Security costs test states' budgets

Network World - ST. LOUIS - Proliferation of security threats. Pressure for freer access to network resources. Reduced staffing and funding.
Sound familiar?
Any corporate IT department faces these challenges, but the problem is magnified for those in charge of security for state government networks, according to speakers and attendees last week at the National Association of State Telecommunications Directors (NASTD).
"Security is on all our minds every day," said Jim Edman, manager of network technologies for the bureau of information and telecommunications for South Dakota. "Everybody wants access to everything from everywhere all the time, but there's a price to pay for that."
According to NASTD estimates, the 50 states spend at least $3.5 billion a year on IT, but with declining cash and new mandates for public safety systems and compliance with the Health Insurance Portability and Accountability Act, they still are strapped.
Linda Luebbering, Missouri's budget director, said that for the first time, the state has suffered two consecutive years of declining revenue with no end in sight. "Next year is going to make this year look easy," she said.
Federal officials, who demand some of the security improvements without funding them, don't seem to have a sense of urgency to do so, said Paul Taylor, chief strategy officer for the Center for Digital Government. "There is no public investment for public infrastructure right now. They're not treating it like it's real yet," he said. "A lot of things we said we were going to do after Sept. 11 haven't been done yet."
That situation has many states looking to each other for ways to implement effective security policies economically. Many are looking at the Kansas Bureau of Investigation (KBI) implementation of a secure network over the Internet using a combination of firewalls and VPNs from remote desktops to the statewide network. It uses authentication tokens, a public-key infrastructure (PKI) and its own certificate authority to handle digital certificates. Rather than using dedicated circuits or secured public data networks, the KBI uses the Internet to transport traffic. The KBI avoids paying $2.5 million per year it would otherwise spend on those more expensive networks, said Norma Jean Schaefer, who was in charge of the KBI project and is now network infrastructure manager and information security officer for the Kansas Department of Health and Environment.
Agencies that want to access the network must comply with strict standards to support security, but also to support effective management, Schaefer said. "Everybody wanted to connect to us. If I had to manage trust with