How GSA is securing its cloud apps

As the General Services Administration (GSA) migrates to a work-anywhere, work-anytime strategy, the real estate arm of the U.S. federal government is discovering that having an iron-clad security strategy is critical to its adoption of cloud-based applications.

GSA says the combination of a unified directory service, single sign-on software that covers both cloud- and premises-based applications, and two-factor authentication is allowing the agency to meet regulatory mandates for information security. GSA uses passwords and smart cards for authentication.

"Identity management is really a critical piece of this," said GSA CIO Casey Coleman. "We have a two-factor authentication solution. You can use that two-factor authentication solution as the main criteria for provisioning and de-provisioning. When an employee comes on board, nothing happens until you issue a credential or token, and when they leave that's the first thing that's reclaimed. By doing that, you don't have to turn off accounts in all of these other cloud systems. By taking away that second factor that's required to get into these systems, you improve your ability to maintain your right set of access controls."

GSA is at the forefront of the Obama administration's "cloud-first" strategy, which is designed to lower IT costs and eliminate federal data centers through the adoption of cloud-based applications. The new policy requires agencies to identify three "must-move" IT services that can be migrated to cloud computing applications and to complete the migration in 2012.

GSA, a fee-for-service organization, has vowed to be the first agency to meet this "cloud-first" requirement.

"Our administrator Martha Johnson has issued us a mandate that GSA goes first," Coleman said. "Our goal in doing that is that by adopting these technologies, GSA can provide the value and share the lessons learned in deploying them to other federal agencies or other corporations. Our goal is to serve as a public steward for the prudent adoption of new technologies."

By the end of the year, GSA will complete its migration to cloud computing for three popular applications used by its 17,000 employees. GSA selected Google Apps for email, Fiberlink for remote device management, and Salesforce for customer relationship management (CRM) and collaboration. The Google Apps and Fiberlink transitions are done, and the Salesforce migration will be complete in 2012.

"GSA has been enthusiastic and eager to be out in front of other federal agencies in the adoption of cloud computing," said Ray Bjorklund, chief knowledge officer at Deltek, a federal IT market research firm. "To their credit, they have been trying to ensure that all of the cloud concepts and principles work really well for the government. They've been collaborating very aggressively with [the National Institute for Standards and Technology] on security issues."

Bjorklund said his only concern about the GSA cloud computing initiative is the way the vendors -- particularly Google and Salesforce -- were selected. Rival Microsoft complained that GSA's Google award was unfair, while the Salesforce contract was closed to other CRM vendors.

"One thing I haven't been able to resolve is how can an agency like GSA push vendor-specific solutions," Bjorklund said. "Some of the smaller cloud providers have argued that GSA and some other agencies have chosen one particular cloud offering in their minds unfairly."

Despite the controversy, GSA considers cloud-based applications -- which its users can access by laptops, tablets and smartphones from job sites, offices or their homes -- to be a key enabler of its flexible work strategy.

"GSA is an agency that is very mobile," Coleman explained. "We're out with our clients and vendors, and even when we're in the building, we're working collaboratively. We are aggressively seeking to adopt mobile technologies including Salesforce to enable us to do our work anytime, anywhere, on any platform."

Coleman said Salesforce and its Chatter collaboration tool complement the agency's embrace of mobility. GSA has deployed Chatter -- a private social networking service akin to Facebook -- to half of the agency's employees. "We're giving this tool to virtually anyone in the agency who needs it," Coleman added.

GSA also is deploying the Force.com application development platform within Salesforce. Coleman said GSA plans to use Force.com to consolidate all of the administrative and back-office workflows that previously resided in a number of different tools including IBM Lotus Domino, its email platform prior to Google Apps.

"Now we'll have a robust cloud-based development platform for everyone to use," Coleman said. "We can make the development of these tools standard, so teams can develop whatever they need for their local requirements, but everyone can share common sets of data, data standards, security standards and architectural requirements."

GSA is already reaping the rewards of its transition to cloud computing. GSA says that migrating to Google Apps will reduce its email operation costs by 50% over five years and save more than $15.2 million. The savings are coming from a reduction in hardware, software licenses, data center space and maintenance.

"We're using pretty much every aspect of Google Apps: email, calendar, contacts and chat, including text chat, voice and video chat," Coleman said. "We're using Google Sites and Google Docs for editing. We see Google and Salesforce together providing a pretty harmonious set of capabilities that will let us move [forward.]"

GSA doesn't expect direct cost savings as a result of its Salesforce deployment. Instead, the agency expects to be more efficient due to its increased mobility, and faster at adopting new technologies.

Salesforce is about "enabling employees to be mobile, to be more effective in serving our customers, and to have access to critical tools in a secure manner all the time," Coleman said. "The business case for Salesforce is more on the qualitative side than the quantitative side. By moving to the Salesforce platform, any applications we develop in Salesforce are mobile-ready from the beginning. Smartphones and tablets can use those applications."

Coleman said maintaining information security was the biggest challenge that GSA has faced in its migration to cloud-based applications.

"We have spent a significant amount of time with both Google and Salesforce -- over a year's worth of effort -- reviewing security plans and procedures and ensuring that our controls meet federal standards at the moderate level, which is the requirement for GSA," Coleman said. "We have consolidated [Microsoft] Active Directory into a single entity. ... What that allows us to do is single sign-on and two-factor authentication to the cloud. We maintain the authoritative directory list approved to log in to systems, and then we hand it off via SAML2 to the cloud providers. That's a control that we've kept in-house."
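The control described in the quotes above, an in-house directory and second factor gating a SAML2 handoff to the cloud providers, can be modelled in a few lines. This is an added illustration, not GSA's code: the class and function names, the 300-second validity window and the HMAC standing in for SAML's XML signature are all assumptions.

```python
import hashlib
import hmac
import json

ASSERTION_TTL = 300  # seconds an assertion stays valid (assumed value)

class IdentityProvider:
    """Toy in-house IdP: authoritative directory plus second-factor registry."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.directory = set()   # users approved to log in
        self.tokens = {}         # user -> id of the issued smart card/token

    def onboard(self, user, token_id):
        self.directory.add(user)
        self.tokens[user] = token_id

    def reclaim_token(self, user):
        # Offboarding step: only the second factor is taken back.
        self.tokens.pop(user, None)

    def issue_assertion(self, user, password_ok, token_id, audience, now):
        if user not in self.directory or not password_ok:
            return None
        if token_id is None or self.tokens.get(user) != token_id:
            return None  # no active second factor, so no assertion for any SP
        body = json.dumps({"sub": user, "aud": audience,
                           "exp": now + ASSERTION_TTL}, sort_keys=True)
        # HMAC stands in for the XML signature a real SAML2 IdP applies.
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

def sp_accepts(assertion, sp_name, verify_key, now):
    """Service-provider check: signature, audience and validity window."""
    if assertion is None:
        return False
    expected = hmac.new(verify_key, assertion["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    claims = json.loads(assertion["body"])
    return claims["aud"] == sp_name and now < claims["exp"]

def login_all(idp, key, user, token_id, sps, now):
    """Attempt SSO to every SP; returns {sp: accepted}."""
    return {sp: sp_accepts(idp.issue_assertion(user, True, token_id, sp, now),
                           sp, key, now) for sp in sps}
```

Reclaiming the token makes `login_all` return `False` for every service provider while the directory entry and the provider-side accounts are left untouched; an assertion issued earlier is still accepted by its own audience until its validity window ends.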

Fiberlink is a key component of the agency's cloud computing strategy because it provides remote security for mobile devices such as smartphones, tablets and laptops.

"One of the benefits of cloud computing is that the data is not sitting on one of those devices," she said. "Whereas before if you had a laptop lost or stolen it had data on it, now a tablet or smartphone that's connected to the cloud has very little data on it. The data is in the cloud where it can be secured. The device can have strong password protection, encryption and it can be wiped or erased if lost or stolen. ... Between the move to the cloud and the elimination of data sitting on devices, I think we're moving to a place where information is better secured."

Another component of GSA's mobility strategy is to adopt open plan offices.

Like cutting-edge businesses such as Citrix, GSA is remodeling its headquarters building in Washington, D.C., to embrace open spaces and to eliminate assigned offices. In conjunction with this redesign, the agency is reducing the amount of square footage it leases by 50%. This will result in a huge savings in rent, which is one of the top expenses for all government agencies.

"We'll have roughly 4,000 employees moving into a space with seats for 2,000," Coleman said. "This is quite a break from the way government real estate is normally used, and it will allow us to use the space to maximum efficiency."

Coleman says GSA is hoping to set a good example for other agencies about the benefits of open-plan office spaces. "We're expecting other agencies to learn from the GSA experience about how to use space more effectively and reduce square footage and reduce rent bills," she said. "Our going first down this path will demonstrate that using these mobile technologies will have a business return on our real estate bills."

Having gone this far down the cloud computing path, Coleman is urging other CIOs to follow GSA's lead.

"The world is moving to cloud and to mobile and to collaboration. If you're not moving there, your users will probably move there with or without you," she said. "Cloud technologies are easily adopted. As a CIO, you need to make sure the adoption is done in a secure, resilient manner that benefits the enterprise."

This story, "How GSA is securing its cloud apps," was originally published by NetworkWorld.
