DEVELOPING A UNIFIED APPROACH TO MULTI-CLOUD SECURITY FOR CALIFORNIA STATE
About the Company
The California Department of Technology (CDT) partners with state, local government and educational entities to deliver digital services, develop innovative and responsive solutions for business needs, and provide quality assurance for state government Information Technology (IT) projects and services. CDT is the guardian of public data, a leader in IT services and solutions, and has broad responsibility and authority over all aspects of technology in California state government, including policy formation, inter-agency coordination, IT project oversight, information security, technology service delivery, and advocacy.
The Vision and Challenge
To accelerate large-scale cloud adoption while mitigating security risks and maintaining compliance with regulatory requirements, organizations must establish a unified approach to cloud security that balances control and autonomy. This can be especially challenging for entities that are just beginning their cloud journey, with limited organizational knowledge of the cloud and with security processes that were developed for traditional infrastructure.
The California Department of Technology (CDT), Office of Information Security (OIS) recognized the importance of preparing for State entities to migrate significant internal and customer applications into the cloud. To ensure that these efforts were realized with appropriate secure development processes, security architecture, configuration, and monitoring/management capabilities, CDT sought out a consultant with strong cloud development, security architecture, and operation expertise.
InterVision was chosen by competitive bid to be CDT’s cloud technology security partner, with the expertise and authority to develop a unified approach to secure cloud adoption and operation across cloud providers. With a strong cloud services practice made up of experts who have the experience and education to ensure that entities’ assets are safely migrated to the cloud, we were well-positioned to execute the project with minimal to no downtime or interruption to their daily services.
InterVision had led a previous Palo Alto Networks (PAN) and F5 deployment with the company, which included scripting. As a result of this earlier engagement, the company knew of our expertise to execute with quality on a tight timeline and trusted us as challengers to the status quo. They viewed InterVision as a strategic partner when it came to security automation, so we were a good candidate for the project.
To ensure that critical preventive controls, detective tools, and response capabilities were established and utilized in the early stages of the cloud adoption process, InterVision helped set up CDT’s framework to define the policies, controls, and centralized services and products that 150+ state entities would utilize to ensure security and compliance as they adopted cloud services. Our approach, through our Cloud Migration Lifecycle Assurance (CMLA) program, empowered them to build upon baselines, providing guardrails for safety and centralized services to minimize effort and complexity.
These security standards were set with the knowledge and input of key government officials. We assessed current infrastructure management and policies and adapted them to the cloud. InterVision developed DevOps/SecOps tools and processes to support both multi-cloud and hybrid cloud environments.
To date, we have developed a plan for CDT to develop and implement policies, controls, services, and products in alignment with the NIST Cybersecurity Framework (CSF). For each subcategory in the NIST CSF, we have recommended specific capabilities to support State entities. We have also developed an approach to governance at scale, utilizing centralized ITSM for account management, security and compliance automation, as well as budget and cost control. We are supporting CDT’s infrastructure services team in defining infrastructure management and application delivery tools and processes, including utilizing version control, infrastructure as code, and automated deployment.
AWS Services Utilized:
- AWS Direct Connect (Hybrid Cloud)
- AWS CloudFormation
- AWS Organizations
- AWS Service Control Policies
- AWS Permissions Boundaries
- AWS Artifact