Are community clouds nothing new?

August 13, 2010

Today we bring you the final part of our three-part discussion with Mark White, a principal with Deloitte Consulting LLP who works with both the firm’s Federal and Technology practices and is CIO of Deloitte Consulting.

Today we continue our discussion of the potential benefits of community clouds, and delve into the security issues that could affect them.

White starts off by explaining that we’ve been down this road of ‘community’ before.

“One of the examples we would see would be trading networks, and I’m not talking about banking ETNs — electronic trading networks — I’m talking about actual trading networks, like the tier 1 auto providers, and they’re surrounded by tier 2 suppliers who are surrounded by tier 3 suppliers and they actually ended up in this sort of highly networked hub-and-spoke system. They actually were a trading community — I’m not going to say cloud, but I’ll say trading community — that formed around that big hub that was the victory auto manufacturer.

So, in these community clouds, what we might see is some big player forming the hub, and then at one removed — tier 2 — and then second removed — tier 3 players coming into that network and forming that web that’s anchored by that hub. That’s one way they could do it.

The punch line on this is that the federal government as an enterprise has the scale. It may not be practical to expect all of the federal government to come together into a community cloud. Let’s say that sort of the minimum would be defense and civilian. Practically speaking, I would get a defense community — and Intel community — and a civilian community cloud. Now, if you look at what [Vivek] Kundra is writing and putting forward and the positions he’s taking, I believe that’s very much in line with the idea that he’s putting forward.

So, in one of those, and DoD would be very interesting because obviously there’s the Department and then the branches of service and then all of the service agencies. That’s kind of a natural hub — [with a] tier 1 and tier 2. One could imagine, for example, the Gigabyte Information Grid is the kind of service around which they might form a community. So, that’s an example of something that has a command and control for which there could be a centralized hub and a clear tier 2/tier 3 where there could be a common trust basis for the community, etc.

The second way that we saw those things form back in the past, and think about — again — trading communities. [It] was along a value chain, or a supply chain. So, rather than a hub with tier 2 and tier 3 surrounding them, what you had was this chain that went from the beginning of a value proposition to the end [or] the beginning of a mission objective to the sort of ultimate mission objective. Along that value chain, people sort of talk up the chain and down the chain. [When] everybody does that, suddenly you have this very linked chain. We saw that, for example, in retail apparel. Those are very linked value chains, from the textile manufacturer to the retailer and all the cut and sew and everything in between. Then, after they got this linear chain linked up, over time as it matured, it began to actually look more like a little bit of a network, not just linear.

That’s the other way this could form within the federal government — we’ll find a chain of mission. Again, I’m making these examples up, but [if] you think about the whole immigration and customs [situation]. You’ve got Customs and Border Protection and Immigration, Customs Enforcement and [Citizenship and Immigration Services] — they’re within DHS. So, CBP, ICE and CIS — and then maybe the State Department — if you think of that as a value chain along immigration and the ability for them to create links. . . . That would be a very natural set of trust zones that they could create and create this community that would then find expression in, undoubtedly in the rest of the federal law enforcement [community], if not state and local and tribal law enforcement.

That’s the idea of the emergence of community clouds — two ways that they could emerge: around a hub and around a value chain; examples in the federal government that are very prospective at this point, but one can hope; and then the punchline is, even if I just say Defense, Intelligence and civilian. . . . Those represent enough critical mass that they could achieve the economies of scale so that the cost per machine image or the cost per gigabyte of storage become competitive with public services, which then removes the last issue or objection around security and privacy, because now I’m back within the single trust zone.”


The potential of the community cloud

August 11, 2010

Today we bring you the second part of our three-part discussion with Mark White, a principal with Deloitte Consulting LLP who works with both the firm’s Federal and Technology practices and is CIO of Deloitte Consulting.

We continue our discussion about security in the cloud.

Public v. Private: Not always all that different

“If the conversation is about the use of public cloud, then the issues of security and privacy are potentially different from just internal or on premise IT. The point that we would make is that they are really mostly different in scale, not in kind. That is to say, they’re the same sorts of security issues or privacy issues that I would face with an internal system, I’m just facing them in a slightly different — in fact, potentially profoundly different — scale that is the public cloud. If that’s the case, then the same disciplines and techniques and tools that I’m using to solve those problems in my internal system are the same sorts that I’ll use to solve them in public cloud implementations. We are underway now to prove those at cloud scale.

The claim would be that the difference between public cloud and a private cloud, or just a plain old in-house IT, is one more of scale than of kind with regards to security and privacy. There is one caveat to that that I would raise as a particular exception, which is the cardinality of the connection. By that I mean, how many different people can add information and access information? For those public cloud services . . . that are essentially retail in nature — so I’m reaching out to the constituency . . . [and] have a lot of consumer users — there’s an interesting difference. It is unusual for me to have an internal system with a lot of consumer users that is not already a demilitarized zone or a more secured part of my infrastructure.

So, that is one difference in kind that does require some thinking — what are our clients doing? The first thing is that we’re seeing very cautious adoption of public cloud by the federal user. Obviously, apps.gov is a great start on that. You’ll note that the majority of those [apps] are at the edge of the mission, so they’re a little bit safer because they’re not at the core of a mission, though I would argue that email or messaging technologies might be a little more core than we otherwise might think. . . . The adoption of public cloud by the federal user is relatively cautious and, for the most part, at the edge of the back office, not the core ERP, not the core mission information technology. There are exceptions that can be found in multiple cases but, for the most part, that’s true.

I believe that our federal clients are much more interested in private cloud possibilities. That is to say, to use the disciplines of virtualization, automation, IT services management to drive efficiency and effectiveness in their internal capabilities — so internal cloud, private cloud. That’s actually well and good, because that literally is taking the disciplines and the good stewardship that have been going on [with] data center consolidation, server virtualization, storage optimization, operations automation — that’s just taking that to the next level and presenting it to the mission user as a service catalogue that can be subscribed effectively.

That’s great. It gets you good efficiency. It gets you good effectiveness, because it changes you to an IT services management shop. It avoids the security and privacy risks issues, because it keeps everything inside the trust zone. . . . What it doesn’t get is the economies of scale that public cloud offers. There are very few enterprises in the world that run enough machine images to get to the cost per machine image that an Amazon web service can get to, just as an example. But that may not be the important thing. The efficiency and the effectiveness may be valuable, and, in fact, they are. We’re seeing that close look at private cloud as a way that they are moving forward.

The potential of community clouds

So, now I’m speculating. Now I’ve moved from the realm of things that we can actually point to examples of and [see] momentum around, to things that I believe there is momentum toward. And this is the idea of the community cloud.

Again, as originally described by the GSA in the request for information they sent out, [which was] easily 18 months ago, if not two years ago. The way I characterize that is, a set of people with private cloud capabilities, discover others — other entities, other missions, other agencies — that have a sharable trust. So, we don’t have exactly the same trust zone, but we have a sharable trust — something that’s a common basis of a trust — that would allow us to club together, to assemble ourselves together. There are two or three reasons that might occur: one is in pursuit of a common mission. [For example], the federal, state, local and tribal mission around law enforcement.

A second reason that could happen is — if you think about it — if I am a private service provider of private cloud SaaS, there must be a subscriber of cloud services that is also in the enterprise. So, I have this service catalogue that I’ve created and my users are subscribing these services and doing good things, and what we find out is that some of their counterparts in the mission . . . they are connecting operationally with others outside of my department or agency, and those others come back and say, ‘hey, could I subscribe those same services?’ So, an example of that is alerts and warnings. This idea of developing an alerts and warnings system for, for example, a natural disaster or other security event. A particular department or agency mission could have created one [and] by definition it’s subscribable by outside parties, so why wouldn’t we allow our partners in another department to subscribe that same service.

That goes on all the time now, it’s just done under inter-agency agreements. What we believe is, as agency ‘A’ — who has the alerts and warnings solution — and agency ‘B’ — with whom they work regularly and would like to subscribe it — as those two agencies themselves are offering private clouds, when they begin to do those exchanges, they’ll do them as cloud services. So, you’ll discover that I have services you’d like to subscribe, I’ll discover you have services I’d like to subscribe [and] suddenly we’re in community cloud.”

Next: Advice about letting go of all the control.


Make decisions before you decide to move to cloud

August 9, 2010

This week, we bring you a special treat — an extended conversation with Mark White, a principal with Deloitte Consulting LLP who works with both the firm’s Federal and Technology practices. He is also the CIO of Deloitte Consulting.

FCB talked with him at length about cloud computing and a variety of issues that are currently facing the industry.

He started by explaining what Deloitte does for the federal government in terms of cloud.

MW: In talking with our federal clients about cloud, there are two or three different stages in which we find ourselves. There’s still the stage of trying to put some structure around what cloud means, how to actually come to a common understanding and an actionable conversation about it. That’s sort of the first [challenge] — understanding structure frameworks that allow a common basis of understanding and definition and that can allow you to have conversations and make plans that lead to a decisive outcome.

That, a year ago, was sort of the most common part of it. Now, with all of the attention that’s been spent and all of the time that’s been spent, that, while it still goes on, is probably not the most significant part.

The next phase, if you will — or generation of it — is in analyzing strategies and evaluating and helping make plans — plans to do analysis, plans to adopt, in certain cases, plans to expand — that is becoming the most common of the three phases of the understanding, planning — and then the third phase, which is going to be actual implementation. That is the third phase — implementation of certain aspects.

It’s interesting. One of the points — and, in fact, one of our fundamental planks in the platform about cloud is that it’s technologically evolutionary. The impact on the mission can be revolutionary. So, when I say implementation is beginning to be an area in which we work more with our federal clients, that’s speaking specifically to those things that were originally described as so-called ‘cloud’.

When I think about the fact that the technology aspects of cloud are essentially evolutionary in nature, they’re the next logical generation of the technologies and techniques and methods and disciplines we’ve been applying for data center consolidation, virtualization and operations automation.

So, having said that, we have been — and continue — to help our clients with implementation of those technology disciplines and capabilities and tools. It’s those that would, out of the box or from the get-go, have described it as a cloud implementation. That actually is beginning to increase.

FCB: With all of these changes happening — and I know different organizations sometimes have different definitions for cloud — but going based on what you just told me, what are you doing in terms of security? When I talk to agencies themselves, they say, ‘We’re really excited to take this next step, but we’ve got all this data that we don’t want getting out there.’ Talk a little bit about the security aspect and maybe alleviate some of those concerns.

MW: In order to have a common definition of cloud, there are two steps to set the table, if you will. The first step is — what are the characteristics of the mission problem that you’re trying to solve, or perhaps the technology solution you’re proposing? And do those characteristics imply or outline a cloud solution?

We use the five characteristics that NIST has put forward, and if you look around, you’ll see slight variations on a theme, but I think those are perfectly reasonable. . . . So, if your mission problem or your technology solution embodies or implies or needs all five of those, clearly we need to have a conversation about cloud. If it requires fewer than five — maybe three — then perhaps we ought to talk about a more mature technology — utility computing or managed services or even plain old outsourcing.

That’s the first part of having a cloud conversation — what are the characteristics of the problem or solution?

The second part of having a cloud conversation is three dimensions of the answer. The first dimension is the capability, or what kind of cloud: infrastructure-as-a-service, platform-as-a-service, software-as-a-service, or business process-as-a-service. The second is, what source? Is it a public cloud? A private cloud? A hybrid cloud? A community cloud, which actually obviously GSA defined in that RFI coming up on two years ago now. . . . And then the third, and this may not be quite as familiar because it doesn’t get talked about as much, but we think it’s really important, is — what is the business model?

There are four layers. Layer one is — the business model is, ‘I want to be a cloud service subscriber’. Layer three is, ‘I want to be a cloud service provider. I want to make money by providing cloud services in the marketplace’. Layer four is, ‘I want to be a cloud service enabler. I produce technologies or skills or capabilities that allow the cloud service providers to do their job’. And then layer two is a cloud service broker.

So, dimensioning a cloud conversation first — what are the five characteristics and do you really need cloud? Then, the three dimensions — what kind of service, what source of service and what business model? And, if you will tell me what we’re talking about, then we can have an actionable conversation — we can conclude with action. So, you might say to me, ‘I want to be a subscriber of a public cloud infrastructure,’ at which point we can have a very meaningful conversation about the obstacles and the enablers and the challenges and the benefits, one of which, obstacles, by the way, is the security and private data security and privacy issue.

Coming up — details about privacy!