One of Vivek Kundra's most significant contributions in his position as first CIO of the United States was to introduce a "cloud first" policy for government computing projects. Mr. Kundra's replacement, Steven VanRoekel, vows to continue this policy, which will help numerous government agencies streamline their missions and improve citizen services.
Recently I was interviewed as part of a series of technology provider perspectives on government cloud computing. I'd like to share that interview with you, our blog readers. I plan to post the questions and answers in a three-part series, the first of which follows here. As always, we welcome your thoughts and reactions.
Agencies are under a “cloud first” mandate for procuring IT services, so awareness of the cloud should be there. But what's the level of understanding about how agencies can benefit from it?
Cloud providers love to wax rhapsodic about the benefits of utility computing, and you can find plenty of appealing goodness on their marketing web pages. What’s missing, I think, is a way for agencies to translate the generic promises into specific benefits that they can then measure. Of course, this means you already need a fairly good understanding of what you have, what works well, and what doesn’t work well. From this you can then more easily evaluate the benefits of the cloud in general and also compare specific benefits of various providers. Unfortunately, if you don’t have a good idea of what you’re already doing, it’s difficult to truly know whether moving to the cloud will bring positive results.
Is moving to the cloud a “no brainer” for agencies, and they should just go ahead and do it? What process do they need to go through to decide if they are ready?
Assuming you can accurately translate the promises into measurable benefits, I’d say yes, agencies should adopt cloud computing as the new default deployment model for new projects and for existing projects that are planned to undergo a refresh cycle. I don’t like characterizing it as a “no brainer,” though. To wring maximum value from a cloud deployment requires a fair amount of brains: cloud architecture is fundamentally different from traditional on-premise architecture, and this is reflected in how you develop applications, where you locate data, how you plan for disaster recovery, and how you implement information security controls.
Are there any agency applications or services that should never move to the cloud, or is everything an agency does open to that move? In either case—why?
One way to influence change is to set new defaults. For example, in states where applicants for driver licenses have to opt in to organ donation, only 20% choose to do so—vastly limiting organ availability. Some states have reversed this; drivers are organ donors by default unless they opt out. 80% stick with the default, and all residents of these states benefit from the greater availability of organs. So the “cloud first” mandate along with the mental shift to cloud as default requires that an agency obtain an exception if it wishes to deploy a project on premise. If you make the exception process sufficiently painful, this will discourage agencies from inventing convenient excuses to continue doing things the old (meaning familiar) way. Clearly there are certain exception criteria that will prevent some workloads from moving to shared infrastructures. But does each one need its own dedicated data center? Could, perhaps, all these workloads share a single private “top secret” cloud? I’d imagine so.
How can agencies decide which flavor of cloud—private, public, or hybrid—is right for them?
It doesn’t make much sense to choose a deployment model from the start and then attempt to force all workloads into that one model. Different workloads can use different models—that’s one of the neat things about cloud and emerging technologies that make it easy to port workloads between clouds. So I’d say that the decision of which deployment model to use for any particular workload is driven by the answer to the previous question and, of course, the following question.
Many potential agency users of the cloud believe it's not yet secure enough for their needs. Are they right?
Perhaps we should let General Keith Alexander, chief of the US Cyber Command, answer that one for us:
“This architecture would seem at first glance to be vulnerable to insider threats—indeed, no system that human beings use can be made immune to abuse—but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data... The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use—up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter.”
These are quotes from his testimony to Congress in March 2011. His statements reveal a remarkably keen understanding of where risk to information lies and how to mitigate those risks. If the world’s largest online retail company stores and retrieves its entire product catalog from the public cloud, if Treasury.gov, Recovery.gov, and NASA all use the public cloud, if major pharmaceutical manufacturers use public cloud resources for testing the protein folding sequences of trade-secret chemical compounds, if the world’s largest movie streaming/subscription service runs its whole business—front and back office plus its intellectual property—from the public cloud, then just who are these people who claim “oh, the cloud isn’t secure enough for me”? Cloud providers are under constant pressure to prevent their services from becoming attractive to bad guys and to make it exceptionally difficult for one customer to interfere with another. And they’re constantly striving to obtain ever more stringent certifications. That’s a lot of work, more work than most private or single-purpose data centers have the staff or budget to undertake. Now, having said all that, if your cloud provider refuses to be transparent about how they manage their security, I suggest you take your business elsewhere.
Part 2 will follow two weeks from today, and part 3 will follow two weeks after that.