Government IT Forecast: Cloudy with a Chance for Myth-busting

Posted by Mary Davie
on March 22, 2011

I was happy to see so many of you at the 2011 Interagency Resources Management Conference (IRMCO), GSA’s preeminent forum for promoting innovation, transparency, and collaboration among government and industry leaders. The conference was a unique opportunity to put our heads together on the key initiatives that will transform government management.

I was fortunate to sit on a great panel with Karen Lee, from the Office of Management and Budget’s (OMB) Open Government for Federal Spending Transparency Initiative, and Patrice McDermott, Director of OpenTheGovernment.org. We had a great discussion on how open government can drive improved government performance.

I’m a big fan of open government and increased communication, particularly as it relates to better, smarter government acquisitions. This issue is really driven home by the Office of Federal Procurement Policy’s recent must-read “myth-busting” memo, which basically debunks some of our overly cautious interactions with industry.

In the same spirit of myth-busting and improved government performance, I’d like to debunk some cloud computing myths. OMB has taken an aggressive stance on cloud. We’re all on the hook to move three systems to the cloud by 2012. I’m here to tell you that it can be done intelligently and securely.

Myth #1: Cloud can be anything

With any great innovation comes the temptation to repackage the old as new. You almost can’t open a government or tech trade publication today without seeing the word cloud. But not all cloud offerings are created equal: they must adhere to five essential characteristics. For a brief but thorough explanation, check out the very cool GSA Federal Cloud Computing Initiative video on YouTube.

Myth #2: Public clouds are not secure, and agencies can’t control security requirements

Public clouds are not inherently secure, but, with a little guidance, agencies can put in controls to achieve an acceptable level of security based on the confidentiality, integrity, and availability of the data.

First of all, off-the-shelf security terms are negotiable. Open communication with industry, along with a little help from the cloud experts at GSA, can help agencies define their unique requirements.

Second, keeping information systems secure takes constant work. In some cases, cloud service providers may be in a better position to make necessary changes to control risk than if we operated every system ourselves.

Third, agencies can choose what to push to the cloud. Not all systems and data have the same security requirements; not everything is appropriate for cloud. By carefully moving appropriate components to cloud, both cloud-based systems and premise-based systems can become more secure.

Myth #3: Agencies will lose control of their data

Agencies can enforce strict Service Level Agreements (SLAs) for the handling of their data and should build into their requirements a prohibition against data-mining and monetizing.

Myth #4: Moving to the cloud is difficult

Difficult and easy are relative terms. If an agency is facing a technology transition that requires a large capital investment, say in hardware, then making that technology transition may be easier and faster in the cloud. However, every time you move data or applications, there is risk—regardless of whether you move the data or applications to the cloud or different platforms in your own data center.

Good practice in technology generally dictates that systems, applications, or data be moved in pilots or phases. Moving to the cloud is no different. Agencies can move component by component, on a timeline that makes sense for them.

Whatever an agency decides with cloud, GSA can make the acquisition process easier.

GSA is developing cloud-specific blanket purchase agreements that will soon be available to customers for Infrastructure-as-a-Service (IaaS) and Email-as-a-Service (EaaS)—based on what we’ve learned from our own cloud-based email procurement and proactive discussions with industry. These vehicles will make it easier for our customers to compare services and acquire what they need from the cloud. See “The Cloud: Battle of the Tech Titans” in Business Week, which explains how cloud is being used today.

To meet immediate needs, we already have existing contracts in place—Alliant and Alliant SB GWACs, and IT Schedule 70—that offer cloud services.

Customers are using all of these acquisitions today to buy cloud-based solutions, and they can do those acquisitions quickly.

FACT: Cloud Computing Enables Good Government

We’ve all received our cloud marching orders, but OMB mandates are not the only reason to move forward. Cloud computing is a step forward in addressing the really big challenges we face: budget and deficit crises, increasing greenhouse gas emissions, and a population in need of critical government services.

Cloud computing will enable a more efficient, sustainable and effective government for the American people.

GSA can help. Come talk to me. Together we can transform government.

6 Replies to “Government IT Forecast: Cloudy with a Chance for Myth-busting”

  1. Excellent points made about the cloud. It is good to see agencies embracing technology for solutions for today’s problems and for future issues that will arise.

  2. The government moving into the cloud makes me as nervous as the mouse fixing to be feasted upon by the hungry cat. The cloud isn’t inherently secure and we haven’t begun to tear it apart to see how it really ticks, with multiple “cloud” solutions out there each of which has its own undiscovered vulnerabilities (that is until a hacker posts a dark paper on the topic and publishes it on an obscure website somewhere, only to be found by Google months later, by which time the race is on to see how many infrastructures are at risk), and to assume that this risk is low is just an attempt to put lipstick on a pig.

    If there were a set standard, then I would agree that chief security could be achieved and maintained, but the fact is there is no set standard and the cloud movement is still in its infancy, which means until more in-depth testing can be done, no one, let alone the government, should be looking at it as a viable option in the near present future.

  3. Thanks for the ideas you have discussed here. One more thing I would like to convey is that computer system memory demands generally go up along with other advances in the technological innovation. For instance, whenever new generations of processor chips are brought to the market, there’s usually a corresponding increase in the size and style preferences of all laptop memory in addition to hard drive space. This is because the software operated simply by these processor chips will inevitably surge in power to make use of the new know-how.

  4. Thank you for your comment. You’re right that clouds are not inherently secure, but neither are hosted or premise-based systems. You still need to do your security work whether the system is “cloud” or not. GSA is working with federal CIOs, CSOs and NIST to create the Federal Risk and Authorization Management Program (FedRAMP), a shared process for cloud security certifications. This will provide a common level of security for government cloud computing use. Vulnerability patches, a common issue, may take us longer to apply if we own and operate the systems. Cloud service providers may keep pace with security faster than government, as it’s part of their mission. But not everything is appropriate for cloud. Agencies have to be prudent in what and how they move to the cloud. GSA can help them make the right choices.

  5. The transition risk is minute when you can benefit more from the cloud development in the end. Also, thank you for clarifying the myths.

  6. The key is better discipline what belongs on the cloud and what does not. You’re already on the cloud if you’re using email of any kind, but there are some things you simply do not email. The same goes for all IT apps. To that point the information on cloud-based apps should be transparent within the hierarchy to help enforce that discipline, forcing users to use more secure systems when necessary. Going to the cloud does not necessarily mean abandoning premise or legacy systems, but rather minimizing the cost for such systems by keeping their usage minimal. This is possible simply because the cloud is so much more efficient for IT to maintain than a million PCs running their own unique profile of software revisions. Most PC operators in government should require fat clients leaving the high security work to those who absolutely need it, making it easier to maintain such systems, it. a more secure IT system in general.
