Don’t fear the cloud, Kundra says

Fears about the security of cloud computing are exaggerated, Federal Chief Information Officer Vivek Kundra said at a forum on Capitol Hill last week.

“A lot of people are sort of driving this notion of fear around security,” Kundra said, according to Computer World. “And the reason I think that’s been amplified, frankly, is because it preserves the status quo.”

The conference was organized by Kundra and Sen. Tom Carper (D-Del.) to address the future of cloud computing in the federal government.

While security remains a major concern and, in some cases, a roadblock to public cloud adoption, agencies like the Department of Homeland Security are bucking the trend. DHS announced in May plans to move its public websites to the public cloud.

“I am a believer that we are going to, over the next few years, really solve a lot of the cybersecurity concerns that we have with cloud-based services,” DHS CIO Richard Spires said at the forum, according to Computer World.

Kundra also believes the shift to cloud computing will mean stiffer competition among government contractors. According to Federal Times, “Kundra said the administration wants to ‘introduce Darwinian pressure’ into the market to ensure that companies win government IT contracts because they provide greater efficiencies, not because they’ve mastered the procurement process.”

Saving money has been a major topic of conversation on Capitol Hill in recent weeks as lawmakers sparred over raising the debt ceiling.

During the forum, Sen. Carper said the use of cloud computing and smarter IT overall is one of the biggest ways to save money in government.

“We need to look into every nook and cranny of the federal government and find better results for less money . . . One of the great ways you can provide better service for less money is to do IT well and to do it smart,” Carper said, according to NextGov.

Fact or cloud computing myth?

Information technology managers around the world are being asked their thoughts on cloud computing and whether the companies (or agencies) they work for should use it. As with any new(er) technology, separating fact from fiction can be difficult.

Former Chief Information Officer Michael Hugos discussed what he believes are five cloud computing myths with Business Finance.

First, he said the idea that security for data in a cloud isn’t as good as in-house security, doesn’t make sense. “Security is part of how these companies make money,” Hugos told Business Finance, therefore they take it very seriously.

Second, the idea that cloud servers are less reliable than in-house data centers often isn’t the case. He points to the fact that cloud vendors have to keep on top of updates for their servers because it’s their livelihood.

Third, saving money is not the main reason companies should consider the cloud, he said. “The most compelling incentive to move to the cloud is to switch from a fixed-cost capital intensive business model to a variable cost pay-as-you-go operating expense model,” Hugos said in Business Finance.

Fourth, he said it’s a myth that big companies can run servers in-house for less money than in the cloud. He said companies often fail to factor in indirect costs like the salaries of people needed to run those servers and the energy it takes to run them.

Finally, he said the myth that cloud computing technologies require a whole new skill set for employees is unfounded. Instead, he said, businesses incorporating cloud computing will begin to rely more heavily on different kinds of people within their organizations, like business architects and enterprise architects. “That person is suddenly going to become much more important because they’re the ones who translate business needs into technical solutions,” Hugos told Business Finance.

Cooperation between CFOs and CIOs leads to cloud success

Earlier this month, the Fed Cloud Blog mentioned a survey that found chief financial officers aren’t as familiar with cloud computing as the chief information officers in their organizations.

Ann All, a blogger for IT Business Edge, says when it comes to cloud computing, CFOs and CIOs really need to work together. She says the regulatory questions that cloud could create have big implications for finance, and the two groups need to answer those questions together.

“CIOs should enlist CFOs to help spread the word that software-as-a-service will work better for everyone if IT is involved from the beginning. Of course, this will only work if IT is willing to at least consider all SaaS requests,” All says.

All even offers seven tips for CIOs who want to become partners with their CFOs:

• Get to know them on a more personal, non-business level;
• Help CFOs solve problems with IT solutions;
• Speak plainly and tell CFOs how a project can improve sales or reduce costs;
• Be thorough when submitting financial proposals to CFOs;
• Educate yourself so you can understand your organization’s finances;
• Be forthcoming with financial information;
• Consider appointing an “internal CFO” for the IT department.

What’s the relationship like between CFOs and CIOs in your organization? Tell the Fed Cloud Blog!

Why federal CIOs, CISOs still have concerns about the cloud

Has there been a break in the cloud?

Symantec recently released its 2010 Break in the Clouds Report, which shows that many CIOs and CISOs in the federal government still have real concerns about security.

Ned Miller, director of public sector strategy for Symantec’s public sector market, breaks it down for us today.

NM: The purpose, or intent, of the report was really simply to evaluate where agencies were, or currently are, in their overall cloud strategy, and then evaluate the ones that are early adopters, specifically with any challenges or barriers they’ve had with implementation, and really to focus on their key concerns. That will allow us to position how we can help our government clients going forward.

FCB: And what were some of your key findings?

NM: There were a number of themes that were pretty consistent in terms of the evidence that we collected.

The first area that we were very focused on was just how many agencies had actually implemented cloud, or cloud-based applications, or any platform or infrastructure. We accounted for about 23 percent of the agencies that participated in the survey have actually implemented cloud, and about 35 percent are planning to implement.

A couple other key areas that I think were interesting and noteworthy [are] — the emphasis on private clouds versus public clouds, and where agencies have already adopted some cloud strategies. About 58 percent of agencies are already using a private cloud, or in-house cloud, versus approximately 64 percent of those who are planning . . . to use private or in-house cloud versus using an outsourced cloud model.

FCB: We always, inevitably, come back to the security question. [Your survey] says 89 percent say data protection privacy is their top issue. Can you break down those numbers a little bit for us?

NM: Based, again, on the survey, about 80 percent of the participants came back and responded with that they believe that encryption in the cloud is a key area that needs to be addressed, and approximately 70 percent of them have come back and required data segmentation for the actual data in the cloud itself.

FCB: In terms of where agencies are now in terms of implementing cloud, you’ve got a slide [in the report] that says ‘proceeding with caution’. How does that tie into the security question?

NM: Well, in terms of ‘proceeding with caution’, a number of CIOs and CISOs that I’ve spoken to personally are still moving forward based on the mandates coming from OMB with their implementation of cloud strategies; however, the concerns are still centered mostly around security.

It still comes back to the data itself, protection of that data, and they’re fairly conservative in terms of the implementation approach to date, and therefore they’re really relying on building private clouds and building inside their own infrastructure. So, those are kind of still the key concerns — it really has to do with the data itself and where it resides.

FCB: So, a lot of agencies say they feel safer in these private clouds, rather than public clouds, but according to your survey, almost half who have implemented cloud don’t know if they’ve experienced a breach or an attempted breach. Is this cause for concern? Should we be really worried about this?

NM: We should, and, again, this speaks to the desired end state, which is a clear set of standards to address how to adopt and deploy and implement a secure cloud, which leads to FedRamp. . . . [It] is really designed to unify cloud computing security standards across the U.S. Government. Obviously, the initiative is managed by the folks up at NIST and Peter Mell, and he has a big task in front of him. We believe that, overall, this attempt to standardize a security model around cloud computing will take some time to evolve, and the biggest challenge we see with it, quite honestly, is not necessarily the adoption of the standards, but how quickly the industry — both the people, the process and the technology — are moving, versus how quickly standards can be adopted.

So, the biggest challenge to the standard, I believe, will be that we’re moving much faster than what standards typically have been able to get out.

FCB: What other barriers — perceived or real — are agencies facing at this point as they’re looking at cloud adoption.

NM: My sense is, at this point, that it’s going to come down to, specifically, expertise on the government agency side in terms of developing a technology strategy to deploy these private clouds.

So, we’re crossing into somewhat uncharted territory where agencies are building, with their own resources and infrastructure, these private clouds without necessarily a lot of strict guidance to any security standards, because they don’t quite exist yet.

So, in their rush to move towards the cloud, and derive the benefits that cloud provides in terms of efficiencies, economies of scale, etc., security often is still one of those scenarios that’s not baked in automatically.

FCB: And, finally, in terms of the ‘what’s next’ aspect of this, I believe you did talk to some agencies that are already implementing or starting to implement cloud computing. What did they tell you? What did you find out from them?

NM: It’s interesting in that, outside of the survey, I personally have been in contact, as I mentioned, with a number of CIOs and CISOs, and on the federal side, there’s a little over a dozen or so agencies that have fairly mature programs. They’ve actually stood up applications, some of which are service-to-citizen applications, the majority of which are still internal.

The notion of cloud computing is really catching on. We’re starting to see a number of agencies really jump towards that. I think in terms of what’s next is — they really need a cloud security strategy, instead of guidance from the authoritative sources, to help them ensure that, as they move forward with the guidelines that have been laid out by the federal budget planning process, [which says that] by September, 2011, any major IT investment acquisition has to provide an alternative analysis of a cloud strategy.

So, in terms of being able to support the mandates coming from OMB, I think the thing that we need the most is clear guidance around standards, and some assurance around the minimum security standards and criteria for both the industry partners [and] the government itself, specifically around data encryption, what the certification and accreditation process is really going to be like, what it means for one agency to approve a certain cloud provider [and] if another one can truly adopt that particular vendor, and then the notion of data segmentation for cloud solutions — whether it’s public or private.

Looking at NASA’s Nebula in 2010

We told you earlier about the Digital Government Conference.

One of the speakers was Chris Kemp, Chief Information Officer at NASA’s Ames Research Center.

He gave a presentation, Government Cloud Computing for 2010: Moving Towards Efficient Operations.

After his talk, we were able to catch up with him — and we bring you excerpts of our conversation with him now.

Fed Cloud Blog: Let’s start out with the 2010 budget guidance. We know there’s some sensitivities around it, but you mentioned the fact that there’s some requirements — some language — around cloud. Can you offer us a little more about it?

Chris Kemp: The first thing that I read a couple of months ago was that pilot projects should be pursued by federal agencies. Nebula is a pilot project that NASA’s been pursuing, and I think that other projects within other agencies, like DISA working with RACE, as an example of a pilot project — until we start having pilot projects, we don’t understand how to change our policies, procedures, processes and begin inserting the wedges in our budgets to start being more service-oriented and less infrastructure-oriented. So, I think it is necessary that, as soon as possible, agencies begin experimenting with the technology to begin understanding what impact this will have on their budgets and their infrastructure.

FCB: You mentioned that you guys are working on three or four different pilots, Nebula being one. You talked about the Microsoft telescope project with Mars, another one with Google — what’s the status. Are we looking at those happening in 2010 and beyond? Have they already started?

CK: I believe that, early next year, you’re going to see a full public release of Mars. This was something we announced we were working on a few months ago, so we’re going to be literally allowing every American to zoom in and see what’s going on in real time on Mars. So, every time we get a new image, we’re going to be recompiling it. It’s going to be live from the surface of Mars.

We’re also using Nebula to do some of the data processing behind Google, as well. So our goal is to use these platforms that have quite a following to make NASA’s mission more accessible to the public.

FCB: The idea behind this, we imagine, is that you have all this data. It’s publicly available. There’s no sensitivities behind it — let’s put it on the cloud and see what happens. Is that kind of the bigger idea?

CK: Right. A lot of this data has been on NASA Web sites but, if you’re a 5th grade student working on a science project, being able to go to a JPL Web site and pull down image ABC123 from camera C with with a spectral — that’s hard. Going into Google Earth, which you have probably on your computer in your classroom, zooming in and being able to see all the rich 3D panorama content that we’ve created — being able to go into Worldwide Telescope and see the tours of nebulas and planets and constellations — is a really new way for us to engage the public. Fortunately we’ve been able to do public-private partnerships with Microsoft and Google, so taxpayers aren’t even paying for this. We’re being reimbursed for the time spent making our data accessible on these platforms.

FCB: One of the things you mentioned about Nebula is moving it to Apps.gov within the next few months. You’re going to also release the business model so people can see the breakdown of how money’s being spent. It seems like you guys are not trying to make this a fee-for-service, but you’re really trying to say — this is what you can do with cloud. This is how it works.

CK: We’re trying to accelerate NASA’s ability to leverage this technology to support our mission. So, as we work on Nebula, what we’re trying to do is bake in the high data rates, the high performance, the requirements that we have as an agency into the DNA of cloud computing so we’re able to buy these things and procure these things from commerical providers in the future — that’s already baked i

FCB goes to the Executive Leadership Conference

The Executive Leadership Conference took place in Williamsburg, Va., over the past couple of days — and Fed Cloud Blog was there.

Federal CIO Vivek Kundra was there — and talked about a number of topics, including the fact that the federal government has seemed to have accumulated a large number of data centers over the years.

(Read more from WFED’s Jason Miller here.)

FCB cares because Kundra said that one of the long-term solutions for this problem involves cloud computing.

“We need to be able to dynamically allocate resources as we serve the American people through various applications.”

So, is there a cloud computing Line of Business in the future? Kundra said, not really, but the federal government did release a cloud computing strategy, which was released back with Apps.gov in September.

Overall, it seems that the federal government is, for now, taking small steps when it comes to moving into the cloud.

FCB will bring you more info from ELC as it comes back into the newsroom all this week.

---

Check out more of

CIO of the Office of Naval Research is in the cloud

Federal Cloud Blog recently ask Brian Reily, chief information officer at the Office of Naval Research, to answer our questionnaire. Here’s what he has to say.

---

Federal Cloud Blog: Does your agency/organization used shared services in IT? If so please describe.

Brian Reily: Yes we do use shared services. We are currently moving our business applications to Oracle on Demand. We also use the services offered by the Navy Marine Corps Internet and those offered by DISA. Our oracle on demand effort will save us $2M over 5 years and increase our Information Assurance posture.

We are also demonstrating a mobile computing device that will replace your blackberry, personal cell, VOIP phone and your desk/laptop computer. That is we are replacing all your computer with a single device that primarily is an access to the web where we host al the applications. The savings will be large and the security will significantly increase.

FCB: If you do use shared services, what was your motivation? Have the results been what you expected? What has not gone as well as you’d expected.

BR: We are in the initial stages of te Oracle on Demand shared service. We have established the NIPR net circuit which has taken some time. We are currently going through the certification process and should go live with our first application in October.

FCB: Now let’s talk about cloud computing. We’ll define it as having a third party host your applications and storage, accessible via the internet in a business model in which you pay. Are you investigating, piloting, using, or not considering working in the cloud?

BR: [We are] investigating, piloting and using cloud computing as defined above.

FCB: If you are investigating, piloting or using, which services are part of your efforts: storage; e-mail; other communications, such as instant messaging; office productivity applications; or agency-specific applications?

BR: Storage, e-mail and other productivity applications [are part of our efforts].

FCB: Please describe your service level agreement, for example, what is required in terms of up time, how fast new users are provisioned, security. That is, what are you getting contractually?

BR: I can make the contract available. [I can provide the SLA’s if needed.]

FCB: Describe how you pay for cloud services. For example, per user? per hour agency wide? Is there an initial startup fee for the agency? For each user as he or she is added?

BR: We pay based on users and applications being run. Details are available and can be provided if anyone is interested.

FCB: Is your cloud coming from a commercial entity, another agency, or your own agency?

BR: We use both Navy and DISA services. We also have gone commercial through Oracle.

FCB: Were there any unexpected issues that arose when you initialized your cloud arrangement? If so, please describe it/them.

BR: Making arrangements for the NIPR circuit has taken much longer than expected. However once the circuit is in place it will be easier for other folks to piggy-back and take advantage of our efforts.

FCB: Who (by position, not individual) was part of the decision to move to the cloud model?

BR: Basically it was my decision as the CIO. While I briefed it to senior leadership we completed a Business case analysis and we found a savings of $2M an increased security and responsiveness. Decision was really a no-brainer.

I also address this with senior IT leaders in the Navy. All are very interested in the results.

Since ONR charter is to look 20 years into the future exploring technology we adopted this philosophy for our IT environment looking 3 years into the future and testing emerging capabilities. We are also

FCB: Please describe the non-technical issues you had to work through for cloud. For example, agency culture, skepticism from the technology shop or other contractors.

BR: Many folks said we couldn’t do it especially our engineering staff. However, we did a test before we launched and provide that connectivity wasn’t the issue.

I think the real issue is having someone go first and address all the IA and tech issues. None of them are show shoppers but together they can derail the effort.