Cloud, cloud, everywhere there’s cloud

Wow. So much news about cloud, so little time. Good thing we have this blog, right?

Federal News Radio was busy covering news about cloud computing this week. We’ve gathered all of those stories here for easy access.

• Army weeks away from enterprise e-mail rollout
  The Army will begin migrating employees to its new cloud-based e-mail system starting February 15. Federal News Radio reporter Jared Serbu reports testing for the Army’s new e-mail is almost complete. The Army expects the change will mean a significant savings in software licensing.

• Behind the USDA cloud
  The cloud services offered by the U.S. Department of Agriculture have become quite popular among other federal agencies. Federal Tech Talk host John Gilroy talks with Jim Stevens, Acting Deputy Chief Information Officer for Business, Finance and Security about what the agency offers and how your agency can compare security of the various cloud options out there.

• Exclusive: OMB uses budget to set cyber guidelines
  The administration’s recently announced cloud-first policy was one of several governmentwide provisions specifically mentioned in the annual IT budget passback guidance. In his exclusive report, Federal News Radio reporter Jason Miller says the “guidance also instructs agencies to consider the technologies that have been approved under the FEDRamp process.”

• Microsoft announces new cloud computing option
  Microsoft has made its customer-relationship management application available online. The cloud version will be available worldwide beginning Feb. 28, 2011.

• What will the Google bid protest mean for cloud?
  Off the Shelf host Roger Waldron talks with David Dowd, partner at Mayer Brown, about the Google/Microsoft/Interior Department cloud decision recently handed down. The Interior Department had been ordered to stay an award to Microsoft after a judge ruled it violated the Competition in Contracting Act and rules in the Federal Acquisition Regulations. Waldron and Dowd discuss the potential implications for agency requirements development and acquisition planning.

Microsoft gets FISMA certification

Google will soon be fighting for room on the cloud with rival Microsoft.

Microsoft recently received Federal Information Security Management Act certification for cloud computing data centers — about five months after Google gained approval.

“Meeting the requirements of FISMA is an important security requirement for U.S. Federal agencies,” Microsoft’s Senior Director of Risk and Compliance Mark Estberg wrote in a Dec. 2 Global Foundation Services blog post.

However, Microsoft’s hosted Exchange and Online services are still in the process of getting approved for FISMA certification.

Microsoft recently reworked its cloud services and renamed it “Office 365.” Office 365 is currently in beta form and includes Microsoft Office, SharePoint, Exchange, Lync Online and other services. Office 365 will be available beginning in the first half of next year.

And while Microsoft was celebrating its approval, the General Services Administration announced plans to become the first federal agency to move its email and collaboration tools to Google’s cloud-based service, Google Apps.

Microsoft said it was “disappointed” with the GSA’s selection.

“While we are disappointed we will not have the opportunity to meet the GSA’s internal messaging needs, we will continue to serve its productivity needs through the familiar experience of Microsoft Office and we look forward to understanding more about GSA’s selection criteria – especially around security and architecture,” Micrsoft wrote on its Why Microsoft blog.

Cloud lovers converge at ‘Cloudstock’

What do you call hundreds of cloud developers stuck in a room together? Why, Cloudstock, of course.

A cloud computing technical conference – dubbed by some as “The Woodstock for Cloud Developers” took place in San Francisco this week.

Its mission was to “bring the top cloud developers and the top cloud technologies together under one roof, to learn from each other, collaborate, innovate, and drive the future of cloud computing,” according to the Cloudstock website.

The free conference sold out and featured 67 sessions, ranging from everything from understanding API activity to making money with Saas to the future of app deployment to business payments on the cloud.

Organizers live blogged throughout the day and had Tweets automatically filtering in on their site with the hashtag “cloudstock.” Cloudstock also had several demo stations, which highlighted some of the latest cloud technologies in action.

Another unique aspect of the conference was “The Cloudstock Hackathon,” which challenged developers to use their coding skills against one another and create solutions to bridge clouds.

The conference was hosted by force.com and Cloudstock partners included Google, Amazon web services, eBay, Yahoo, LinkedIn, Adobe and Paypal. Microsoft and its cloud computing services were noticeably absent from the conference.

Google Files Suit Against Interior Department



Google has filed a lawsuit against the Interior Department in an attempt to prevent the agency from going ahead with bid requests to host a cloud-based electronic messaging system.

According to a lawsuit filed in U.S. Court of Federal Claims, Google says they met with Interior Department officials on several occasions asking them to consider them and their “cost saving benefits” and assure them that Google’s applications could care for the agency’s needs.

Google maintains that the Interior Department’s request for quotations was written to prevent the company from competing because it required the system to include the Microsoft Business Productivity Online Suite.

In April of 2010 – after a year of communicating with the Interior Department about competing for the contract – Google says they were informed by Interior Department Chief Technology Officer William Corrington that a “path forward had already been chosen” for the service, and that there was no opportunity for Google to compete because it did not comply with Interior Department security requirements, according to the lawsuit.

The contract is estimated to pay $59 million over five years.

Google filed the lawsuit with its partner Onix Networking on Oct. 29.

According to the Wall Street Journal, Google and Microsoft are also competing for a contract to consolidate and modernize email at the General Services Administration.

NOAA pilots cloud solutions

Today, the FCB hears from Joe Klimavicz, chief information officer and director of high performance computing and communications at NOAA.

He tells us about some pilot programs they’re running in order to see if cloud is the correct solution for them.

“It’s a great, flexible, open environment allowing access and interoperability between the different environments, and [could reduce the] complexity and maintenance of our environment. I think that we’re helping a lot of organizations go through the FISMA certification and accreditation. So, I think that cloud computing is coming into its own.

We’ve run pilots with Google Apps, and also Microsoft’s BPOS — their Business Productivity Online Suite. We also have a pilot with Everbridge, the emergency notification system — and [we are] trying to make sure that during an emergency we can reach all of our employees. As scattered about the country as we are [with] a lot of planes and ships and remote [locations], that’s a challenge, but we think that that’s the way to go there.

Also, we’ve been working with GSA on the certification and accreditation, so we’re following what’s going on there. That’s been a big hurdle, I think, [but] it’s coming about. We understand where we need to be from a security perspective.

I also think that service level agreements that include exit strategies — I think everyone understands that once you get into the cloud, you need to make sure that you can get out or change your business model if that is necessary.

So, to me this makes sense. The technology is there. . . . [Our work] is all characterized as pilots. We’ve got a lot of innovative and creative folks at NOAA that tend to want to use state of the art technologies, and I don’t try to discourage that at all.

I think what we need to do is take advantage of all this technology and look at [it], and then it’s my job to sort through all the emerging technologies [and decide] which ones are real, [and] which ones can be supported in the long term to best meet our mission requirements.”

Hear more of Joe Klimavicz’s interview on Ask the CIO.

Comparing cloud use in the U.S. and Europe

Who’s using cloud more — the U.S. or Europe? What are the biggest concerns when it comes to security on both sides of the Atlantic? Should you be developing a cloud strategy now, or should you wait until next year?

These are some of the questions that the Ponemon Institute and CA Technologies posed in a recent survey of IT professionals.

Today we talk with Larry Ponemon, chairman and founder of the Ponemon Institute, and Lena Leverti, vice president of products at CA Technologies, who explain their results for us.

LP: In our experience, there are a whole bunch of interesting security topics, but what seems to rise to the top of the security heap in terms of risk and potential problems is, in fact, the cloud computing environment, which is very quickly becoming the standard for organizations — not just small and medium sized companies — but much, much larger companies, as well.

LL: One of the key things is that, as companies start adopting cloud, they’re basically giving up some of the control that they have. When they technology is within their own organization, they control it directly, so one of the biggest hurdles that’s viewed around cloud adoption is definitely security.

FCB: Who did you survey and why did you pick that group or groups?

LP: Well, the appropriate groups for this study are folks in the IT community and, more specifically, people who know something about information security. When you do a study like this, you quickly find that people wear many hats, and so many of the respondents were IT practitioners, but every respondent at least touched some aspect of information security, including network security systems, and a whole bunch of other related areas of expertise. This study is not just the U.S. only; [it] was also conducted in tandem with a group of practitioners in Europe, as well. I think that actually generated some interesting differences between the two groups.

LL: There were about 600 folks that responded to the survey.

FCB: What were some of the key findings?

LP: Probably one of the most interesting and important findings is that the respondents — these IT practitioners in both the U.S. and Europe — basically don’t have confidence that their organization has the ability to secure data and applications that are presently deployed to the cloud. So, they basically see some very significant security risks that exist today and maybe loom large on the horizon. We also found that IT practitioners in the U.S. and Europe hold relatively similar views on the reasons why cloud computing is so fashionable and so popular and so important, because it’s really about cost savings, and it’s also about speed to deploying new applications. So, even though we may say, ‘gosh, there’s a huge security risk,’ the reality is that cost and speed to deployment are probably much more important to end users.

LL: And one of the biggest challenges that came out in the survey results was that half of the respondents basically said that they’re not aware of all of the computing resources deployed via the cloud in their organization today. So, if you’re not aware of it, you really can’t secure it.

FCB: One of the things that I noticed first and foremost is the fact that you define cloud computing. When you were talking to people in the U.S. and Europe, did you notice that there was maybe a difference in the definition of cloud computing?

LP: We expected that there would be differences, and, in fact, the perception of cloud computing and what a cloud computing environment is was pretty consistent — more consistent than our . . . expectation. But I will say that, in both the U.S. and Europe, there’s confusion about private clouds and what these really mean. Is a private cloud a more secure version of a public cloud? Or, is it just simply on-premise computing where you’re using extensive virtualization? So, if there is any confusion in the marketplace, it’s probably around the private cloud environment. But, public clouds are generally well understood and the definitions are generally agreed upon.

FCB: Speaking of differences across the pond, did you find any differences between who’s using cloud in the U.S. versus who’s using cloud in Europe, especially in terms of government entities?

LL: We did. Some of the [respondents] are, in fact from the public sector and public organizations, and it is clear that public sector organizations are using cloud computing resources, perhaps not to the same extent as commercial organizations, but definitely the trend is that the government is, in fact, a very large — and potentially larger — user of cloud computing resources, because obviously it’s about cost, and governments . . . are trying to control them. One way to do that is to make sure that [they are] using the most efficient technology. But, it does create that security risk. We did see some differences in the rates of deployment between the U.S. and Europe and, in fact, the rates of deployment in the U.S. are higher than Europe, generally speaking. That’s not just for software-as-a-service, but it’s also for platform services and infrastructure services.

FCB: Did you find any causation — why that might be — or did you just look at the numbers in terms of use.

LP: We tried to figure out why there were some differences between U.S. and European companies in terms of their deployment patterns. We think that, in the U.S., probably, cloud computing is just slightly more popular, and some of the providers — especially software-as-a-service — the big providers like Amazon, Google and SalesForce.com — they probably have a larger base of customers in the U.S. But, I think that difference is small and will probably be non-existent within the next 18 to 24 months.

FCB: Let’s talk a little bit more about security, because I noticed that you not only talked about cloud security and public cloud versus private cloud, but the responsibility for security — did you find any differences between who’s responsible for IT security in a U.S. organization versus in Europe? Or, is it kind of the same?

LL: With regards to the study results, it’s definitely shared, and the reality is, it has to be shared. Basically, when you look at the responsibilities for this type of an environment, there’s the provider themselves that has some level of responsibility and accountability, [and] the owner of the information is going to be held accountable regardless of any SLA in any type of agreement with the provider. At the end of the day, if a credit card provider puts their data in the hands of a partner, they’re still going to be held accountable, and history shows that’s definitely happened. So, the shared responsibility with IT, with the security folks, as well as the business line owner, which I think was a definite key finding in the study itself. The business owner also has a stake in this — and then, of course, the cloud provider.

FCB: What’s next? Is a report coming coming out of this study? What should we take from all of this data that you’ve put together?

LL: The study that we did was two-fold: it was for the consumers of cloud services, as well as the providers of cloud services. So, the study that we released was the first portion of that — for the consumers. We’ll be releasing the results of the study from the providers’ perspective, and then identifying some of the contrasts and so forth between the two.

FCB: Any wrap-up comments?

LP: We actually do believe that this issue of cloud computing from a security perspective is certainly not going away. The good news is that there are security technologies that are being developed and deployed that do reduce risk pretty substantially, caused by the change from on premises to cloud computing environments. So, it’s not all that bleak. There may be solutions in the future that will make that risk really negligible.

LL: Cloud security is definitely one of the areas that is viewed as high priority and, today, is viewed as a high risk area. I believe that technologies over the next year or so will definitely close the gaps [and] reduce the risks. One of the key things that organizations can do today and agencies can do today is clearly define a cloud security policy, whether it’s part of the security policy, I think it’s very important to just specify, from a cloud perspective, whether this policy applies in full or — here are the additional requirements and mandates for cloud security. That will help close that gap faster and reduce the risk significantly — just by creating awareness.

Friday cloud news round up

This week on the Friday cloud news round up:

• You don’t need a cloud strategy. Randy Heffner, vice president and principal analyst at Forrester Research blogs about this in PC World. He argues that cloud might be important in the future, but creating a “cloud strategy” might not be necessary. He says CIOs should focus on business strategy, not IT strategy, and cloud should be just one part of an overall model.
• Cloud is making a difference, albeit a small one. The largest representation of mini-cloud computing is small- and mid-sized businesses using commercial versions of Google Mail, Google Apps and other ad hoc or low-cost cloud-based applications. That according to an interview in NetworldWorld, which says that cloud’s greatest impact so far has been in focused, often small projects.
• And, should cloud computing be more regulated? Internet.com reports that IT research firm Ovum recently wrote a report about why there needs to be rules that govern cloud. It says that, “the benefits of the cloud — lower costs, a smaller data-center footprint and immediate access to multiple applications for a distributed, international workforce with minimal fuss — are also some things that can expose companies to degrees of risk.”

  Check back next week when we talk with Terremark and much more!

NASA JPL develops own cloud ‘brokering’ system

And now we wrap up our conversation about NASA’s JPL moving toward cloud computing.

In our final segment with guests Tom Soderstrom, IT CTO at NASA JPL and Khawaja Shams, senior solution architect at NASA JPL, they give us their final thoughts on the benefits of cloud.

TS: I would say there’s a couple of [benefits]. One is, in our industry we look at something we call the technology readiness level. It starts very early with an abstract idea — level 1 — and then when it’s operational, it becomes level 9. Now . . . we’re thinking about the cloud readiness level, so we’re getting JPL up the curve on this cloud readiness level, and we [had] a JPL cloud day — the first in a series. . . . Our overall goal is to run an application and the storage and the computing wherever it’s most appropriate.

So, the cloud for us gives us a new avenue, a new tier of options.

We’ll have our internal data centers with private clouds, we’ll use [a] community cloud . . . and then the ultimate goal is to [use] a public cloud. We have data in Amazon and Microsoft. We also have data in Google’s cloud.

To do that, we need some kind of cloud brokering, and we went out to industry and tried to buy it, frankly, but it doesn’t exist yet, so we’re creating it. We call it the Cloud Application Suitability Matrix — CASM — and that’s the set of questions that gives a score and assesses in which cloud this particular application is the most suitable to run. We think that’s going to be a big trend — this cloud brokering, if you will.

The partnering part, I can’t stress enough, how important it is for all of us in government and the private sector to just get started — to try it — because you learn a lot.

One unanticipated consequence is, of course, there’s a lot of excitement about the cloud, so you’re making connections and you’re making partnerships that otherwise would have taken a lot longer. We have very good relationships with lots of vendors and agencies.

The last piece, I would say, is . . . the CIO at JPL came up with this idea of replacing the procurement screen with a provisioning screen. That kind of says it all. We’re trying to give self-service to the users of IT so that they can get the computing they need when they need it, and turn it off when they need it, so we can spend less money on IT and more money on science.

The whole effort is to keep it real, and we did that from the very beginning and it’s proven very effective. It’s not an IT benefit, it’s a business of the institution benefit.

KS: One thing I’d like to add is, I know that a lot of institutions are very wary of security.

At JPL, instead of stopping to use the cloud because of security problems, we are trying to address the security problems and trying to create best practices and secure ways ot use the cloud without actually compromising the privacy or integrity of our data.

Our admission developers are working very closely with our office of the CIO and the IT security teams to make sure that we can leverage the benfits of the cloud without compromising our security.

TS: We think that the cloud could be more secure than what we do today, because it becomes, in many ways, more uniform so you can react to threats much more quickly and you can segment off things like denial of service attacks and keep going in a different part of the cloud. We have worked very closely with key vendors and cloud security teams . . . and the biggest obstacle, I would say, is going to come from the auditing function.

The auditing function needs to figure out how an application that used to run on one server in one data center now could [run] on multiple servers in multiple data centers. How do you audit that to make sure it’s secure? Until we can do that, we probably can’t go live with anything substantial.

So we’re working very closely with vendors and the auditors to facilitate that, be an early explorer and help industry in that area.

Friday Cloud News Round Up

Welcome to another edition of the Friday Cloud News Round Up!

Today:

• Standards are the next step when it comes to moving your agency into the cloud. That’s according to Federal CIO Vivek Kundra, who says that standards for security, interoperability and data portability are needed in order to move forward. NextGov reports that the White House will soon begin consolidating data centers in the first of one of numerous “game changing approaches” that will help agencies move into the cloud.
• VMWare and Google are teaming up in the cloud. They’re going to do research on “multiple fronts”, including software and app development. BusinessTimes reports that the project will support systems that aren’t proprietary.

• Facebook isn’t just for kids anymore. There are lessons for managers to learn. A recent article in PCWorld discusses some privacy issues that have cropped up with the social networking site lately, and cloud providers can take this situation to heart. Are you making the same mistakes as Facebook when it comes to your client’s information? Read more to find out!

NASA examines the move to the cloud; Vint Cerf speaks on standards

NASA has a new CIO, and she, like many federal CIOs, is looking at whether or not cloud computing would be a good fit at her agency.

Linda Cureton recently spoke on Federal News Radio’s Daily Debrief about a variety of topics, and now Fed Cloud Blog brings you her thoughts on looking at the cloud.

“The thing that we need to look at is — what needs to happen with the survey. It could be that the server is just fine where it is. It could be that, or it could be — that server is putting out a lot of heat and using a lot of energy — there’s a more cost effective way to do that. So, if we’re going to, say, take someone’s server away, what are we going to give them? We talk about taking things away, but we need to talk about what you get [from] it. Cloud computing is not a silver bullet, but in many respects it can give that person that’s hogging the server a whole lot more capabilities than they would have if they just had the thing heating their feet under their desk. So, sometimes it makes sense to go status quo, and sometimes and end user — a customer — can get a whole lot more from exploiting technologies like cloud. What we have to do is understand what that is and have a strategy about exploiting it.”

And . . . What do 2010 and 1973 have in common?

Standards!

On this week’s Federal Tech Talk, host John Gilroy talks about the emerging cloud standards with Vint Cerf of Google. He explains that, back in 1973, networking standards were emerging — and many lessons about cloud standards can be learned by comparing and contrasting.

Listen to the whole show and get the low-down from the “father of the Internet”!