Cloud service providers and brokers are making it simpler than ever for government agencies to provision cloud infrastructure and other services. But agencies are paying too little attention to what happens should the time come to switch vendors or reverse course, say people involved in moving federal government agencies into the cloud.
Vendors promise that agencies can decommission their cloud services at any time and take their data elsewhere. But agencies without a well-developed exit strategy are likely to discover that it's much easier -- and cheaper -- to move into a cloud provider than it is to move out, raising the risk of lock-in. "We have a robust approach for getting into clouds, but we have almost no procedures for getting out," says Gunnar Hellekson, chief technology strategist for Red Hat's U.S. public sector business.
Mark Day, acting deputy assistant commissioner at the U.S. General Services Administration's IT acquisition services division, urges federal agencies to address the following questions: What does the transition look like when we come out of a cloud provider? What transition clauses do we need? And what standards do we want? "There are no best practices for that yet," Day adds.
Hellekson's concerns go beyond the need for an exit strategy. "The ability to switch providers creates a certain degree of pricing arbitrage," he says. "This is one of the primary selling points of the cloud." But if agencies have a hard time leaving a provider because of the costs of unraveling and reintegrating systems, "then you can't perform that arbitrage," Hellekson says.
Exacerbating cloud lock-in, and thus weakening agencies' negotiating leverage, is their tendency to customize their cloud services, says former Department of Homeland Security CIO Richard A. Spires, who recommends that agencies avoid those specialized features and support as much as possible.
Hellekson says agencies need to build a detailed strategy for winding down their cloud vendor commitments. Usually when an agency moves from one IT vendor to another, the new vendor pays for the data migration. He recommends instead putting the responsibility on the first vendor. Before signing on the dotted line with a cloud vendor, agencies should explicitly detail in the contract the terms for how that vendor is responsible for packing up and moving the customer's data in the event the customer wants to change vendors.
"If you're renting a house, it's built into the contract that you'll leave it in clean condition or there are consequences -- it's not the next tenant's job to do," Hellekson says. While that relationship is the inverse of the roles he suggests data tenants and their data landlords play, the principle is the same, he says.
"The government knows how to acquire services," Hellekson says. "While there aren't any fundamental acquisition reforms that have to happen, acquisition [teams] should provide more levers to facilitate an exit from a cloud service provider."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.