Data security. Cost. Reliability. Interoperability. As the Defense Department embarks on five commercial cloud pilots this fall, the list of unknowns grows.
"There are lots of issues with going to a cloud provider in the commercial cloud space," says Air Force Chief Technology Officer Frank Konieczny. "That's why we do pilots — so we can work through those issues."
What's more, DOD is likely to contract with multiple providers, "because everybody's offering different capabilities," says Konieczny. "We have to figure out how we're going to manage the maintenance of all those applications, because each vendor has its own way of doing things."
As more agencies adhere to the Federal Cloud Computing Strategy and adopt cloud-first policies, they're grappling with many of the same issues as Konieczny and his colleagues at DOD.
"You have to actively manage your cloud providers, just like you have to do with other contractors and staff," says former Securities and Exchange Commission CIO Thomas Bayer, who recently left the agency after four years at the head of its Office of IT.
But, he adds, cloud management is getting easier. "The cloud providers know that their success depends on their ability to traverse public and private clouds and different providers, and they're getting better at it. We have to get better at it as well."
Agencies can get assistance. They can use tools that provision virtual machines across multiple clouds, migrate applications or perform service management and application capacity tracking, explains Mary Johnston Turner, research vice president at IDC.
All of the cloud services used by the General Services Administration provide mechanisms to securely integrate agency systems and various cloud services via application programming interfaces, data transfer mechanisms and standards-based access management, says GSA CIO Sonny Hashmi.
"The cloud industry has been maturing fast over the last couple of years in terms of its expertise, ability and motivation to meet federal terms of service," he says.
In fact, GSA has been working with various cloud providers through its Federal Risk and Authorization Management Program (FedRAMP), which provides a security baseline for cloud services.
To earn FedRAMP authorization to operate, a cloud service provider must have its security processes, architectures and controls evaluated and assessed on an ongoing basis through continuous monitoring processes. Providers also are required to notify GSA of any significant issues they experience.
"More companies than ever before are interested in meeting FedRAMP requirements so that the federal government may be able to use their services," says Hashmi.
IT leaders must ask many important questions before moving to the cloud, explains Hashmi. Agencies should assess a cloud service's lifecycle costs and compare the cloud's return on investment with maintaining in-house systems. They must make sure a cloud service complies with agency and federal policies and craft contracts that address security, access and ownership of data. Other essential considerations include business processes, severability, transition-out strategies and service-level expectations.
DOD already has services on milCloud, an Infrastructure as a Service solution run by its cloud broker, the Defense Information Systems Agency. But moving to commercial providers raises a new set of questions.
"A lot of the issues that we have with clouds right now have to do with making sure that we understand what data's being put in the cloud and the security levels and controls that we have to place on that data," says Konieczny.
The DOD pilots will determine if the security model is adequate, he explains.
The agency also hopes to determine whether commercial clouds make financial sense. "The assumption is that it's cheaper if you go to a commercial cloud," says Konieczny. However, the more controls and reports the agency asks for, the higher the price.
Systems integrators can help navigate many of the issues common in cloud deployments. They can collect information from an agency's multiple cloud providers and present a unified view of the metrics and performance of their cloud portfolios, explains Shawn McCarthy, research director at IDC Government Insights.
DOD uses a systems integrator to maintain and operate its cloud systems, but that raises another question: Who is responsible for ensuring that the agency gets the reliability and resiliency it needs? "In the end, we have to make sure that the mission actually gets done as opposed to finger-pointing between the cloud provider and the system integrator," says Konieczny.
Before DOD can contract with commercial vendors, though, it needs to determine how to fund those services. The agency typically pays for fixed expenses month by month, but fees for many cloud services fluctuate based on usage. So DOD either needs to negotiate fixed contracts or treat the services like commodities, such as electricity.
"Those are the main things — how you pay for this and how you contract it," says Konieczny.
The Securities and Exchange Commission has years of experience using and troubleshooting issues with commercial cloud services — and, in turn, is answering many of the questions that DOD is now facing.
Since moving its Investor Response Information System call center application to a commercial cloud provider in fall 2010, the SEC has added about 50 applications to the cloud, including its search engine capability, website, two data centers and its Market Information Data Analytics System. It's now planning to move its development and testing environments into the cloud, according to Bayer.
"If a Software as a Service provider has a cloud application that we don't have to manage, that's a positive for us," he says.
At the same time, the SEC has to be cautious about the providers it chooses. It has a 99.99 percent uptime requirement, 24 hours a day, 7 days a week, so it looks for vendors that can meet that level of service.
Security is another consideration. The SEC must make sure that its cloud providers are meeting or exceeding security requirements established by the National Institute of Standards and Technology. The SEC has detailed metrics, and its cloud vendors provide active monitoring of systems and networks, informing the call centers and network operations center staff of various statistics. "It's a very comprehensive program," says Bayer.
As agencies expand their efforts in the cloud, Bayer stresses the need for human communication. His team of employees and contractors calls in each day to a 20-minute stand-up meeting. They report issues, outages or other items of concern with the agency's cloud applications.
"You need to carefully plan out the service-level agreement and figure out how you're going to manage the provider and measure the applications to make sure that they're up and available and that they have great response times, as promised by the SLAs," Bayer says.
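Measuring an application against the SLA terms Bayer describes comes down to two numbers: availability over the reporting period and response time against the promised threshold. The following is an added example, not code from the article, the SEC, or any cloud provider; it assumes a 30-day reporting period, a four-nines (99.99 percent) availability target, a hypothetical 500 ms p95 response-time limit, and constructed outage and latency samples. It shows how little downtime four nines actually allows per month.

```python
"""SLA check for a cloud-hosted application: availability and p95 response time.

Added example (not from the article or any agency's own tooling). The outage
records and latency samples below are constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import datetime

# Assumption: a 30-day reporting period, expressed in minutes.
PERIOD_MINUTES = 30 * 24 * 60  # 43200


@dataclass
class Outage:
    """One period during which monitoring reported the application down."""
    start: datetime
    end: datetime

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def availability_pct(outages, period_minutes=PERIOD_MINUTES) -> float:
    """Percentage of the period the application was up."""
    down = sum(o.minutes() for o in outages)
    return 100.0 * (period_minutes - down) / period_minutes


def allowed_downtime_minutes(target_pct, period_minutes=PERIOD_MINUTES) -> float:
    """Downtime budget implied by an availability target over the period."""
    return period_minutes * (1 - target_pct / 100.0)


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    ordered = sorted(values)
    rank = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[rank]


def evaluate_sla(outages, latencies_ms, target_pct=99.99, p95_limit_ms=500):
    """Compare measured availability and p95 latency against the SLA terms."""
    avail = availability_pct(outages)
    p95 = percentile(latencies_ms, 95)
    return {
        "availability_pct": round(avail, 4),
        "availability_met": avail >= target_pct,
        "downtime_minutes": round(sum(o.minutes() for o in outages), 2),
        "allowed_downtime_minutes": round(allowed_downtime_minutes(target_pct), 2),
        "p95_latency_ms": p95,
        "latency_met": p95 <= p95_limit_ms,
    }


# Constructed sample data: two short outages (3 min + 2 min) and 20 latency samples.
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 9, 3, 10, 0), datetime(2014, 9, 3, 10, 3)),
    Outage(datetime(2014, 9, 17, 22, 30), datetime(2014, 9, 17, 22, 32)),
]
SAMPLE_LATENCIES_MS = [120] * 17 + [300, 450, 900]


if __name__ == "__main__":
    report = evaluate_sla(SAMPLE_OUTAGES, SAMPLE_LATENCIES_MS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With these constructed inputs, five minutes of downtime in a month exceeds the 4.32-minute budget that 99.99 percent allows, so the availability term is missed even though each individual outage was brief, while the p95 latency of 450 ms stays under the assumed 500 ms limit. Feeding the function real outage records from the provider's monitoring feed turns it into the per-application measurement the quote calls for.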
In many cases, cloud services make management easier. For instance, while the SEC has seen heavy migration to mobile device usage, it didn't need to build out its network or invest in IPv6 to support mobile devices because its cloud providers handled that.
Patching is also simplified, Bayer says. The SEC still needs to plan patches and coordinate with third-party vendors, but it's not involved in the actual patching. "As we move more applications to the cloud, it will become easier for us to manage, because this kind of rote work will be migrated from our side to the cloud provider's side," says Bayer.