Cloud computing began to take center stage in the federal IT community during the last few months of 2010. And Ed Meagher thinks that trend will continue in 2011. Meagher is the former deputy chief information officer at the Veterans Affairs Department and the Interior Department. He’s now vice president of health care strategy at CSC.
He also tells Federal News Radio he thinks cloud computing will be a game changer in the years ahead.
“People have heard cloud computing for years, and now all of a sudden this is money,” Meagher said.
Multiple agencies made a serious push toward cloud computing this year including USDA, GSA, and the Treasury Department. USDA and GSA both announced plans to move their email to the cloud while Treasury moved its website, Treasury.gov, completely into the cloud. It’s the first cabinet-level agency to do so. At the same time, the White House announced a cloud-first policy for agencies.
But security issues remain a big concern for agencies. CSO Online recently listed five cloud security issues it sees for 2011, including the increased use of smart phones to access data, the need for better access control, compliance concerns, the risk of multiple cloud tenants, and the emergence of cloud standards.
VA is one of the agencies struggling with cloud security issues. Roger Baker, the agency’s CIO, fully admits that he must find a way to strike the proper balance between use and security because there is a growing call for cloud-based tools.
“The government by itself can’t keep up with Yahoo!, Google, Apple and others who are creating great applications for medical usage. We have to figure out how to embrace those and at the same time ensure that we are providing privacy and health information protections that we are committed to doing. These are great tools for patient care, and right now my position as the CIO has to be ‘you can’t use them.'”
Baker said he is looking into how to make that balance work but still has not found the right solution to this problem.
Hear the second part of our interview with David Chen.
Today we continue our chat with David Chen, lead of the technology consulting practice for Accenture Health and Public Service.
Security in the cloud: Risks and benefits
Security is definitely a very valid concern.
If you look at how companies are able to offer some of the economies of the cloud is because they have shared infrastructure and they’re able to leverage unused compute power in one are to another application and move that around.
By the nature of things being shared, that poses a security concern, especially in the federal government, where there’s sensitive and classified information — and there’s also the need for certifications and accreditations of certain environments.
So, the first message there is to be conscious of that. I think IT managers need to choose very carefully what applications are appropriate to host on the cloud, given the current state.
Then, the third thing you’ll see is a lot of the cloud providers are working toward a hybrid model, where they will have computing infrastructure dedicated toward one agency or one organization and have a cloud within that.
Now, you won’t get quite the same economies when you do that.
We also see a lot of agencies starting to implement private clouds, where they use a lot of the same technologies internally and get some of the same advantages to address some of those security concerns.
I would say, though, also, on the flip side, the cloud can actually give you some benefits with security.
One is that you keep some of your applications that might be more public facing away from from your highly sensitized internal applications.
So, somebody breaks into your public facing Web page, for example, then, if it’s on the cloud, the intruder cannot get to other systems that would otherwise be on the same network.
We’ve seen that happen to some of the agencies — where [hackers] got into one system and then, all of a sudden, could get into other systems that were much more sensitive, because they were on the same network.
By moving things out to the cloud, you can avoid that problem and also the cloud can help you with things like denial of service attacks because of the ability to shut off and turn on new servers and other compute infrastructure quickly.
Accenture and the cloud
We help agencies and companies operate in the cloud and with the cloud.
We help them with their cloud strategy; we help them with the management of their infrastructure, including both cloud and non-cloud environments; and then we also will partner with cloud companies and really leverage their capitol investments in the infrastructure.
The name may be a little misleading — it’s not something to make the cloud go faster, but . . . It helps an agency or a company formulate their cloud computing strategy.
We help them, in a very short time period — usually four weeks or less — look to see which business applications could be migrated to the cloud, how cloud fits in with their overall strategy and then how to both transition into that . . . as well as long-term — how their environment might look or should look when they start integrating both their cloud and traditional computing environment.
Wrapping it up
I think what I would say in terms of [the topics about] — everyone’s struggling with how quickly to move into the cloud — and is it real — and is it secure enough?
What we’ve seen time and time again is that, when we look at internal compute enterprise environments butting heads with the Internet, the Internet always wins.
So, we see cloud as something that is inevitable long-term. What I would say is that most IT managers should start looking at the cloud [and] figuring out how it plays in and understand that it’s still early on and the technology is maturing and it’s not going to be a fit for everything — but start to look and see what is a good fit.
There are some incredible economies that should be — and can be — taken advantage of now. Then, also, as I have mentioned several times, really making sure that there is a holistic strategy.
It’s not just about cloud computing.
It’s not just about traditional, but we see, in the next several years, that everyone is going to have a mixed environment.
Cloud still has to be managed just like other systems out there need to be managed in terms of system monitoring and everything else.
So, it’s going to be very important for agencies to look at migrate and evolve their management structure to both be able to handle cloud and non-cloud in a mixed environment.
Fed Cloud Blog will return next week with more posts. Have a great holiday in the meantime!
We left off discussing security, so we’ll start back up there:
On security and 100% protection
I don’t think anybody would be fool hearty enough to offer a 100% service level agreement (SLA) of a virtual machine sold as a service that is absolutely foolproof. What you do is basically multi-level security.
One of the things we do with Terremark’s enterprise cloud offering in the federal space, is we actually host it in a data center who’s security level is equal to that at Langley, Virginia or any good military base. We have armed guards, we have 200-foot setoffs, we have fences and all of the same features that any federal institution would require. In fact, we host classified organizations inside our data center.
Then, inside that, you have logical security. You run physical data centers that are essentially lights out — there’s no human access to the actual hardware. All of that’s highly controlled.
Beyond that, you do all of the things that are software-based, or otherwise hardware-based that are about information security. You do malware analysis, digital forensics, vulnerability assessment penetration testing, manage firewalls . . . the list goes on and on.
Public cloud v. Private cloud
There is such a thing as a public cloud.
[Terremark] has an offering called Virtual Cloud Express — or VCloud Express. It’s essentially a commodity cloud, much like Google’s or Amazon’s. You pay as you go, you take reference to shared resources, you don’t have much knowledge or concern about where those resources reside physically. The utility platform is enterprise-class. You sign it with a credit card, there’s no minimum, there’s no contract — you buy it by the minute or by the hour and use it as you will.
In my opinion, most federal agencies are not going to find a lot of utility in that kind of cloud computing. It’s just too risk-laden. It’s too amorphous. They’re not going to put their core missions on that kind of a platform — but there’s a different kind of cloud.
In Terremark’s case, it’s called the enterprise cloud, which is essentially a virtual, private cloud with a dedicated resource pool and the ability to burst above the amount of resource that you have bought. It has a physical device and private network integration. It supports multiple operating systems and I can take you into our data center and point to where it actually lives. So, we serve this up out of a physical fortress.
In fact, we have now moved beyond the dot gov phenomenon . . . at Terremark Federal Group and have recently been selling cloud as a foundation for actual production services inside large federal agencies. So, it’s beginning to happen.
Why everyone — not just IT managers — should learn about the cloud
I think mission managers and executive level decision makers all over the federal government are learning about it as we speak.
I’ve never seen so many symposiums dedicated to a single topic.
Vivek Kundra, the federal CIO, has been a change agent and an advocate for cloud computing from the federal perspective, and is acting in very — I think — effective ways to begin to push the message into federal decision making.
Again, it has a long way to go, but there are many opportunities for federal decision makers to learn about the cloud, to asses and weigh the risks versus the benefits, and — at the end of the day — they can come to a company like ours and just get it for free for 90 days, load it with whatever application they want and kick the tires.
There’s a lot of learning to be done, but it’s well underway.