Data Center

Cloud’s Dirty Little Secret

Reaching federal goals for cloud computing will require agencies to navigate a minefield.

Paul Wohlleben, a former federal CIO, consults in the federal sector. E-mail him at paul.wohlleben@gmail.com, or visit his blog at www.businessofinfotech.blogspot.com.

To date, most federal cloud projects can be characterized as low-hanging fruit — e-mail migration, website migration, use of commercial software as a service offerings that are mainly stand-alone applications. While each of these projects has a business case supporting the migration, taken together they won’t make much impact on the overall goal of reducing cost and improving security.

For cloud computing to have a truly transformative impact on federal IT, agencies will need to move many of their mission-critical systems to the cloud. This is where it becomes hard, and where the danger to fully implementing the federal cloud strategy becomes most acute.

The concern is simple. Many of these systems are patched-up versions of old design and programming techniques. They will not migrate to or run well in the cloud model in their current states. They will need to be modernized. System development and modernization projects are very risky, and the IT landscape is littered with many costly failures. To get from the federal government’s current major system inventory to cloud-based infrastructure, agencies will need to pass through this minefield. This is cloud’s dirty little secret.

What’s the Vision?

Cloud computing came to the forefront as a high-priority initiative with the February 2011 publication of the “Federal Cloud Computing Strategy.” This strategy envisions the creation of a mature and competitive marketplace in which agencies can rapidly procure access to cloud services that are secure, interoperable and reliable, and in which they can move easily among providers. The benefits will be significant cost reductions, improved IT capabilities and innovations in government IT solutions.

Simply stated, the vision for cloud is to deliver better IT solutions that will result in better government while reducing the cost of IT. That is a compelling vision. The challenge, as in most transformations, is to actually get to the intended result.

Some Historical Perspective

Over the years, federal IT has experienced successive waves of technological change. Some of us can recall the moves from mainframe-based timesharing to PCs, then to PC- and server-based networks, then to the web, and now a push toward cloud and data center consolidation. I almost get a sense of déjà vu — we moved from a centralized environment to decentralization, and now we’re going back to what will become a highly centralized environment once again.

Of course, many factors affect these transformations. The two that most affect the present are cost and security. Both should be improved by centralized IT. If we are to learn from the past, the governance and customer service capabilities of the emerging centralized environment will be more responsive to serving the needs of the IT customer. If they aren’t, the more centralized model will eventually be rejected.

The Path Forward

But the federal government can’t afford to move its large inventory of major systems to the cloud. Migrations will be costly and risky.

There is significant duplication in federal IT. Agencies have made attempts to address it, but none has been broadly successful. The strategy going forward seems clear — identify duplication, move only one system of a kind to the cloud and force other system managers to use the migrated system. Strategy and planning are the simple steps; execution is really hard.

As I recall, when the Navy implemented its Navy–Marine Corps Intranet, it required all systems to pass muster with respect to design, standards, security, etc. Many system owners chose not to migrate to NMCI due to the cost and risk inherent in doing so, and found other ways to meet their needs.

From reading press reports, I know that many NMCI users were not happy. I am not in a position to hold that program up as a successful implementation, or to label it as less than successful. I do, however, believe the approach has merit and applicability to cloud migration.

To achieve its cloud strategy, OMB needs to both migrate the government’s mission-critical systems to the cloud and reduce the inventory of major systems to be migrated. Sounds like a paradox, doesn’t it? But the path forward seems clear — put in place a strong governance process that will significantly reduce duplication before migrating major systems en masse.

That process is not found in current cloud plans — it needs to be added.

Laying the Foundation

To move the federal government toward cloud adoption, former federal CIO Vivek Kundra published several important policy documents. The first was the “25 Point Implementation Plan to Reform Federal Information Technology Management,” which included a cloud-first policy. The document established a three-part strategy on cloud technology that revolves around using commercial cloud technologies where feasible.

The 25-point plan required each agency CIO to identify three “must move” services and create a plan for migrating them to the cloud by this summer.

Next, the “Federal Cloud Computing Strategy” made the case for cloud and described some of the challenges that need to be addressed to successfully migrate to and manage in the cloud environment.

In November, the National Institute of Standards and Technology released a draft “U.S. Government Cloud Computing Technology Roadmap,” which addressed a number of requirements and action plans for cloud adoption. As these requirements are met, a foundation will be established for broad adoption, because cloud computing will be consistent, mobile, secure, easy to acquire and easy to manage.

In December, the Office of Management and Budget released the Federal Risk and Authorization Management Program. FedRAMP establishes the approach to developing trusted relationships between federal agencies and cloud providers. The program is intended to enable a cost-effective, risk-based approach for adoption of cloud services by providing standardized security requirements and a program to produce consistent security assessments.