however this would only scratch the surface of quantifying risk
    • Numbers for actual hardening exist, but other priorities are in the forefront
  • Walle – Again asks how much it would cost?
    • Mike Wyatt, Deloitte – In the private sector it tends to be 7%-8% of total IT money spent, state governments tend to only spend between 1%-2% now
    • When states look to fund
  • Walle – Asks for a solid dollar amount
    • Gonzales – His committees have had difficulty keeping up with the actual number, technological advances mean that government is trying to catch up regularly
    • Gonzales – Sen. West had an entire subcommittee looking at IT, back funded much of this, but changing technology made it difficult
    • Elkins – This seems to be a constant back-and-forth issue, legislative fix would be to find a framework to let individuals be more responsive

 
President of Innovae Solutions

  • Cyber security acculturation programs are important, security is more than just an IT problem and other sectors should be aware of the issues
  • Security threats can include nations, “hacktivists,” organized crime, and insiders, all with differing objectives, security needs are relative to the threat and the entity at risk
  • In constrained budget environments, prioritization and focus on key issues will be important
  • Risk can never be reduced down to “zero,” this view is just unrealistic and this would be large and costly
  • Agencies should authorize cyber security spending to manage risk on their highest priority assets
  • Critical Systems and Data Assets (CSDA) – Elements that ensure safety, security, and privacy of citizens or ensure the effectiveness of an entity
  • As state puts more information and service access on the internet, risk increases
  • Considering all of this, it is important to identify critical risks, think in terms of reducing rather than eliminating risk, continually assessing risk, and increasing awareness of risks outside of state’s control
  • Cyber security policy must go beyond security compliance, must be reactive and anticipate future security threats, fully “compliant” entities can still be vulnerable to breach
  • Rapidly changing technology can also present new cost-effective and tailored security approaches
  • Gutierrez – Highlights written testimony stressing importance of state and business relationship for security, asks for clarification on this
    • State and businesses should be aware of security in other organizations, businesses should feel confident that state held data is secure
  • Gutierrez – Doesn’t Texas make itself more vulnerable as more public-private partnerships are formed
    • Dickson – Yes, this changes risk profile, upfront risk assessment is important and agencies like the RRC should be very aware of this
  • Gutierrez – Will be important to figure out how public policy can encourage private entities to increase their security
    • Dickson – Also consider how businesses might not want to deal with a state government that cannot secure its data
  • Gutierrez – Would like to be kept updated on ideas to protect consumers and defend against threats outside of the state’s control
  • Elkins – Is “zero” risk possible?
    • “Zero” risk is not possible, most security experts would agree
    • More beneficial to think about resiliency and reduction of risk
  • Elkins – Highlights FBI and Apple battle and how FBI dropped case against Apple, Apple commented that it was “impossible” to make an unbreakable phone
  • Elkins – Most personally identifying information collected by the state is collected automatically, does the state need to look at obfuscating collection data, “virtualizing” the data? Asks for advice on making personally identifying information secure
    • PII is a CSDA that should be protected, encryption and encrypted transfer is one way to do this and likely the most applicable method
  • Elkins – Seems to be a battle with the federal government, they do not seem to like encryption
    • McCall is setting up a committee to study this dispute
    • This problem might be solved mathematically, differing developments like “block chains” could be used, but none of these methods are a “panacea” and should be used in concert with other security approaches
  • Elkins – Does not understand the “block chain” concept

 
Michael Wyatt, Deloitte

  • Key issues include the budget and strategy disconnect, the difficulty of security, and the lack of crucial talent in IT departments
  • Considering how state government is involved with the internet, internet was developed to share information, not keep it secure
  • Creation of risk is fine so long as the risk is acknowledged and planned for, important to ask how much it will cost to implement appropriate and adequate security
  • Security must be paired with vigilance and resiliency, i.e. the ability to quickly respond to and recover from threats
  • Monitoring is equally important to be able to track entries into secure environments
  • State agencies have a difficult job, must comply with budgets, federal regulations if they receive funds, and state requirements, difficult to balance this with limited amounts of funding, but DIR has made great strides in revamping the security framework
  • Elkins – Recently became aware that people with health issues will steal the medical information of others to receive care under another’s insurance, can lead to deadly medical records issues
    • Understanding data and threats is critical before spending money to address issues, medical records are very important, but perhaps other issues in the agency are not
    • Dickson – Important to look at companies who have not been breached, see how they maintain this and ensure they adopt proactive security practices
  • Turner – Where do you find knowledgeable entities skilled in security
    • Key is to find those with a legal and security/technology background
  • Galindo – Do current federal state and security requirements meet what the private sector does to protect data?
    • Federal government standards are being adopted by critical elements in private industry, federal standards are risk-based
    • Reason being that common regulatory schemes help collaboration
    • Dickson – Federal agencies and large companies alike have asked for clarity in regulation
  • Important to develop classification and encryption standards, understand how this data moves through an organization and how to deal with certain types at a glance
  • Gonzales – How much of this is legislative and how much of this is good agency IT hygiene? Legislation doesn’t seem to be the answer, rather education and awareness of the leadership personnel at agencies
    • Agrees, has seen the importance of involved and educated agency leadership in other states
    • Dickson – The crucial legislative initiatives would be to make agency directors responsible for cyber security risks and have a separate position that risks and assessments are reported to
    • LBB could also be involved
  • Gonzales – Very interested in this approach, has questions for the LBB when they testify and if LARs are properly reflective of cyber security needs
  • Best time to “bake in” security awareness is when organizations go through structural renewals
  • Funding exists beyond general appropriations, federal government is paying in large quantities for HHSC security improvements
  • Organizations should run extensive threat modeling and simulations, practice how to prevent and control security problems and related protocols

 
Eddie Block, CISO and Cyber Security Coordinator, DIR

  • DIR has made many improvements to state’s security procedures, including 50 security penetration tests per year, 15 non-technical security assessments, and adopting a new Texas security framework (revised TAC §202) that details roles and responsibilities and references a separate technical document
  • DIR revamps are modeled on NIST to ensure compatibility
  • TAC §202 has accountability incorporated for any sufficiently high-risk events
  • Gonzales – Is this defined somewhere?
    • Yes, high, medium, and low security threats are defined
  • Gonzales – As more P3s are established, is there an issue with resetting or revoking security clearances and standards?
    • Agencies deal with this directly, some are better than others
    • Those that tend to do well tend to have some sort of third-party accountability piece
  • Walle – What are your thoughts on having a Chief Privacy Officer?
    • A very necessary thing, especially for a state as large as Texas
  • Walle – This seems like a large and overwhelming job
    • Similar approach to the statewide Data Coordinator, one role was made first and then staff assessments were made later
    • Very beneficial to have one person who understands all of the applicable rules, can help other agencies answer critical security questions
  • Walle – Is “hacktivism” common on a state government level?
    • Yes, groups attempt to discredit Texas or its personnel quite frequently across all state services
  • Nations and organized crime threats tend to target certain agencies regularly
  • Galindo – How many attacks are reported against state systems?
    • This is reported, attacks can be defined in many terms
    • Automatically blocked events occur roughly 2 billion times per month, scripted, brute-force attacks that do not require human response
    • Incidents requiring a response occur roughly 25 times per month
    • Denial of service attacks happen regularly, these can stop government services temporarily
  • DIR reporting helps to track security threats and effectiveness of response, training is also provided continually for many different state and local personnel
  • Also runs an “InfoSec Academy” to get all agencies’ ISOs up to date
  • DIR also issues security licenses and credentialing
  • Gonzales – And how many people take advantage of this?
    • Not that many, 40,000 licenses exist out of roughly 300,000 personnel
  • Gonzales – Would like to get more agencies to participate in security education, does not think a legislative action will fix this
    • DIR struggles with the same thing, constantly working on more participation
  • Galindo – Is every agency now using Windows?
    • For the most part, some dummy terminals still exist
    • Running some outdated Microsoft software is a potential security risk as Microsoft does not support this software
  • Elkins – Last year 50,000 personnel were identified as still using Windows 95, has this been corrected yet?
    • Not to his knowledge
  • Galindo – But Texas now runs on mostly web-based program, correct?
    • Yes
  • Galindo – Is there an inventory list of software obsolescence?
    • Not here, but yes
  • Elkins – Believes that legislature previously gave DIR authority to solve legacy software problems
    • Yes, currently capturing legacy software usage information
  • Elkins – Is part of the problem that hardware will not run newer software
    • Two problems, hardware and crucial software that will not operate in newer software environments
  • Gonzales – Part of this problem is that legacy software is custom-made, correct? Cannot just buy off-the-shelf replacements
    • Correct
  • Elkins – Well at least these legacy programs are not open to the internet and would be hard to hack
    • This approach is very broken in reality, needs to be fixed
  • Turner – Problem exists where knowledge of code for these legacy programs will eventually disappear, also comments that Texas’ security infrastructure is less advanced than many of the attackers’, difficult to secure
    • Important to identify critical security holes and how to address those

 
Lena Conklin, DIR

  • HB 2738 required legacy systems studies, found that over half of agencies’ business applications were legacy and were an increased security risk
  • DIR is due to submit a report on legacy systems and required updates to the LBB this year
  • Other security updates are forthcoming, DIR report will summarize the efforts of these updates and bulk purchases required
  • $11.5 million for biennium is dedicated to improving security postures at various agencies
  • $700,000 for the biennium is dedicated for the operations of the network security center and various network security assessments
  • Funded largely through DIR’s cooperative contracts program
  • Gonzales – So these strategies exist in DIR’s budget?
    • Yes

 
Mary Dickerson, Texas Cyber Security Education Economic Development Council

  • Council was designed during 82nd legislature to look at state cyber security infrastructure, cyber security industry, and educational needs for workforce and citizens
  • In 2012, there was no statewide cyber security coordination beyond DIR, lack of coordinated effort allowed cyber crime to outpace infrastructure
  • Effective programs tended to be localized and were not adapted to work statewide
  • Council identified 10 recommendations listed in written testimony, including:
    • Establish Texas Coordinator of Cyber Security, role has been created in DIR, concern remains that position responds to many different attacks and DIR may be overloaded with these additional responsibilities
    • Establish a business advisory council to solicit opinions and approaches from industry to benefit Texas economically and from a security perspective
    • Encourage best practices amongst agencies, education of best practices has been effective through DIR
    • Address education component that ensures workforce is aware of security threats and appropriate response
  • Gonzales – What are the credentials of the security-minded IT workforce?
    • Looking for all hires given general lack of security personnel, trying to identify the range of appropriate education and cyber security experience

 
Dr. Gregory White, UTSA, NTCP

  • UTSA runs several programs to encourage cyber security awareness in the up and coming workforce
  • Also conducted several cyber security exercises focusing on general workforce and management security awareness
  • Community Cyber Security Model, designed to inform states of general cyber security progress and preparedness, allows for different authorities to share and collaborate on security approaches
  • Security threat absolutely exists, entities attack Texas for a wide variety of reasons and use widely different approaches exploiting weak security measures
  • Important for states to understand that security issues disrupting public services are incredibly damaging to public relations, public will look to elected officials
  • Texas is not prepared, however no state is “truly” prepared
  • Recent DIR steps have been tremendous, but there is still room for improvement and encouraging a “culture of security”
  • Texas should be implementing a cyber security information sharing program and continue to advance the improvements DIR started
  • Important to consider that bad actors targeting Texas do not have to attack Texas’ governance directly, attacks against infrastructure and industry can be just as effective
  • There are many no-cost and low-cost measures Texas can take to improve security including security simulations involving IT students, advisory boards, etc.
  • Elkins – How successful were your students?
    • Very successful, when students from different disciplines collaborate they can be very effective
  • NTCP is paid for by the federal Department of Homeland Security, limited budget, but many educational courses are offered to help increase cyber security awareness
  • Gutierrez – Recently budget was cut in UT for a department that looks at fraud protection
    • NTCP has not received any state funding, majority of funding comes from DHS
  • Gutierrez – Is there a similar center at different institutions?
    • Most centers are not funded or only partially funded by state dollars
    • Centers tend to follow the source of funding, focus on state action would require increased state support
  • Gutierrez – Thinks that legislature has something to start talking about from a budgetary perspective

 
Interim Charge 2
Examine purchasing practices by state agencies to ensure such practices are efficient and transparent.
 
Jennifer Saha, CompTIA

  • Texas is currently the second largest state for tech employment
  • CompTIA advocates for efficient and transparent technology procurements
  • Texas state agencies have been working to implement changes from the 84th session’s contracting discussions, most important thing CompTIA noticed from this is an increased need for communication between agencies and vendors
  • Agencies acting under the impression that communication with vendors is not allowed has negatively impacted procurement within the state
  • DIR and CPA have provided guidance on contracting requirements, but different agencies are free to interpret these requirements differently
  • Procurement Oversight Agencies have been effective within other states, likewise legislation could work to help educate agencies on best practices
  • Working with CPA to provide input on vendor portion of CPA procurement study
  • Standards to make regulations and performance measures more objective will help contracting generally
  • Texas Vendor Performance Tracking System is better than other systems observed in other states, however Texas still has clarity problems with contracting requirements

 
Bobby Pounds, Comptroller of Public Accounts Office

  • CPA was charged with examining state agencies to ensure efficiency and transparency in procurement
  • Contracting study was designed to examine cost savings by abolishing separate purchasing offices within agencies and ability of state to leverage consolidated purchasing power
  • Award was made to RSM to conduct the study, CPA has begun working with RSM to identify and collect relevant data
  • Walle – Why were the higher education entities excluded from these studies?
    • Higher education has different requirements, primary study agencies were trimmed down to 110 agencies via object codes by the data transparency division
  • Preliminary report from RSM is due in June, from July-December of this year analysis staff will be compiling data
  • Vendor study also being conducted with help from CompTIA

 
Sandra Woodruff, Comptroller of Public Accounts Office

  • SB 20 from the 84th charged CPA with studying CAPS reporting from different agencies in the state
  • CPA is working to allow oversight agencies to access data directly from CAPS to oversee purchasing across the state
  • CAPS deployment is advancing across the state in groups of agencies
  • With continued funding, CAPS will conclude in 2020

 
Jake Pugh, Contracts Oversight Team, LBB

  • Two major provisions in General Appropriations Act, including mandatory reporting of contracts exceeding $50,000 and widening the definition of contracts generally, also requirements to report and attest to contracts over $10 million and single source contracts over $1 million
  • Dollar value and procurement issues can lead to further reporting requirements
  • While exemptions to post documents exist, these exemptions do not exempt agencies from providing information to the LBB on request
  • LBB now has a single web-based system for hosting contract information, close work with the CPA office will ensure more contracting data being available
  • Currently working with high volume agencies (e.g. HHSC) to help complete contract reporting
  • Walle – HHSC is high volume as it primarily manages contracts, how is this proceeding?
    • HHSC reporting has been going a little slow, working on methods to render all contracts compatible with the LBB system
  • Walle – Is this a manpower or a technology issue?
    • A little bit of both
  • Walle – Is there anything this committee can do?
    • No, in constant communication with HHSC and working to get this done
  • LBB is also training personnel over reporting requirements and the function of the new database
  • LBB goal is to mediate and mitigate risk, will be making budget and policy recommendations to improve contracting requirements
  • Gutierrez – DPS had around $16 million in “emergency items” in the old contracting system, what is the status of the reporting of these items? Are agencies required to report the use of the emergency exemption
    • Yes, any contract over $1 million requires an attestation, and any contract using this exemption over $50,000 is flagged as such
    • Can get detailed data on emergency use
  • Gutierrez – Lack of transparency for this item is concerning, contracts should be generally open to the public
  • Gutierrez – Is there anyone else out there using the emergency exemption?
    • Will look into this and the status of DPS reporting

 
Dana Collins, Contract Management, DIR

  • Beginning September 1, state agencies are now required to follow two requirements of SB 20 including thresholds for cooperative contracting ($50,000-$150,000 requires 3 vendors, $150,000-$1 million requires 6 vendors, etc.) and statements of work for services for contracts over $50,000 (certain services not related to hardware or software require submission)
  • DIR reviews the statements of work to ensure they are in line with services contracts and that these contracts do not also include procurement of hardware or software
  • Also looks to see if contracts require background checks and other administrative requirements
  • Begins with a dialogue with the agency to review the vendors they have solicited, continues to statement of work development, and concludes with a final review process to ensure contract is still within scope
  • Agencies are required to post executed statements of work on their websites
  • DIR has also conducted training programs and panels to educate customers in the new requirements and procedures
  • DIR has been monitoring via vendor sales reports over $50,000 and the Electronic State Business Daily
  • Walle – Does the legislation have enough force to tackle those not complying with the law?
    • A lot of agencies are asking really good questions, DIR is able to explain the correct process for reporting
    • General procedure involves writing a letter to leading authority in case of noncompliance
  • Walle – What happens if a contract is missing an attestation letter
    • Agency is contacted and relevant agency authorities are informed
    • Generally, guidance to agencies has been preferred over enforcement
  • Gonzales – A lot of previous contracting issues have involved poor terms and conditions formulation, is the state getting better at this? Is the state getting better at management? Does SB 20 help?
    • CPA says yes, agency communication is much higher than previously
    • Other states have inquired about Texas’ new model
  • Gonzales – So for contracts over $1 million, the agency conducts their own solicitation
    • Correct, agencies may not use the cooperative contracts program
  • Gonzales – DIR used to be involved in large value contracts, correct?
    • Contract advisory team review does have DIR participation
    • Review team likewise has some review authority

 
Interim Charge 3
Study the use of commercial cloud computing by state agencies and institutions of higher education, including efficiencies surrounding a utility-based model, security impacts of transitioning to cloud computing, and cost-savings achieved by the utilization of commercial cloud computing services.
 
Buddy Garcia, NEC

  • Public Cloud – Infrastructure provided by provider, least amount of overhead costs
  • Hybrid Cloud – Infrastructure maintained partly by provider equipment and partly by local equipment, can be a good transition for organizations with large traditional computing networks
  • Private Cloud – Organization maintains all of the cloud computing equipment, does not offer many advantages as investments will still need to be made to update the equipment periodically
  • Texas is in a good position to move into a Hybrid system
  • LAR strategy and budget can provide a barrier to moving away from traditional computing techniques

 
Jennifer Saha, CompTIA

  • Not a question of “if,” but “when,” many state governments already use cloud systems
  • Cloud is dynamic, flexible, and potentially cost-saving
  • Elkins – Is cloud computing as secure as non-cloud systems?
    • Question is difficult to answer, depends on a lot of actors
    • Cloud providers typically have a suite of security tools, cloud systems can have a smaller “surface” for security threats to attack
  • Elkins – Can cloud systems be used to help solve staffing gaps?
    • Can be used to offset the gap, however cloud support personnel will need to be hired to maintain the system

 
Mark Ryland, Amazon

  • Utilizing a private cloud removes many of the benefits of cloud computing as it requires investments of capital
  • However, none of the models are a perfect fit
  • Cloud computing is a mega trend across the industry
  • Organizations implementing cloud technology have seen increased cost-savings and increased productivity by combining computing power
  • Some municipalities in Texas have decided to pursue cloud computing, has allowed more spending on public services and infrastructure improvements
  • Agility of cloud’s infrastructure to adapt to change can be very beneficial, previously this was only possible with software
  • Can be a challenge to work mid-level procurements into the overall large-purchase focused government technology procurement structure; traditionally large procurements came with incentives
  • Problems with the large procurement model include difficulty of adaptation to changing technology
  • This problem has increased, and it is more important now to have a computing system that is adaptable, cost of replacing large procurement systems has become burdensome
  • Vendors are highly invested in securing cloud systems they provide, business rests upon reliability and security of their systems
  • Cloud systems also provide benefits by consolidating technologies that need to be serviced by personnel
  • Additional studies over total cost of ownership might be beneficial
  • Texas should strengthen the cloud first policy, US Government requires considering cloud services before considering other computing solutions
  • Elkins – Who are Amazon’s biggest competitors?
    • Amazon got an early start in a trending industry, biggest competition is the traditional computing solutions
  • Elkins – Are Microsoft or Google jumping into your space?
    • Yes, big technology providers
  • Elkins – Do you provide PCI data security?
    • Absolutely, Amazon maintains this and was one of the first to provide PCI compliance
    • Capital One Bank is transferring their mission critical services to Amazon’s system
  • Elkins – Does your solution allow for use of different operating systems?
    • Yes
  • Elkins – Does the state have to buy all of the licenses for software when using the cloud?
    • Two options exist, per hour use and entities can run their own licensed software on the cloud
    • Per hour use comes with regular update over rates
  • Gonzales – Highlights that DSHS reduced administrative costs by 75% by utilizing cloud services, can this be expected across the board?
    • Cost savings tend to range from 1/3 to 2/3 of current IT spending
    • Cost savings most apparent for variable load environments
  • Gonzales – Huge fan of cloud services and supports Texas moving in this direction
  • Elkins – Agrees that there is a positive side to this, must be a downside however, what is the barrier for other states?
    • Some of it is a skills issue and adapting to the IT needs of cloud systems
  • Elkins – How would the state audit Amazon when they provide this service?
    • Amazon works with various governmental and financial entities to audit the cloud environments and produce reports on security
  • Elkins – Have you ever been hacked?
    • Customers have had issues when they make mistakes, providers themselves have not been hacked
  • Elkins – What would a customer do to expose themselves to security threat?
    • There are still locally run firewalls, etc. Amazon’s service sends warnings when it detects minor security faults
    • Likewise, storage systems can be left open and this leads to vulnerabilities
  • Elkins – Are you using AI?
    • Amazon has a very large machine learning organization

 
Cam Beasley, UT Austin

  • UT Austin believes that cloud computing would provide many benefits for the state, however it is important to consider how the network is secured, how the software run on the network is secured, and how data stored and transferred is secured
  • UT Austin has found significant holes in cloud provider services, very important that state performs a security evaluation and properly develops contract terms and conditions
  • For contracting, it is important to understand who has access to the data, oftentimes many different entities can have access to the stored data and regulations can affect who is able to access, etc.
  • UT Austin has been very successful in consolidating data centers and providing private cloud computing services for their network
  • Costs exist for transferring data between the cloud and ensuring security of the data, likewise for evaluating applications on the cloud

 
Gerry Caffey, LBB

  • State agency use of cloud computing is growing, but it is important to properly examine all aspects before moving forward
  • Infrastructure support
  • Providers can also provide some front end support for databases
  • Last type is actual application support where provider
  • Likely 100% usage of cloud services amongst large state agencies, IT departments tend to have usage that does not get noticed
  • Benefits of cloud computing include location independent application usage, scale and cost savings, and LBB has noticed agencies improve outcomes when using third-party applications
  • Security highly depends upon the cloud provider and vendor, large providers who strictly provide hardware infrastructure support are likely very secure
  • Study found that 8% of cloud providers were at high risk for security issues, 37% were at low risk for security issues
  • Health and criminal justice records require special handling, not all cloud providers are compliant with these handling requirements
  • Cloud computing also involves a loss of control, data can sometimes be difficult to release or utilize, likewise applications are often not customizable
  • Some cloud providers state that data belongs to them, could cause issues if agreements are ending
  • Elkins – Where did you see this?
    • Nothing specific, but has seen this before
  • Elkins – This would be an issue
  • Cloud computing is like any technology, needs to be managed intelligently

 
Dale Richardson, DIR

  • Agencies can use two contracting vehicles to procure cloud services, cooperative contracts program and data center services program
  • Adoption has been slow, agencies are citing security concerns and lack of competent personnel
  • Total sales volume on cloud contracts is roughly $3.5 million, training and education is needed if adoption is to accelerate
  • However, DIR expects adoption to rise
  • Data center services program is a fully managed IT service, but not all need to be fully managed, when the program completes Texas will have one of the first hybrid cloud computing
  • Utility-based cloud computing, pay per use, is a new service model that is taking hold in the industry, will likely continue to grow and could be useful for Texas to adapt to varying workloads
  • Would be good for agencies with less sensitive information to move those data services to the cloud and get some work experience
  • DIR has seen a 30% cost reduction for some cloud services

 
Next hearing scheduled for Tuesday May 24th, possible additional hearing on May 25th