Cloud computing and government can mix -- and with substantial benefits. According to Chris Willey, chief technology officer (CTO) of the District of Columbia, the success of implementing a cloud computing
When it comes to cloud computing, all CIOs and CTOs have to consider the lack of control over data once it leaves a data center, as well as accountability for where it rests. Public technology officers have historically been even more skeptical, given the direct public trust in the data protection of citizens' information.
Willey's implementation of cloud computing builds on the efforts of his now-famous predecessor, Vivek Kundra, the nation's first chief information officer (CIO). As of last week, when Willey presented at the Gov 2.0 Expo Showcase in Washington, D.C., the district has now deployed more than 200 applications for more than 12 governmental agencies in 18 months. In every case, development has been designed around business needs that require quick resolution. Willey has been rolling out a cloud-based tool called QuickBase, from Mountain View, Calif.-based based Intuit Inc.
During his presentation at the Gov 2.0 Expo, Willey asserted moving to a cloud-based development and deployment has resulted in substantial utility for both internal users and the public. In a presentation, he said the district's public schools were an example of a place where cloud computing was applied. Contact information, maps, phone numbers and other data was dynamically populated and made available to the public in QuickBase. The system also provides an easily accessible repository for project data and timelines for internal work and a means to track cash flow through agencies, which in turn allows the CTO to apply a chargeback system. Dashboards that draw upon these data sources are available to the mayor to filter information, for instance, by locating the status of open and closed projects.
QuickBase served a legal need for the district as well. The public school systems were getting sued daily, according to Willey, and risked violating a court consent decree if they didn't develop a better tracking system. His development team built an application using QuickBase for case management in two weeks that was immediately made accessible online to anyone with login credentials.
In an exclusive interview with SearchCompliance.com, Willey elaborated further on the successes and challenges that the district has encountered as it has employed its cloud computing platform.
"In the QuickBase example, Intuit is the owner of the system," Willey said. "They have their own backups and perform the backup of the data. We had a situation where we needed to go back in time to retrieve information from a particular database, and they were able to accommodate that. All of that is governed by the contract with the individual vendor."
Aside from data control, information security is key for any CTO or CIO. "Security is addressed in many different ways," Willey said.
- Authentication: "We've tied in authentication to the system through Active Directory," he said. "If you don't have a login through DC.gov, you can't get into the QuickBase system. Similarly, if you leave DC.gov, and we terminate your account on Active Directory, that's immediately the case over on QuickBase."
- Role-based access: "Another way security is addressed is that you can lock down data at a field level," Willey said. "If you have roles to see fields one, two, three, four -- but not five -- we can accommodate that in QuickBase. We couldn't do that, say in spreadsheets, it's much harder to do- - at least not without a lot of programming work."
- Encryption: "All of the data that is on QuickBase is encrypted," Willey said. "None of the people that are working on it at Intuit can see the data that is in the system. It's all encrypted at that level."
Protecting data is coupled with keeping sensitive data out of the system. "There are things we do not put into QuickBase," Willey said. "Intuit has been forthright in saying that it is not HIPAA-compliant. We do not currently have any data governed by HIPAA in the system. We are working actively with Intuit to try to find ways to make QuickBase HIPAA compliant because we believe it would be a benefit to our Health and Human Service agencies. Until that happens, we have to keep that behind the firewall."
Open data matters, although compliance is considered at every level
Willey made clear that he sees substantial value in keeping data open, providing geographic information systems (GIS) data as an example."We have liberal restrictions on GIS data in the district," he said. "Some cities actually sell their GIS data. By law, we can't. That is, I think, actually a good thing. We're able to make it available and regionally have done a lot of data sharing."
That ethos and perceived value in the release of data to the public was reflected in many of the other presentations from the Gov 2.0 Expo and subsequent summit. Developers are using multiple open data feeds from Data.gov and other agencies to unprecedented effect. "We have about 320 feeds on our data warehouse," Willey said. "De-personalized data or geographic data, like historical buildings. Housing data. Permit data. Those things have been easier to share because of the lack of laws governing their use."
Willey is careful of privacy regulations and laws that govern the use of citizen data. "The office of the CTO does don't own any of the health statistics -- that data is owned by individual agencies," he said. "All we can do is to create a way to enable its sharing through technology. We use frameworks for that that are governed by guidelines like HIPAA or FERPA [the Family Educational Rights and Privacy Act]. Our role is to create the channel by which things can be shared."
Is there enough regulation? I think we've spent a lot of time writing laws about the privacy and security of data … What we haven't done is spent a lot of time on is how do we make data interoperable.
Chris Willey, chief technology officer, District of Columbia
Given that the enterprise in question is a municipality that handles the personal data of many citizens, data protection, privacy and authentication are crucial issues. "So far, the data we're publishing is one-way," Willey said. "You might be able find out crime for an area of the city or even a neighborhood. You cannot, however, get it at the address level or personal level. What's actually published is more aggregate. If a police officer arrests someone, they take that information, report it directly online and it goes into a database. What's actually published is aggregated. All of that aggregation is based on laws. Where that is specifically personal-level identification -- in the case of a sex offender -- that's what the law says. We write the systems that help support the goal of the law."
There's no shortage of compliance challenges for Willey. Because the District of Columbia takes electronic payments, Payment Card Industry Data Security Standard compliance is also at issue in Willey's implementation of technology services, along with a criminal justice information system that relates to arrest data.
And while Willey is careful to maintain compliance with existing regulations, he said he sees the need for a shift in focus for future governance. "Is there enough regulation? I think we've spent a lot of time writing laws about the privacy and security of data, especially around health data and student data -- and I think that's great," he said. "What we haven't done is spent a lot of time on is how do we make data interoperable. City managers, mayors and city planners have a legitimate need to be able to look at data in connection with other data. By doing so, you can ask interesting questions that might lead to answers that might then lead to programs that might have positive benefit to the municipality and citizens. I think there needs to be equal time spent on how data can be used and shared, with the citizen's permission. The city, the state and the country can benefit from that."
Let us know what you think about the story; email: firstname.lastname@example.org.
This was first published in September 2009