When it comes to cloud adoption, federal agencies might learn a thing or two from Texas. In 2007, the state started consolidating data centers and moving certain applications to the cloud, but it found it didn’t have the expertise on staff to figure out which applications were most suitable to the cloud, which cloud services were most appropriate and how best to get the applications where they needed to be. So Texas started piloting a cloud brokerage — considered among the first in government — to handle such details.
“The concept was to aggregate services into a single portal, which allowed [an] agency approval and workflow, price comparison and … access to multiple cloud providers,” said Frosty Walker, chief information security officer with the Office of the Texas Secretary of State. Walker spoke on Jan. 16 at the MeriTalk 2014 Cloud Computing Brainstorm in Washington. “Had it not been for the cloud brokerage model, we would not have entered into this frontier.”
Like Texas, many federal agencies could use help in their efforts to utilize cloud services. It can be hard to determine which cloud services match an agency’s needs — and even harder to actually contract for those services. And with a June deadline looming, by which agencies must ensure that their cloud service providers comply with the Federal Risk and Authorization Management Program (FedRAMP) requirements, agencies are seeking even more guidance. Cloud brokers — either third-party companies or internal government organizations — can help.
“We’re struggling with the concept of cloud brokers,” said Dave McClure, associate administrator of the General Services Administration’s Office of Citizen Services and Innovative Technologies, at the Cloud Computing Brainstorm. “We all know that the integration of cloud services, the interoperability of cloud services … are huge questions for government buyers of technology. In some cases, we’ve floated the idea of a broker being able to sort through and understand what some of those issues are and guide the acquisition process a little bit more, rather than just picking randomly off of a schedule.”
The National Institute of Standards and Technology (NIST) has defined a cloud broker as “an entity that manages the use, performance and delivery of cloud services and negotiates the relationships between cloud providers and cloud consumers.”
At the Defense Department, that entity is the Defense Information Systems Agency (DISA). As the DOD began migrating systems to the cloud, it became apparent that too many organizations were launching too many cloud pilots, without enough coordination. “The intent was to set up a cloud broker endeavor to manage this,” said Frank Konieczny, Air Force chief technology officer of the Office of Information Dominance and chief information officer of the Office of the Secretary.
The DOD cloud broker was established as a separate unit within DISA. The cloud services it deals in begin with a foundation of FedRAMP compliance and then add several layers of data and security controls, spelled out by NIST.
But one of the biggest challenges the DISA cloud broker has sought to manage is contracting. Among the questions a broker must deal with, according to Konieczny: With whom does the customer contract? Who actually moves an application to the cloud? And if there are multiple parties involved — say, the cloud provider and a systems integrator — who is responsible for the service-level agreement, and who handles the penalty clause?
“If we put a mission system into a private cloud provider, we want a penalty clause,” Konieczny said. “And the penalty clause may be that you have to switch to another cloud provider. That means we have another contracting issue: How am I going to bring together two separate cloud providers and say, ‘I want you to be a backup for this guy, because if you fail, this guy has to take over’?”
A cloud broker can offer several benefits, according to CIOs. The broker can help compare costs across many cloud services and can handle the vetting process required to determine cloud providers’ security and compliance postures. In addition, the broker can help negotiate more operational issues, such as how an agency can scale (and pay for) its cloud resources on short notice in cases of traffic spikes or other unforeseen requirements.
“It’s very hard to cast a net across various cloud offerings and get clarity,” said Hamid Ouyachi, chief technology officer at the Labor Department. “If I have a large workload that I want to move to the cloud, I need to be able to simulate what my cost will be over 10 years. Depending on who you ask, you will get different numbers. There are people who will say you will save, and people who will say it will actually cost you more than if you did it on premises.”
Ouyachi recognizes that the Labor Department is unlikely to establish its own cloud broker, so it needs to leverage external brokers. “But it’s the Wild West within the broker world,” he said. “We’re struggling to figure out precisely where we can get trusted brokerage.”
Admittedly, cloud brokers are a relatively new phenomenon. In its guidance, NIST has begun to separate the business side of brokering (such as contracts) from the technical side (such as provisioning). Ouyachi believes that if companies could automate the technical side of cloud brokering — discovering suitable service providers and requesting service — it would be a significant help.
Agencies expect cloud brokers to play a larger role in the federal Cloud First initiative, even as they sort out solutions to contracting, interoperability and other issues. Ultimately, cloud brokers can assume some of the risk that agencies now take in adopting what is still an emerging computing platform.
“The broker entity has great value,” Ouyachi said.