Listen to the first part of our interview with Susie Adams.
With the recent release of Microsoft’s Azure, Fed Cloud Blog decided to talk with Susie Adams, CTO for Microsoft’s Federal Business, about cloud computing, the platform and where she thinks federal agencies can most benefit in terms of the cloud.
In the first part of our interview with her, she talks about what cloud computing actually is — and why it’s nothing new, really.
Susie Adams: So, if you think about the definition of cloud computing — we can take the definition that NIST has given — and what they’ve done is really layered it into three different layers. So, you have infrastructure as a service, platform as a service and software as a service — and a very similar way that we think of multi-tier applications. At the infrastructure layer, you have your physical ping, power and pipe, and then on top of that you have your operating system layer.
In the cloud, we see as a natural evolution of moving to the cloud that you also need a cloud operating system, so that’s what Windows Azure is for Microsoft. So, it is Windows Server 2008 with our hypervisor virtualization technology with some engineering modifications to be able to handle the elasticity that’s needed to scale cloud apps up and down.
Fed Cloud Blog: One of the things that we talk about is security. Tell me a little about the challenges of securing something in the cloud versus [legacy] desktops, laptops, what have you.
SA: I like to talk about security first off by saying that, when most people talk about the cloud they think of it as some brand new technology that just kind of sprung up out of nowhere. Really, it’s just the fifth generation of IT. It’s a natural evolution, actually for the IT industry.
With that said, all the learnings, especially from a security perspective that we’ve garnered over the years . . . all those same security best practices still apply in the cloud, and then the obvious thing that people are concerned about is the lack of control that they feel that they have when they give their data, for example, to a service provider like Microsoft. Is my data safe? Will it be kept private? Is it secure?
So, when we think about those things from a security perspective, most people immediately go to security controls and best practices. From Microsoft’s perspective, we really think about it from two different standpoints.
One, it’s not just about the physical infrastructure and the controls that you have in place, it’s all about the people process and the technology. You can have the best controls in place and be utilizing best practices, but if you don’t have a rigorous process in place to evaluate and audit that on a regular basis, and continuously improve that process . . . you’re not going to be adhering to the best security practices.
The second thing is all about transparency and trust. When you think about, for example, email moving to the cloud, federal agencies have been using systems integrators for years to host their email systems. Some in data centers that are owned by the government, and some in data centers that are owned by systems integrators. When we look at how that traditionally has worked, the government agencies have been able to go in at any point in time and actually look at or audit a particular service running on a server.
The cloud model’s a little different because it’s a multi-tenant environment, and in that environment, it’s almost cost prohibitive to allow every single customer to come in. From our perspective, for you to trust us with your data, we have to be extremely transparent about the security processes that we have in place, the security controls that we’re compliant with. . . . What we like to do is make sure that our customers understand which security controls we’re compliant with and we allow them to actually look at the audit logs and things of that nature.
FCB: All of this talk about cloud computing and moving into the cloud is really making people change their mindsets. Do you think that that’s still a challenge, though, that some people [are stuck in the past]?
SA: Absolutely we do see it as a challenge. . . . For obvious reasons, as the IT industry has grown up, people have learned that if they have physical control over the applications and the systems that applications are running on, that they have a little bit more confidence on the reliability of that service. To go ahead and just say — especially if you think of the administrators today and the stress that they’re under, for example, just to make sure that mail is up. 99.9 percent of the time they’re very reluctant to say — I’m just going to give all of this to the service provider — especially since we’re just in the infancy of cloud computing.
The interesting piece here, I think, too about this is from a procurement model we’re still kind of stuck in the legacy mindset. I’ve talked with several CXO-level executives in multiple agencies and when we talk about — let’s take email and move it to the cloud — agencies don’t want a contract just for email. [They want] what I call the everything-but-the-kitchen sink model, where it’s email, desktop management, collaboration software, and a number of other helpdesk [options].
So, when we say — we can provide email to you, Federal Agency, they immediately go — I want everything else, too. What about my PII? Today, the way cloud services work, that’s not traditionally something that a Microsoft or a Google or an Amazon offers. We actually offer services in one of those three layers of the cloud stack.
I think that that is also going to be a challenge. It’s the [feeling of] the lack of control — and the way they procure software today.
On Wednesday, we’ll bring you more of our conversation with Susie Adams, when she will discuss the possible cost-savings — and pitfalls — of the cloud.