Cloud service providers and brokers are making it simpler than ever for government agencies to provision cloud infrastructure and other services. But agencies are paying too little attention to what happens should the time come to switch vendors or reverse course, say people involved in moving federal government agencies into the cloud.
Vendors promise that agencies can decommission their cloud services at any time and take their data elsewhere. But agencies without a well-developed exit strategy are likely to discover that it's much easier -- and cheaper -- to move into a cloud provider than it is to move out, raising the risk of lock-in. "We have a robust approach for getting into clouds, but we have almost no procedures for getting out," says Gunnar Hellekson, chief technology strategist for Red Hat's U.S. public sector business.
Mark Day, acting deputy assistant commissioner at the U.S. General Services Administration's IT acquisition services division, urges federal agencies to address the following questions: What does the transition look like when we come out of a cloud provider? What transition clauses do we need? And what standards do we want? "There are no best practices for that yet," Day adds.
Hellekson's concerns go beyond the need for an exit strategy. "The ability to switch providers creates a certain degree of pricing arbitrage," he says. "This is one of the primary selling points of the cloud." But if agencies have a hard time leaving a provider because of the costs of unraveling and reintegrating systems, "then you can't perform that arbitrage," Hellekson says.
Exacerbating cloud lock-in, and thus weakening agencies' negotiating leverage, is their tendency to customize their cloud services, says former Department of Homeland Security CIO Richard A. Spires, who recommends that agencies avoid those specialized features and support as much as possible.
Hellekson says agencies need to build a detailed strategy for winding down their cloud vendor commitments. Usually when an agency moves from one IT vendor to another, the new vendor pays for the data migration. He recommends instead putting the responsibility on the first vendor. Before signing on the dotted line with a cloud vendor, agencies should explicitly detail in the contract the terms for how that vendor is responsible for packing up and moving the customer's data in the event the customer wants to change vendors.
"If you're renting a house, it's built into the contract that you'll leave it in clean condition or there are consequences -- it's not the next tenant's job to do," Hellekson says. While that relationship is the inverse of the roles he suggests data tenants and their data landlords play, the principle is the same, he says.
"The government knows how to acquire services," Hellekson says. "While there aren't any fundamental acquisition reforms that have to happen, acquisition [teams] should provide more levers to facilitate an exit from a cloud service provider."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.