NIST seeks comments on draft cloud guide

May 17, 2011

The National Institute of Standards and Technology is asking for public comments on its latest Cloud Computing Synopsis and Recommendations.

NIST is the government agency responsible for developing cloud standards.

The latest guidance from the agency offers a definition of cloud computing and a look at the differences between public, private, and hybrid clouds. The synopsis also examines the various cloud environments including software-as-a-service, platform-as-a-service, and infrastructure-as-a-service. The guidance also addresses what NIST calls the “open issues” that surround cloud computing including cloud reliability, cloud economics, and cloud security.

In explaining the cloud standards they’ve developed, NIST’s Lee Badger said, “Cloud computing is not a single kind of system. Since cloud computing spans a spectrum of underlying technologies and configuration possibilities, each organization’s requirements call for different cloud technologies and configurations.”

Comments can be sent to NIST via email. NIST is accepting comments until June 13, 2011.


This week in cloud computing

April 17, 2011

Kundra: Agencies on path for transition to cloud

Agencies are on track with their cloud computing strategies. Federal Chief Information Officer Vivek Kundra told those in attendance at the NIST Cloud Computing Forum and Workshop that all agencies have identified the three systems they will move to the cloud as part of the administration’s cloud-first policy. Kundra gave several examples of agencies that are moving full steam ahead. Read more and listen to Kundra’s speech by clicking the link above.

Six-month budget slashes e-gov fund by 76 percent

Among the cuts agreed to by lawmakers and President Obama in the 2011 budget compromise is a dramatic reduction in the administration’s E-Government fund, which pays for open government websites such as Data.gov, the IT Dashboard and USASpending.gov. Federal Chief Information Officer Vivek Kundra testified last week the government has saved $3 billion so far with the use of its 25-point IT restructuring plan. He said the process of adding transparency to IT programs was key to the cost savings the administration has achieved.

Also testifying at the hearing was Dave McClure, associate administrator in the Office of Citizen Services and Innovative Technologies at the General Services Administration. McClure said when GSA begins offering cloud email services under a blanket purchase agreement it estimates it will save agencies as much as 44 percent over their current email costs. Read the full story by clicking the link above.


Cloud-first policy, cloud security top of mind for feds

April 12, 2011

Federal News Radio covered two big stories this week on cloud computing. Check them out!

Cloud computing e-discovery risks a concern
Federal lawyers and record managers are watching closely how the General Services Administration, the Agriculture Department and others move their email and collaboration services to private sector cloud computing providers. Federal News Radio’s Jason Miller says they have questions about accessing data if the government faces a lawsuit.

Kundra details cloud-first success stories
Federal Chief Information Officer Vivek Kundra was on hand at the National Institute of Standards and Technology’s latest Cloud Computing Forum and Workshop. During a Q&A session, Kundra discussed some of the success stories for the Obama administration’s cloud-first policy. Listen to the Q&A by clicking the link above.


Cloud computing progress to be discussed at NIST forum

March 20, 2011

Government and industry leaders are coming together to discuss progress the government has made to advance open standards in interoperability, portability and security in cloud computing.

The National Institute of Standards and Technology will hold its Cloud Computing Forum & Workshop III April 7-8 at the agency’s headquarters in Gaithersburg, Md.

Working groups formed at the second forum held this past November will give updates on their progress. According to NIST the goals of the workshop are to present updates on:

  • the NIST U.S. Government (USG) Cloud Computing Technology Roadmap,
  • the NIST Standards Roadmap and the Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) process,
  • progress by the NIST Cloud Computing Security working group.

Cloud computing business use cases by various government agencies will also be presented as well as the first version of a neutral cloud computing reference architecture and taxonomy.

Federal Chief Information Officer Vivek Kundra and NIST Director Dr. Patrick Gallagher will keynote the event. According to the forum agenda, other keynotes and panelists are still being determined.

Panel topics include:

  • Cloud Computing – Adopters’ Long-term View
  • Can you ever really trust the cloud?
  • Cloud Innovation: Math & Science
  • Cloud Computing Standards Panel – Chicken or Egg?
  • Reference Architecture

Pre-registration is required for the event. Those interested in attending can register online until 5 p.m. March 28.


This week in the cloud

February 13, 2011

NIST cloud guidelines address security, privacy concerns

We told you last week about the two draft cloud documents NIST published. This week, Federal News Radio spoke with NIST computer scientists Lee Badger and Tim Grance about those docs. Federal News Radio host Chris Dorobek also discussed how agencies can take advantage of the costs and efficiencies of moving to the cloud while maintaining security and privacy.

FERC’s Sardar adds citizens’ needs to his tech repertoire

Sanjay Sardar is the deputy chief information officer at the Federal Energy Regulatory Commission. In an interview on Federal News Radio’s Ask the CIO program, Sardar says FERC is testing or considering cloud computing options for email, Web hosting and data storage. Sardar says one of his top priorities this year is to improve the IT mobility of the agency’s employees.

To hear either of these interviews click the links above.

Sneak Preview: Coming up this week on Off the Shelf, Steve Kempf, commissioner of the General Services Administration’s Federal Acquisition Service, discusses cloud computing. The show airs Tuesday at 10:30 a.m.


NIST publishes draft cloud computing standards

February 2, 2011

The National Institute of Standards and Technology published two draft documents on cloud computing today.

The first offers NIST’s definition of cloud computing and the second offers guidelines on security and privacy in cloud computing.

Both documents are open for public comment through February 28, 2011.

NIST also announced the launch of a new Cloud Computing Collaboration website which it says will “enable two-way communication among the cloud community and NIST cloud research working groups.”

Find more on this story at FederalNewsRadio.com.


What is the government’s role in cloud computing?

January 23, 2011

The Commerce Department and the National Institute of Standards and Technology are trying to figure out what the federal government’s role in cloud computing should be. The agencies are hosting a panel discussion Tuesday with industry leaders and experts from academia to discuss this as well as other national needs.

A media advisory from the Commerce Department says, “Achieving national priorities – which include a Smart Grid for electricity distribution, electronic health records, cybersecurity, cloud computing and interoperable emergency communications – depends upon the existence of sound technical standards. The standards being developed through public-private partnerships for these new technology sectors are helping to drive innovation, economic growth and job creation.”

Some of the questions the agencies hope to answer at the event:

  • What is the appropriate role for the federal government in convening industry stakeholders and catalyzing standards development and use?
  • How should the federal government engage in sectors where there is a compelling national interest?
  • How are existing public-private initiatives in standardization working?

U.S. Commerce Secretary Gary Locke, Federal Chief Technology Officer Aneesh Chopra, and NIST Director Patrick Gallagher will all speak at the event.

Confirmed panelists include:

  • Mark Chandler, General Counsel, Cisco
  • Arti Rai, Professor of Law, Duke Law School
  • Geoff Roman, Chief Technology Officer, Motorola Mobility
  • Raj Vaswani, Chief Technology Officer, Silver Spring Networks
  • Stephen Pawlowski, Senior Fellow and General Manager, Central Architecture and Planning, Intel Corp.
  • Ralph Brown, Chief Technology Officer, CableLabs

The event will be held from 9:30 a.m. – 12 p.m., Tuesday, January 25, 2011 at the Department of Commerce.


NIST creates cloud computing test bed

November 7, 2010

Federal News Radio was on hand for the latest NIST Cloud Computing Forum and Workshop where the agency announced it has created a cloud computing test bed named Koala.

Dawn Leaf, NIST’s senior executive for Cloud Computing, told those in attendance the objective of the test bed is to “assess and characterize resource allocation algorithms within a public infrastructure-as-a-service cloud model.” NIST says it hopes to have the first results of the Koala tests by early 2011.

Leaf said agencies are anxious to get cloud guidance as soon as it is available.

Federal Chief Information Officer Vivek Kundra was also on hand. Hear what he had to say about the cloud by listening to the report above by Federal News Radio’s Max Cacas. You can also read more here.


Why federal CIOs, CISOs still have concerns about the cloud

August 19, 2010

Has there been a break in the cloud?

Symantec recently released its 2010 Break in the Clouds Report, which shows that many CIOs and CISOs in the federal government still have real concerns about security.

Ned Miller, director of public sector strategy for Symantec’s public sector market, breaks it down for us today.

NM: The purpose, or intent, of the report was really simply to evaluate where agencies were, or currently are, in their overall cloud strategy, and then evaluate the ones that are early adopters, specifically with any challenges or barriers they’ve had with implementation, and really to focus on their key concerns. That will allow us to position how we can help our government clients going forward.

FCB: And what were some of your key findings?

NM: There were a number of themes that were pretty consistent in terms of the evidence that we collected.

The first area that we were very focused on was just how many agencies had actually implemented cloud, or cloud-based applications, or any platform or infrastructure. We accounted for about 23 percent of the agencies that participated in the survey have actually implemented cloud, and about 35 percent are planning to implement.

A couple other key areas that I think were interesting and noteworthy [are] — the emphasis on private clouds versus public clouds, and where agencies have already adopted some cloud strategies. About 58 percent of agencies are already using a private cloud, or in-house cloud, versus approximately 64 percent of those who are planning . . . to use private or in-house cloud versus using an outsourced cloud model.

FCB: We always, inevitably, come back to the security question. [Your survey] says 89 percent say data protection privacy is their top issue. Can you break down those numbers a little bit for us?

NM: Based, again, on the survey, about 80 percent of the participants came back and responded with that they believe that encryption in the cloud is a key area that needs to be addressed, and approximately 70 percent of them have come back and required data segmentation for the actual data in the cloud itself.

FCB: In terms of where agencies are now in terms of implementing cloud, you’ve got a slide [in the report] that says ‘proceeding with caution’. How does that tie into the security question?

NM: Well, in terms of ‘proceeding with caution’, a number of CIOs and CISOs that I’ve spoken to personally are still moving forward based on the mandates coming from OMB with their implementation of cloud strategies; however, the concerns are still centered mostly around security.

It still comes back to the data itself, protection of that data, and they’re fairly conservative in terms of the implementation approach to date, and therefore they’re really relying on building private clouds and building inside their own infrastructure. So, those are kind of still the key concerns — it really has to do with the data itself and where it resides.

FCB: So, a lot of agencies say they feel safer in these private clouds, rather than public clouds, but according to your survey, almost half who have implemented cloud don’t know if they’ve experienced a breach or an attempted breach. Is this cause for concern? Should we be really worried about this?

NM: We should, and, again, this speaks to the desired end state, which is a clear set of standards to address how to adopt and deploy and implement a secure cloud, which leads to FedRAMP. . . . [It] is really designed to unify cloud computing security standards across the U.S. Government. Obviously, the initiative is managed by the folks up at NIST and Peter Mell, and he has a big task in front of him. We believe that, overall, this attempt to standardize a security model around cloud computing will take some time to evolve, and the biggest challenge we see with it, quite honestly, is not necessarily the adoption of the standards, but how quickly the industry — both the people, the process and the technology — are moving, versus how quickly standards can be adopted.

So, the biggest challenge to the standard, I believe, will be that we’re moving much faster than what standards typically have been able to get out.

FCB: What other barriers — perceived or real — are agencies facing at this point as they’re looking at cloud adoption?

NM: My sense is, at this point, that it’s going to come down to, specifically, expertise on the government agency side in terms of developing a technology strategy to deploy these private clouds.

So, we’re crossing into somewhat uncharted territory where agencies are building, with their own resources and infrastructure, these private clouds without necessarily a lot of strict guidance to any security standards, because they don’t quite exist yet.

So, in their rush to move towards the cloud, and derive the benefits that cloud provides in terms of efficiencies, economies of scale, etc., security often is still one of those scenarios that’s not baked in automatically.

FCB: And, finally, in terms of the ‘what’s next’ aspect of this, I believe you did talk to some agencies that are already implementing or starting to implement cloud computing. What did they tell you? What did you find out from them?

NM: It’s interesting in that, outside of the survey, I personally have been in contact, as I mentioned, with a number of CIOs and CISOs, and on the federal side, there’s a little over a dozen or so agencies that have fairly mature programs. They’ve actually stood up applications, some of which are service-to-citizen applications, the majority of which are still internal.

The notion of cloud computing is really catching on. We’re starting to see a number of agencies really jump towards that. I think in terms of what’s next is — they really need a cloud security strategy, instead of guidance from the authoritative sources, to help them ensure that, as they move forward with the guidelines that have been laid out by the federal budget planning process, [which says that] by September, 2011, any major IT investment acquisition has to provide an alternative analysis of a cloud strategy.

So, in terms of being able to support the mandates coming from OMB, I think the thing that we need the most is clear guidance around standards, and some assurance around the minimum security standards and criteria for both the industry partners [and] the government itself, specifically around data encryption, what the certification and accreditation process is really going to be like, what it means for one agency to approve a certain cloud provider [and] if another one can truly adopt that particular vendor, and then the notion of data segmentation for cloud solutions — whether it’s public or private.


Make decisions before you decide to move to cloud

August 9, 2010

This week, we bring you a special treat — an extended conversation with Mark White, a principal with Deloitte Consulting LLP who works with both the firm’s Federal and Technology practices. He is also the CIO of Deloitte Consulting.

FCB talked with him at length about cloud computing and a variety of issues that are currently facing the industry.

He started by explaining what Deloitte does for the federal government in terms of cloud.

MW: In talking with our federal clients about cloud, there are two or three different stages in which we find ourselves. There’s still the stage of trying to put some structure around what cloud means, how to actually come to a common understanding and an actionable conversation about it. That’s sort of the first [challenge] — understanding structure frameworks that allow a common basis of understanding and definition and that can allow you to have conversations and make plans that lead to a decisive outcome.

That, a year ago, was sort of the most common part of it. Now, with all of the attention that’s been spent and all of the time that’s been spent, that, while it still goes on, is probably not the most significant part.

The next phase, if you will — or generation of it — is in analyzing strategies and evaluating and helping make plans — plans to do analysis, plans to adopt, in certain cases, plans to expand — that is becoming the most common of the three phases of the understanding, planning — and then the third phase, which is going to be actual implementation. That is the third phase — implementation of certain aspects.

It’s interesting. One of the points — and, in fact, one of our fundamental planks in the platform about cloud is that it’s technologically evolutionary. The impact on the mission can be revolutionary. So, when I say implementation is beginning to be an area in which we work more with our federal clients, that’s speaking specifically to those things that were originally described as so called ‘cloud’.

When I think about the fact that the technology aspects of cloud are essentially evolutionary in nature, they’re the next logical generation of the technologies and techniques and methods and disciplines we’ve been applying for data center consolidation, virtualization and operations automation.

So, having said that, we have been — and continue — to help our clients with implementation of those technology disciplines and capabilities and tools. It’s those that would, out of the box or from the get-go, have described it as a cloud implementation. That actually is beginning to increase.

FCB: With all of these changes happening — and I know different organizations sometimes have different definitions for cloud — but going based on what you just told me, what are you doing in terms of security. When I talk to agencies themselves, they say, ‘We’re really excited to take this next step, but we’ve got all this data that we don’t want getting out there.’ Talk a little bit about the security aspect and maybe alleviate some of those concerns.

MW: In order to have a common definition of cloud, there are two steps to set the table, if you will. The first step is — what are the characteristics of the mission problem that you’re trying to solve, or perhaps the technology solution you’re proposing? And do those characteristics imply or outline a cloud solution?

We use the five characteristics that NIST has put forward, and if you look around, you’ll see slight variations on a theme, but I think those are perfectly reasonable. . . . So, if your mission problem or your technology solution embodies or implies or needs all five of those, clearly we need to have a conversation about cloud. If it requires fewer than five — maybe three — then perhaps we ought to talk about a more mature technology — utility computing or managed services or even plain old outsourcing.

That’s the first part of having a cloud conversation — what are the characteristics of the problem or solution?

The second part of having a cloud conversation is three dimensions of the answer. The first dimension is the capability, or what kind of cloud: infrastructure-as-a-service, platform-as-a-service, software-as-a-service, or business process-as-a-service. The second is, what source? Is it a public cloud? A private cloud? A hybrid cloud? A community cloud, which actually obviously GSA defined in that RFI coming up on two years ago now. . . . And then the third, and this may not be quite as familiar because it doesn’t get talked about as much, but we think it’s really important, is — what is the business model?

There are four layers. Layer one is — the business model is, ‘I want to be a cloud service subscriber’. Layer three is, ‘I want to be a cloud service provider. I want to make money by providing cloud services in the marketplace’. Layer four is, ‘I want to be a cloud service enabler. I produce technologies or skills or capabilities that allow the cloud service providers to do their job’. And then layer two is a cloud service broker.

So, dimensioning a cloud conversation first — what are the five characteristics and do you really need cloud? Then, the three dimensions — what kind of service, what source of service and what business model? And, if you will tell me what we’re talking about, then we can have an actionable conversation — we can conclude with action. So, you might say to me, ‘I want to be a subscriber of a public cloud infrastructure,’ at which point we can have a very meaningful conversation about the obstacles and the enablers and the challenges and the benefits, one of which, obstacles, by the way, is the security and private data security and privacy issue.

Coming up — details about privacy!