Florida's Emails Move to the Cloud
CIO David Taylor discusses his state moving all Executive Branch agencies’ email to a private cloud — law enforcement included.
Last year, Florida went live on a statewide private cloud email system for 115,000 mailboxes -- making it possibly the largest such implementation in the country thus far, says state CIO David Taylor. The most distinctive part of Florida's ongoing implementation: the FBI signed off on the state's planned security approach for protecting its law enforcement data.
Given the security challenges that cities like Pittsburgh and Los Angeles faced in attempts to move law enforcement agencies to the cloud, Florida's ability to do so statewide is impressive. I spoke to Taylor about the Sunshine State's cloud and the implementation challenges involved; an edited transcript follows.
Why did Florida decide to move all statewide email to the cloud?
We had to provide an email system that would meet the business needs of all executive branch agencies and that would include law enforcement. It had to save the state money over the current cost and it had to eliminate the need for the state to retain its own email staff. When we looked into strategies to do it ourselves, it was very unlikely that we were going to get the one-time appropriation to put the entire infrastructure that we needed to stand up such a massive email system and house 115,000 mailboxes. We really felt that we had to go to a "pay-by-the-drink" model -- a utility model -- and we framed our procurement document around that. When we did that document, we didn't specify [a cloud-based system]. We were perfectly willing for a vendor to come into our own data center, build the environment and turn it over to us. It just turned out that the bidders were focused on a private class solution -- every one of them -- so that's what we ended up with, and it seemed to be a good fit for Florida.
What did that transition entail on the part of IT?
I am a believer that you need to eat your own cooking first before you subject it to anyone else. So my agency went first. It was a pretty smooth transition, though it was not without some problems and some lessons learned. I am on it right now; it runs faster than the old system and I am enjoying it quite a bit.
Being the lead agency, what sort of hiccups and bumps did you come across?
Most of them were related to migrating our old account information over to the new. We were on a shared email system among a bunch of users, and that system had been around for a lot of years. There were many different sets of address lists and distribution lists, and there was a bit of confusion about which of those needed to be moved to the new system and which could be left behind. In some cases, the correct call wasn't made on what to bring over, so we just had to sort that stuff out. It wasn't a failure of the vendor. It was just that we were moving some very complex email systems, and in moving them, you're always going to find some things that you just missed and you have to clean those things up. That was pretty small. We are up and running pretty well and getting ready to migrate the next agencies.
What specs regarding Florida's architecture and approach have made it compliant with the FBI's Criminal Justice Information System (CJIS) guidelines?
That has been a long set of meetings between folks at CJIS, a policy analyst at the FBI, our Florida Department of Law Enforcement and my agency -- the four of us went back and forth on [security issues] and we've been doing this for a very long time. We had to work with the FBI to say, 'This is the architecture we want to build -- we want to secure CJIS data in a system that contains non-CJIS data.' Law enforcement data isn't mixed in the same environment as non-law enforcement data; they're generally kept physically isolated. As we move forward, physical isolation isn't the only option of keeping data isolated and secure. You can logically separate it and perfect it with IT systems and policies. So we took that approach, worked with them and we finally came up with a [security] architecture they could support. This is a Microsoft Exchange 2010 system, and that product has backend security control of separation that the FBI will accept just out of the box -- as long as it is configured properly.
But the backend really wasn't the problem. To get CJIS compliant, 32 policies have to be complied with to get certification. We had to go through the process of background checks for all the staff who would be involved in this: from opening the cardboard boxes, to loading the software, to managing the equipment, and so on. We had to deal with the physical system: Do we have the right cage around the system? Do we have the right physical isolation and the data center away from that? Then we had to deal with access to this system through various methods -- Outlook Web Access, a browser, and how are you securing that browser's session to make sure that only people who have the right to access the law enforcement data can access it? And then we have BlackBerry accessing and those various other ways that you can connect to the system and how [we] could secure all those. So we had to go through each of those one by one and make sure that the FBI was comfortable with how we were approaching it. Once we came into an agreement, the vendor began building the system. We don't have CJIS data in there today -- that system is being built. We are not scheduled to move CJIS data in until, I think, March.
What's your take on the previously failed law enforcement cloud projects?
I am not sure what has sunk the email projects nationally. I read about some of them, but they really don't go into details about why they can't be CJIS compliant. I suspect that it either falls around the background checks or advance authentication, which is, for example, when you log into your bank, perhaps you have to set up a series of security questions and you have to be able to answer those. How do we advance authentication of all these different ways of connecting to the system, from Outlook Web Access to the BlackBerry browser and so on? That took a lot of back and forth. I think it's really quite the achievement for everyone that has been involved in that process.
What advice do you have for jurisdictions looking to move their law enforcement data into the cloud?
I would say the most important thing is to make sure you have a strong partnership with your local law enforcement entity that has a lead on that CJIS compliance. We were blessed here that the Florida Department of Law Enforcement was a willing and active partner in this email project from day one. They leaned in and helped us work with the FBI; they wanted to make this happen. Both our governor and our law enforcement agency have been very supportive of this project every step of the way, and that's what makes it happen.
Is cloud computing in government here to stay?
It's inevitable that state governments are going to go this route. There are a lot of states out there trying different systems and approaches, but I think inevitably we will move more and more of Florida's government systems into the cloud in order to save money and be more efficient in providing that data. It's the right thing to do. And public-private partnerships are clearly more efficient. It's hard for the government to continue to make appropriations to keep all our systems up to date. But if we go more to a utility model, we have a fixed cost of doing business that we can understand that's very transparent and very accountable. I really think that's the strategy as we move forward.