Feds Offer Agencies Guidance On Cloud Implementation
As agencies adopt cloud services, a new report helps set some guidelines around SLAs, security, and privacy.
Top 10 Open Government Websites
(click image for larger view and for slideshow)
Since cloud computing services represents a paradigm shift from the way federal agencies historically have acquired IT systems, they have a number of new factors to consider--service-level agreements (SLAs), security and privacy among them--as they make plans to implement the cloud, according to a new report.
As part of a broad IT reform plan, the feds have adopted a "cloud first" policy requiring agencies to consider the cloud first as they plan new IT projects, which should accelerate adoption of the technology at the federal level.
This means agencies must think carefully not only about how they implement cloud computing from a technical perspective, but also about how they work with cloud service providers to hammer out the terms of service.
"The most consistent lessons learned from the early adopters show that the Federal Government needs to buy, view, and think about IT differently," the report says. "Cloud computing presents a paradigm shift that is larger than IT, and while there are technology changes with cloud services, the more substantive issues that need to be addressed lie in the business and contracting models applicable to cloud services."
Since cloud computing usually means handing over control of data and systems to a third party, SLAs, security, and privacy are three particular areas of concern for agencies when working with vendors of the services, according to the report, which provides advice on how to handle each area. The Federal CIO Council, the Chief Acquisition Officers Council, and the Federal Cloud Compliance Committee collaborated on the report.
In the area of SLAs, agencies must craft them with clear terms and definitions for the performance of systems, including ways to demonstrate how performance is being measured. They also must put in place mechanisms that ensure enforcement of the terms of the SLAs.
Security--which has been cited as one of the chief roadblocks to cloud computing adoption by government customers--must be handled with particular care as well. Because of its importance, the feds have been preparing common security requirements for cloud computing in the form of the Federal Risk Assessment Program (FedRAMP).
The report cites FedRAMP as the baseline guide for helping agencies address the security needed to acquire, authorize, and consume cloud services. It also listed seven other key security areas agencies must factor into their decisions: clear security authorization requirements; continuous monitoring; incident response; key escrow; forensics; two-factor authentication with Homeland Security Presidential Directive-12, a common federal identification standard for employees and contractors; and auditing.
Privacy is also another new concern with cloud computing, as third parties now will be in charge of storing personal data and information—specifically, personally identifiable information (PII)--about agency employees, other network users, or members of the public.
To ensure that data is protected, agencies must ensure their cloud implementations comply with the Privacy Act of 1974 and related requirements for how agencies must store and handle PII, according to the report.
They also must work with cloud providers to engage in privacy impact assessments (PIAs) and privacy training, and be clear about the location of their data in the cloud to ensure it is properly secured. Moreover, the report specifies that agencies must agree with cloud service providers on how to respond in the event of a data breach.
How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)
2014 Next-Gen WAN SurveyWhile 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Server Market SplitsvilleJust because the server market's in the doldrums doesn't mean innovation has ceased. Far from it -- server technology is enjoying the biggest renaissance since the dawn of x86 systems. But the primary driver is now service providers, not enterprises.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.