Oct 29 2012

Why “Cloud First” Is Becoming “Private Cloud First”

As agencies move systems to meet the federal “cloud first” mandate, most employ a private-cloud model.

When cloud computing first came on the IT scene, it held the promise of hundreds of organizations — government and corporate — sharing online computing resources and enjoying economies of scale. And several agencies did move systems, such as e-mail, to public-cloud infrastructures.

But it became apparent almost immediately that most federal agencies, under most IT circumstances, wouldn’t participate in cloud computing the way it was first envisioned. There were concerns about security, data privacy and, in some cases, the physical location of public-cloud infrastructures. So the private cloud was created, characterized by the same shared services, elasticity and rapid provisioning as other cloud services, but dedicated to government IT. Today, as agencies move systems to meet the federal “cloud first” mandate, most employ a private-cloud model.

“Over 80 percent of what the federal government does in the cloud will be done in the private cloud,” says Shawn McCarthy, research director at IDC Government Insights. “As the public cloud matures and proves itself to be highly reliable, that might change. But a level of trust hasn’t been established yet.”


Flavors of Private Clouds

In government, private clouds fall into three general categories. First is a private cloud that one agency obtains as a service from another government agency. “We think of that as a shared service, which has been used in government for a while,” McCarthy explains.

The second type of private cloud is located at a federal site but operated by a contractor. The third type is located offsite in a service provider’s data center but is dedicated to government customers. “Your agency might be on a virtualized rack next to a state government and a county government, but it’s all dedicated to government,” McCarthy says, “as opposed to being on a rack and your next-door neighbor is a company in China.”

The Census Bureau is in the process of building a private cloud at its Bowie, Md., data center. When the project is up and running, it will offer infrastructure as a service (IaaS) to Census users.

“This is based on user feedback,” says Harry Lee, senior computer scientist for infrastructure at Census. “They come to IT for processing capabilities, storage and applications. It takes time to provision those, so we wanted to improve the way we deliver those capabilities and, over time, let users request those services through a web portal.”

Census is following a building-block approach to creating its private cloud, from standardizing its infrastructure across the agency, to consolidating systems in Bowie, to virtualizing the infrastructure on IBM BladeCenter servers running VMware. From there, Lee says, it’s a matter of adding automated tools for provisioning the infrastructure based on users’ needs, introducing capacity- and demand-management software and, finally, developing a web interface for requesting IaaS.

While the result will be a private cloud that offers IaaS, Lee says Census will eventually pull in public-cloud resources to create a framework for providing other shared services. “Based on security and privacy requirements, there are certain things we need to retain in a private cloud,” he says. “But based on spikes in demand, especially when we get to the 2020 Census, we need to think about where we can look externally to provide those peak resources. We don’t want to buy for the peak, so we have to consider a hybrid cloud.”


The number of companies that the General Services Administration tapped to offer cloud-based e-mail services (private and public) to government agencies

The Homeland Security Department has developed and fielded 12 cloud-based services — nine in private clouds hosted at two DHS data centers. One of the data centers is government-owned, and the other is contractor-owned.

“Ours is a two-part strategy that features both the private-cloud and public-cloud models,” explains DHS CIO Richard Spires. “While our public cloud enables migration to open-source technology that improves government-to-citizen services, our private-cloud infrastructure is operated solely for our organization.”

According to Spires, DHS uses private clouds to manage sensitive data and services, such as virtual desktops and mobility services; virtualized, multitenant collaboration environments for information sharing; and authentication services across the department. “We’re also transitioning our legacy e-mail systems to e-mail as a service and cultivating customer relationship management services,” he says.

Some agencies considering the cloud worry that having a dedicated infrastructure to host private-cloud services can eat away at potential savings. However, while a private cloud may not be as cost-effective as a public cloud, it can still save agencies money.

“Our private-cloud computing capabilities are being deployed in both our data centers, but in both data centers, our service providers own the computing infrastructure,” Spires says. “Early projections indicate a cost avoidance savings of 8 to 10 percent once we fully transition to private-cloud infrastructure services.”

Private to Public?

In the long run, many regard private clouds as one stop along the way to secure, public-cloud services. At the Consumer Financial Protection Bureau (CFPB), which began operation in 2011, CIO Chris Willey oversees an IT infrastructure built from scratch. “We’re not building a data center,” he says. “We’re not buying racks or servers, except in a couple of rare instances. From the beginning, we realized that to do what we wanted to do as fast as we wanted to do it, the best way was to leverage cloud infrastructures.”


The amount agencies could save annually on e-mail by migrating to one of GSA’s cloud providers

SOURCE: General Services Administration

The CFPB intends to run its entire infrastructure in one type of cloud or another. The agency gets some of its resources from the Treasury Department, some from a private-cloud provider dedicated to government customers, and some from a traditional public cloud. As service providers address security concerns in public clouds, Willey expects to transition more of CFPB’s resources to those clouds — and he believes other agencies will go the same route. “We have to make sure that we do due diligence on the security side so that as we bring more sensitive data into that environment, we do it in such a way that it doesn’t jeopardize the data that we have to protect,” Willey says.

Agencies with private clouds often look to maximize their existing investments, having already built data centers and invested in server technology. “There are significant switching costs for people who’ve built that kind of infrastructure and after standing up a system in a data center, say, ‘All right, now we’re going to move this into a cloud,’ ” Willey explains. “And clearly, agencies with private clouds worry about security and protection. They’re right to be cautious about that.

“But because we’re basically starting from zero, we have the opportunity to take advantage of public clouds sooner than other agencies,” he says, adding that he expects more agencies to adopt public clouds, but on varying schedules that suit their needs.

Though the vast majority of its cloud services are delivered via private clouds, DHS’s Spires can envision a time when his department utilizes more public-cloud resources, especially as the Federal Risk and Authorization Management Program (FedRAMP), a program for assessing cloud services, evolves.

“As FedRAMP matures and we begin to see public-cloud service offerings that meet our security requirements,” Spires says, “we will look at the potential to migrate applications that handle sensitive data to public-cloud service providers.”

Credit: Nicholas McIntosh
