A series of tests at headquarters and several labs, in combination with observation of Lawrence Berkeley's experience, will help the agency plot its course, leading to a decision within six months about the next steps to take, according to John Dunlap, the agency's acting associate CIO for IT support, who heads up a number of the Department of Energy's shared services. Among the smaller-scale tests is a 50-user Google Apps pilot that then-deputy CIO Carl Staton signed off on before retiring earlier this month, and a planned Microsoft Exchange Online test by Argonne National Laboratory.
"The Department of Energy sees that cloud computing has significant potential for decreasing costs, improving efficiency, and improving the end-user experience," Dunlap said in an interview. "It's an industry with great potential, but, of course, it is young and there are many immaturities in the marketplace."
The choice to test e-mail is a strategic one, said Dunlap. Unlike the prospect of trained IT administrators working with an outside provider to stand up cloud-based infrastructure, e-mail is less easily controlled because it's subject to use by the average worker, and e-mail use varies widely from person to person. Testing e-mail in the cloud gives Energy the chance to explore and test the level of granularity included and required in both technical controls (i.e., the ability to set limits on which features which users can tap into and when) and prospective policy guidance on use of the cloud.
Department officials foresee an eventual hybrid e-mail system that would integrate things like directories and calendaring between the cloud and the agency's on-premises system. By moving to offer cloud-based e-mail alongside on-premises e-mail, the agency will be able to give users a choice, while at the same time future-proofing and preparing itself for any major market shift toward the cloud.
However, before that happens, concerns about security, records management, and contracting, among other things, must be worked out. That's especially challenging in an agency like Energy that has a diverse group of users working on everything from open science to classified research and development projects. According to an Energy Department IT executive who asked not to be named, Staton's initial memo approving the headquarters-based Google Apps pilot identified a dozen cybersecurity risks that need to be tackled.
For example, remote access and identity management could prove to be thorny issues. The agency requires two-factor authentication for remote access, which raises questions about how that requirement interferes with the access-from-anywhere portability benefits of cloud computing. Federated identity management, meanwhile, could require infrastructure upgrades depending on the ultimate choice of technologies.
Archiving presents another of the test's challenges, as the federal government has unique records management requirements that will require thoughtful contracting. "When you rely on an external provider, if you fail to contract properly and ask them to, for example, do a deep fuzzy logic search because of a [Freedom of Information Act] request, they might be able to say that it's not what you contracted for," said Dunlap.