The City of Syracuse, New York, in cooperation with Syracuse University and the SC3-cpSriA Action Cluster (Smart City and Community Challenge Cloud privacy security rights inclusive Architecture), has recently released a blueprint that aims to help communities of all sizes and technical capabilities build smart cities based on a secure hybrid cloud architecture. The architecture supports confidentiality, access control, least privilege, and protection of personally identifiable information (PII). It also serves as a cloud-based backup when things go wrong.
“You know about the Baltimore ransomware attacks, you know about the Atlanta one, you know about the two Florida cities that just paid off in bitcoin their ransomware attackers,” said Lee McKnight, a professor at Syracuse University who oversees the SC3-cpSriA Action Cluster’s work. “All that is a result of essentially a combination of legacy systems from cities with limited budgets. The cities can’t afford the IT staff or numbers of a Google or an IBM or Amazon or Microsoft for securing cloud services. They’re always going to be more vulnerable because of their limited expertise and awareness.”
The framework for cloud services has been designed to facilitate city officials’ decisions about managing and protecting data. The framework uses a three-tiered data and risk classification scheme: red for sensitive data such as PII; yellow for data that can be shared with controls and monitoring; and green for data that can be shared openly. The workflows applied to the data depend on their classification. City officials can assign a likelihood, impact, and overall rating to each risk and put in place automated controls to mitigate those risks.
“It minimizes the risk and treats all those legacy systems as honeypots,” McKnight said. “You don’t care if they’re attacked because you’ve got everything backed up to the cloud. Nothing worse than a day’s loss of data can ever happen because we’ve designed this properly.”
The architecture conforms to standards such as the Federal Risk and Authorization Management Program, Global City Teams Challenge (GCTC) Cybersecurity and Privacy Advisory Committee guidelines, Health Insurance Portability and Accountability Act of 1996, International Organization for Standardization standards and PCI.