While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Each agency will apply cloud computing a little differently because of varying mission requirements and changes over time. But that doesn't mean there aren't best practices that can be applied even while cloud services are in their infancy at many agencies.
Cloud computing has the potential to provide reliable, secure and cost-effective IT services, giving CIOs additional options to employ technology to support their agencies' missions.
There are challenges. Among the biggest in the next five years will be refreshing outdated computer infrastructures in many agencies. Budgets are stressed like never before. That should give agencies further incentive to take advantage of the economies of scale that cloud servÂice models provide.
Cloud computing can help by reducing the technical risk of implementing new infrastructure and providing a fast and agile solution to agencies' IT service needs. The cloud is also a natural partner to mobile computing, which continues to play a growing role in our private lives, in industry and in government.
CIOs must understand their agencies' missions and how cloud computing can help support those missions. To fully realize the ultimate goal of providing better service at a lower cost, agencies need to transition from their role as direct providers to managers of services through judicious use of contractor-provided cloud services.
Agencies will implement different service models (software as a service, platform as a service and infrastructure as a service) and deployment models (private cloud, community cloud, public cloud and hybrid cloud) to meet their individual requirements, including their differing tolerances for risk.
Federal requirements when migrating systems and services to the cloud are different from those of industry. The government has to meet personnel security, legal and privacy requirements that industry isn't bound by. It has needs beyond the commercial market because of the trust the American people put in the government and the government's obligations to the public to protect their information and ensure the continued operation of its systems.
Cloud represents a shift from physical to logical control of data. But the physical location of data dictates its sovereignty — whose laws and policies apply to that data, to the data owner and to the vendor operating the system. Data sovereignty issues present a number of unknowns that will have to be addressed (see sidebar).
Cloud providers must address the concerns of the federal community. They need to understand the high service-level requirements and the relatively low risk tolerance for many programs. Agencies' IT teams will need to spell out these requirements in contract deliverables. Contracts and service-level agreements should have detailed performance levels and penalties for not meeting those levels. Agencies should request that providers prove that they can meet those requirements.
Not all government requirements are unique. Many are similar enough to industry standards that agencies and cloud providers can flesh out "commodity" items that the government can use without modification. Federal organizations with unique requirements should be addressed separately. Commodity-based services will drive down costs, reduce risk and speed delivery of services.
CIOs and chief information security officers have resources to help them maintain security as they move to cloud computing. The Federal Risk and Authorization Management Program, initiated by former federal CIO Vivek Kundra and launching now or in the near future, is an innovative program to develop trust relationships between agencies and cloud providers.
FedRAMP will establish standard security and privacy requirements for cloud services. It provides for independent, third-party assessments of controls that a joint authorization board will use to provide an initial authorization. The goal is to create an "approve once and use often" system that agencies and vendors can use to avoid duplication of effort, thereby lowering costs and saving time.
In addition, the CIO Council's Information Security and Identity Management Committee developed "Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies." This document helps program managers create a strong, secure business case for embracing the cloud computing capability that coincides with their level of acceptable risk.
Additionally, the National Institute of Standards and Technology has crafted its Cloud Computing Standards Roadmap, which includes several practical tips and other guidance for agencies. NIST also is posting business cases that agencies can use to help fine-tune their own plans. There's no need to start from scratch; agencies and bureaus should simply borrow what works for their requirements.
One of the lessons learned from working on big projects at the Justice Department was the importance of getting sponsorship from the stakeholders. CIOs must ensure that stakeholders and senior management understand the benefits to both end users and the mission. Agencies need to set standards, establish priorities and provide strong project management to successfully develop cloud projects.
For more information, please see the CDWÂG Cloud Computing Reference Guide at cdwg.com/cloudguide.
An incremental approach to rolling systems to the cloud is critical too. With IT, a CIO won't really know for sure if a system works until it's operational. If you don't have operational successes early, users won't understand and won't support what you are trying to accomplish.
To that end, use pilots to help evaluate design. It is difficult for most people to understand what IT capabilities exist and how they can be used to support the agency mission until they sit down and use an actual live system. Their understanding of requirements also changes as they use a system. Prove it, then improve it.
The cloud can offer the early deliverables needed to do this. The system development approach identified by Kundra that breaks large, multiyear software development projects into six-month delivery cycles can help agencies focus their efforts.