Private clouds promise maximum control and strong security, while commercial cloud services are fast and flexible. Which works best? Government agencies are adopting both, as well as hybrids. The private cloud vs. public cloud debate is rapidly giving way to new models where agencies tap on-demand IT resources from a variety of cloud platforms--private, commercial, hybrid, software as a service--based on what best suits their needs.
There are few technology trends the U.S. government is embracing with such fervor as the cloud. In his Federal Cloud Computing Strategy report, published in February, federal CIO Vivek Kundra set a target of shifting 25% of the government's $80 billion in annual IT spending to cloud computing.
How fast will federal agencies make the transition? InformationWeek Government and InformationWeek Analytics surveyed 137 federal IT pros in February to gauge their plans. Our 2011 Federal Government Cloud Computing Survey shows a big jump in the use of cloud services, with 29% of respondents saying their agencies are using cloud services, up 10 points from last year. Another 29% plan to begin using the cloud within 12 months, which means adoption should surpass the 50% mark in the year ahead.
As federal IT teams evaluate where cloud computing fits in their broad IT strategies, they must answer some fundamental questions: Where will cloud services deliver savings over existing systems? How should they provision and manage cloud services? And the big one on everyone's mind, what about data security?
The Obama administration's "cloud first" policy requires agencies to use cloud services where possible for new IT requirements. Cloud computing is more than a new technology services approach; it demands changes to deep-rooted procurement processes and organizational culture. It's also an alternative to capital investment in systems and software, as agencies look to eliminate 800 data centers over the next four years in accordance with the Federal Data Center Consolidation Initiative.
The Office of Management and Budget's influence is shown in our survey, with 21% of respondents saying that compliance with OMB guidance is a driver in their shift to cloud computing.
The economies of scale from shared, centralized infrastructure have the potential to lower usage costs across government. In a pure utility model, users pay only for what they consume, but that doesn't translate to federal IT yet. However, with the prospect of decreasing budgets, agencies must find ways to direct limited funds to their core missions, which may mean having less money available for IT investments. Cloud computing could very well be part of how they cope.
Federal IT pros are clearly looking for savings in the cloud. In our survey, lowering IT costs is the No. 1 business driver of cloud computing, mentioned by 62% of respondents.
Private Clouds For Hire
Agencies face many challenges in moving to the cloud. Top among them is assuring the security of systems and data, identified by 77% of respondents. To address that concern, vendors are offering private clouds with tighter controls over the geographic location of data storage and other aspects of security.
The downside is that all of this comes at a price. The more unique a cloud environment, the harder it is to leverage the scale of the cloud model and, with that, realize the cost savings made possible by a wide user base and cheap resources. It's important that agencies perform their own cost assessments because private clouds and public clouds aren't always the least expensive choices. In general, private clouds don't offer the same savings as public clouds.
The Department of Defense and some intelligence agencies have launched data center improvement initiatives under the private cloud moniker. These efforts seek to employ service catalogs and orchestration technology for configuring and provisioning IT resources. While such initiatives will make data centers more efficient and have other value, it has been hard to demonstrate return on investment that's anywhere near what's possible with commercial cloud services. Private clouds often require a significant up-front investment in equipment, and the complexities of managing IT capacity remain, so the potential for long-term operational savings is difficult to establish.
Making SaaS Work
In the commercial market, SaaS gives companies enterprise-class capabilities without the capital costs of owning self-managed applications. But once hooked, businesses may get socked with usage fees that, over time, exceed the cost of conventional software deployments. The trade-off may be worth it, however, since they're conserving up-front capital and not building IT empires in support of on-premises software.
In federal government, many CIOs are dealing with established software systems that represent substantial investments. Furthermore, technical challenges around integration and storage and legal requirements related to where data resides are potential barriers to SaaS. Storing information in the cloud will require "a technical mechanism" to achieve compliance with the records management laws and policies of the National Archives and Records Administration and the General Services Administration, according to the Federal Cloud Computing Strategy report.
Uncle Sam's SaaS portal, Apps.gov, has experienced only limited uptake by agencies, but Apps.gov isn't the only option. Agencies can procure SaaS through requests for proposals or piggyback on existing contract vehicles. The problem becomes the length of the certification and accreditation process required to ensure that a SaaS app satisfies an agency's security policies. A drawn-out procurement and C&A effort can negate any savings SaaS might provide.
Private clouds are the preferred model in government, with 46% of respondents already using or highly likely to use private clouds. But agencies are also looking to plug into cloud services outside of their data centers, and 27% say it's highly likely they will do that through a government portal such as Apps.gov.
What about commercial cloud services from vendors such as Amazon, Google and Microsoft? Going forward, federal IT pros are twice as likely to subscribe to those services when the services have been specifically adapted for government customers, such as Google's Government Cloud. In our survey, 11% are highly likely to adopt commercial cloud services; that jumps to 22% for commercial clouds adapted for government.
How FedRAMP Helps
To reduce barriers to entry, the federal CIO Council has established the Federal Risk and Authorization Management Program, or FedRAMP, which is intended to bring a standard approach to assessing and authorizing cloud services and products. The goal, according to Kundra, is to "allow joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multiagency use."
In theory, FedRAMP will lead to a common security risk model that can be leveraged across agencies. In reality, however, the program will get agencies only part of the way through that process. In our survey, 44% of respondents are unfamiliar with the FedRAMP program, and 26% have conducted their own C&A instead of taking advantage of it. A lot more work is needed to get more vendors through the program and to promote it within agencies.
Another new program, Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC), led by the National Institute of Standards and Technology, also has had limited impact. In our survey, 53% of federal IT pros haven't heard of the initiative, and only 5% find it very helpful.
As part of the SAJACC program, NIST published 25 use cases to help federal IT pros assess cloud-based offerings. Examples include "cloud bursting" from data centers to cloud services to meet spikes in demand, and migrating a queuing-based application to the cloud. While SAJACC may spur ideas, there isn't a lot of actionable information in the case studies to guide selection and adoption of cloud computing.
Agencies are looking for ways to take advantage of cloud computing, while maintaining data security and protection, and new initiatives take many forms. Here are a few examples of how agencies are getting started.
>> The U.S. Patent and Trademark Office's financial and acquisition system, dubbed Momentum, has one production environment and four test environments, comprising 25 servers with 10 integrations. The production database, including the failover database, is 2 TB, while the test database is 4 TB. (All are Oracle.) The test database is production-sized and refreshed with scrubbed production data periodically. USPTO is assessing the feasibility of moving Momentum to a cloud environment.
>> The Air Force Research Laboratory's Information Directorate is exploring how cloud technology might be used for cybersecurity mission assurance. Its goal is to see if cloud computing can increase the availability and redundancy of continuous operations.
>> The Department of Education is planning to issue an RFP for the operation and maintenance of its Migrant Student Information Exchange, and it's interested in cloud computing as a potential way of providing those capabilities. MSIX, implemented in 2007, contains records for 97% of the migrant student population, with data from 41 states.
>> The Department of Transportation, Federal Aviation Administration, and Air Traffic Organization may explore cloud computing in a test program. This program would provide a virtual production environment that simulates ATO's production environment, which is spread across a number of facilities. The virtual environment would be used to provide email service and to develop and test software.
Private Cloud Considerations
The easier it is for users to request services from a private cloud, the more complex the back-end processes have to be. From the service request to provisioning and managing the service, a mature process environment is required if you’re going to automate those tasks and achieve the benefits of rapid, on-demand provisioning and, ultimately, cost savings.
Unfortunately, the best server provisioning, orchestration, and management tools won’t compensate for a lack of well-conceived processes. While ITIL has been a rallying cry for IT process improvement, many IT organizations aren’t at the level of maturity required for private clouds.
The ability to manage capacity is important in private clouds, though many traditional software tools don’t adapt well to that job. Monitoring application performance, faults, and security in a private cloud often requires a different set of tools. So far, the options that have sprung up in the market are geared toward virtualized data centers. IT organizations must determine how to integrate new cloud-aware tools with their enterprise management platforms to get a complete picture of their computing environments.
Our data shows agencies are very interested in rapidly expanding into the cloud, driven by cost savings, an ability to accelerate delivery of IT services and infrastructure, and the prospect of tight IT budgets and fewer data centers. But the transition presents challenges around security, systems integration, governance, and more.
To maximize the benefits, federal IT teams must enter the cloud with well-conceived business and deployment plans and a readiness to adjust along the way.