The Trump administration’s Cloud Smart strategy makes clear that federal agencies should deploy cloud solutions that meet their mission needs.
A key question agency IT leaders need to think through is which cloud models work best for their agencies’ strategic plans: Software as a Service, Infrastructure as a Service or Platform as a Service.
“The traditional cloud deployment models reflected a progression of increasing vendor-ownership through system layers, from Infrastructure as a Service (IaaS) where vendors provide only the infrastructure and hardware, to Platform as a Service (PaaS) where vendors provide hosting and infrastructure management, to Software as a Service (SaaS) where agencies only need to provide their data and most other capabilities and functionality are provided by a vendor,” the strategy notes.
Cloud service providers (CSPs) such as Microsoft’s Azure, Google, IBM and Oracle can offer agencies “finely differentiated set of capabilities at different layers,” the Office of Management and Budget notes.
“The rapid development of both open source and proprietary offerings have made possible today almost any combination of vendor and Government ownership of these various layers,” the strategy adds. “Most major vendors now offer a variety of available adoption paths and services depending on end-user needs. Industries that are leading in technology innovation have also demonstrated that hybrid and multi-cloud environments can be effective and efficient.”
The possibilities are seemingly limitless when it comes to the combination of cloud services agencies can deploy, but they must be “properly equipped to evaluate the choices available to them based on their service and mission needs,” the Cloud Smart strategy notes. “Agencies should make computing and technology decisions that take into account end-user impact balanced against cost and risk management criteria.”
How can they do that and decide which models are right for them? Agencies need to determine how much control and customization they want to bring to their cloud services, as well as how much involvement they need to have in terms of application and data security, experts say.
“It really comes down the roles and responsibilities that each agency is required to do versus what the cloud service provider is responsible to do,” says Ashley Mahan, the acting director of the General Services Administration’s Federal Risk and Authorization Management Program, which authorizes and monitors federal cloud services.
Mahan notes that all the cloud layers — infrastructure, platform and software — “work hand in hand with each other to deliver technology or capabilities to the end user, to the agency.”
As part of the FedRAMP process, CSPs describe in detail what roles and responsibilities they have terms of security compared to the roles and responsibilities of agencies. “As you travel up the cloud stack, essentially the cloud service provider is taking on more responsibility,” she says.
What Is SaaS?
In the Software as a Service model, software is licensed on a subscription basis and is centrally hosted by a CSP. Applications are abstracted, and can run the gamut from human resources to customer relationship management, email and collaboration tools.
In SaaS “everything is abstracted, you just use the whole application through a browser interface,” says Larry Carvalho, research director for IDC’s Platform as a Service practice.
Switching any applications an agency has that can be moved to a SaaS model will save them the most, Carvalho says. “It makes no sense for you to use an Exchange server or Lotus Notes server or anything in-house for email,” he says. “It’s more secure, more trackable for everything you do.”
Mahan notes that with SaaS, agencies get access to a service that, “out of the box, really is ready to go on day one and allows you use innovative products to enhance your mission very, very quickly.”
What Is IaaS?
Unlike SaaS, Infrastructure as a Service allows agencies to shift major IT functions, such as computing, storage, networking and databases, to the cloud. Agencies can effectively “rent” all of the equipment needed for such functions in a CSP’s data center and pay only for the capacity and space they use.
CSPs own, manage and maintain the equipment, and give agencies enough capacity to scale up or down to meet their mission needs. Agencies can use virtual machines to access their apps via a browser interface. Carvalho notes that the “lift and shift” model of just running workloads that had been on-premises in a CSP’s infrastructure has limited value. “You still are holding a lot of responsibility other than having physical servers,” he says. Agencies also do not have to worry about physical security or network backups, he notes. However, the savings usually only amount to 20 percent, he says.
IaaS allows agencies to “build their own custom environments,” Mahan says.
What Is PaaS?
Platform as a Service enables agencies to develop, run and manage apps without having to worry about the infrastructure they would usually need to develop and launch an app.
Mahan says that PaaS is “more hands-on” for agencies. CSPs are providing some services but not a lot, and agencies can use prebuilt cloud environments to start building apps in those environments. That allows for some customization, but it also brings on more responsibilities for agencies in terms of security, such as active control, multifactor authentication and ensuring credentials are authenticated.
Carvahlo notes that many agencies can refactor their applications and rewrite them to take advantage of cloud services like serverless computing, and add in new capabilities such as artificial intelligence and support for Internet of Things applications.
“I think that after lift and shift you get the refactoring. That’s when you get the benefits of Platform as a Service,” he says. “You get a lot cost savings, because now rather than paying somebody for proprietary software you might be using open source software.”
PaaS, Carvalho says, gives agencies the agility to use higher-end services like AI and machine learning, and it boosts the speed of application development and lowers the cost of development.
IaaS vs. PaaS vs. SaaS: The Advantages and Disadvantages
The different cloud computing models each have their advantages and disadvantages for agencies. If agencies can use a public cloud service that meets their infrastructure needs, there is no need for them to keep running a data center, Carvalho says, pushing them to IaaS, which will decrease their costs.
If agencies are still using an on-premises HR, email or customer relationship management application, they can shut that down and use a SaaS solution that fulfills those purposes and meets government regulations.
For those organizations that have custom applications — for example, the Defense Department has an app that tracks planes — they can refactor that app in a PaaS model and “do a lot more with a lot less resources than they would ever have before.”
PaaS does require more effort and user training than other models, and agencies often do not have enough skilled workers to understand all of the aspects of PaaS. They then have to rely on system integration firms to help them rewrite applications, Carvalho notes.
However, the cost savings are significant. “You could be paying millions of dollars a year for license fees,” he notes. But in a public cloud, the cost of running the software is much lower — perhaps by as much as half.
“The agility you gain is significant enough that the PaaS adoption makes a lot of sense for a government agency,” he says. “I do agree that there is a larger effort and I do feel that the biggest challenge is getting the correct talent for you to be able to do things.” That may require agencies to provide more training and create centers of excellence to improve user education, Carvalho says.
Agencies can use IaaS and PaaS to leverage their in-house expertise to “build their cloud footprint from the ground up,” Mahan says. Those models can allow agencies to create a customized environment and approach based on their internal strategies and knowledge, she says.
However, a disadvantage of IaaS and PaaS can be that they require agencies to have a sound strategy in place to fully leverage those models’ capabilities. “Being able to pick the right mix of cloud deployment models for your agency is key,” Mahan says. “So, if you don’t have that strategy, if it’s kind of difficult for you to understand what your current technology landscape looks like and what skillsets you have across your agency, then it gets a little bit more complicated in moving to cloud and picking the right mix for your organization.”
As BMC notes in a blog post, the differences between IaaS vs. PaaS are clear, and each model has different advantages. IaaS platforms are composed of “highly scalable and automated compute resources. IaaS is fully self-service for accessing and monitoring things like compute, networking, storage, and other services, and it allows businesses to purchase resources on-demand and as-needed instead of having to buy hardware outright,” the blog notes,
Additionally, IaaS is a great option for smaller organizations, since they would not have to spend the time or money trying to create hardware and software. “IaaS is also beneficial for large organizations who wish to have complete control over their applications and infrastructures, but are looking to only purchase what is actually consumed or needed,” BMC notes.
In contrast, PaaS provides a platform for software creation that is delivered over the web, BMC notes, “and gives developers the freedom to concentrate on building the software while still not having to worry about operating systems, software updates, storage, or infrastructure.”
PaaS can streamline application development and is also beneficial if organizations want to create customized applications, the blog adds. “This cloud service also can greatly reduce costs and it can simplify some challenges that come up if you are rapidly developing or deploying an app,” the blog says.
How Feds Should Decide on IaaS vs. PaaS vs. SaaS
As agencies move to the cloud, IT leaders should take a hard and honest look at the agency’s unique strengths and weaknesses, Mahan says, as well as their IT budget and mission priorities, and then identify the scalable cloud solutions that enable those priorities.
FedRAMP is working with 156 agencies and has 213 cloud vendors that are FedRAMP-ready, authorized or in process according to Mahan. Of the services in the FedRAMP program, 67 percent of them are SaaS, 20 percent are IaaS and 13 percent are PaaS.
FedRAMP is seeing agencies use all three models to address very specific needs, Mahan says. Some agencies want to transition large portions of their IT footprints to the cloud and create customized environments, which is where IaaS and PaaS would come into play. Many agencies are contemplating multicloud environments that make use of several IaaS or PaaS instances.
Agencies look to SaaS for niche services that address specific needs for programs or projects. Agencies can turn to SaaS for enterprisewide services, such as HR, e-learning, email or data analytics, Mahan notes.
FedRAMP promotes partnership with the private sector and the wide range of CSPs in the program. Agencies need to understand the roles and responsibilities between what the CSP is on the hook for and what they are responsible for, she notes. Having that knowledge and understand is “critical,” she says, as is having a good cloud governance model and configuration and change management capabilities.
Agency IT leaders should conduct a portfolio analysis to determine which apps it can or should move to the cloud, Carvalho says, and which would be most appropriate for SaaS. They should do such analyses every six months to determine the “low-hanging fruit” they can shut down and move to SaaS models.
Agencies should also determine what they can lift and shift to IaaS so that they can shut down data centers. After that, they should determine which apps can be refactored and moved to containers or serverless models.
Some applications may need modernization and changes. Agencies can then use the PaaS model to start pilot projects for modernizing those apps, Carvalho says.