Feds trek to the cloud
Agencies are now grappling with the hard realities of making the 'cloud first' policy work.
By Mary K. Pratt
September 12, 2011 06:00 AM ET
Computerworld - The government sector is on a fast march to the cloud, but Robert Rosen wants to pause for a breath.
"I've been looking at the cloud for a long time, and it's not as simple as all the vendors want to make it seem," says Rosen, CIO of the National Institute of Arthritis, Musculoskeletal and Skin Diseases at the National Institutes of Health in Bethesda, Md. "The federal government isn't this uniform user of IT. So there's no one-size-fits-all. There are places it fits fine, others where it doesn't, and this great middle area where it's 'maybe, maybe not.'"
So even though he's working under a new federal mandate known as "cloud first," Rosen is moving cautiously. He's evaluating how to use cloud computing to store data that his agency doesn't access frequently, a move that could help eliminate the need to build a new data center. But he says he wants to cover all the bases to make sure he doesn't make mistakes. He's looking at the data itself to determine security needs, calculating bandwidth requirements and devising an exit strategy in case he wants to switch vendors or move out of the cloud.
"It's a deliberate process we're going through. We're just not going to leap," says Rosen, a past president of Share, an IBM user group. Still, the pressure is on Rosen and his colleagues to move to the cloud.
Last December, former U.S. CIO Vivek Kundra established the cloud-first policy, telling federal CIOs to move three services to the cloud within 12 to 18 months. In a 25-point plan to reform federal IT management, Kundra cited cost savings, flexibility and speed of deployment as reasons for adopting the policy.
Now, IT leaders like Rosen are grappling with the details involved in making the policy work, but also seeing early successes moving some functions to the cloud as they work toward migrating truly strategic systems there.
"This is a paradigm shift," says Shawn Kingsberry, CIO at the federal Recovery Accountability and Transparency Board and a proponent of cloud computing.
Kingsberry considers this a unique point in IT history, akin to the late 1990s, when IT departments went through drastic upgrades during the run-up to Y2K. Today, dwindling dollars and a shrinking workforce are forcing IT leaders to once again think big. "Now you have a perfect situation where the stars are aligned to make massive change," he says. "When you look at what this means, federal government has the opportunity to make moves forward."
Kingsberry's agency moved its Recovery.gov website to Amazon.com's EC2 cloud service in April 2010. He says the agency decided to make the leap after successfully using the cloud for testing, although IT leaders at the agency still performed a rigorous analysis before making the move. They considered, among other factors, how cloud computing would fare in terms of performance, cost and security.
Classified Data? Not in the Cloud
IT leaders are constantly weighing cloud computing's benefits against its security risks.
In its spring survey of 375 federal, state and local government IT decision-makers and influencers, CompTIA found that 44% of cloud implementers rated network security as a top challenge. Thirty-six percent listed compliance with security mandates as a top challenge, while 35% cited data loss prevention and 35% pointed to hardware security.
Tim Herbert, vice president of research at CompTIA, says CIOs are concerned about keeping data and systems safe from malicious attacks and establishing data governance procedures in an environment that encourages collaboration and sharing.
"It comes up a lot -- security and policies. And it comes up in the private sector, too," he says. "Some of that concern is reality, and some of it is perception."
At the very least, analysts say, those security concerns will keep classified data out of the cloud for the time being even as the General Services Administration and other agencies establish security standards. And it will likely limit to some degree the amount of less-sensitive data that migrates to the cloud as well.