Federal IT departments face some tough challenges these days. Not only are budgets constrained, but mandates are also starting to stack up like the tax code. One of the most talked about is the cloud-first mandate, the push to make IT-as-a-Service the standard procurement mechanism.
While there are many types of clouds, a private cloud is going to be the best option for government agencies seeking to comply with federal mandates.
Cost savings myth
The myth that public cloud offerings are going to save the government money still persists. Outside the Beltway, however, organizations of similar size to government agencies have figured out that renting IT doesn’t provide a lower total cost of ownership (TCO) than purchasing does. Once an IT organization – government or private industry – grows to a certain size, the economies of scale of public cloud services are not much better, leaving little room for the service provider’s profit margin. This is no secret and is being discussed in boardrooms, conference halls and LinkedIn forums. Cloud organizations are defending their savings story with aggressive marketing campaigns to persuade enterprise customers to still consider public cloud options. Their arguments often claim that hard ROI calculations are not complete and that intangible benefits that cannot be captured in just dollar comparisons have to be added. Ignoring the smoke-and-mirrors feel of these arguments, the basic fact is that if the public cloud hype of “tremendous savings!” were true, these arguments wouldn’t be necessary. Also ignored is the introduction of new problems and costs, such as WAN network bandwidth and new security challenges.
Still not secure
Speaking of security concerns, the recent hacking incident related to Amazon and Google accounts should highlight a problem often not discussed about public cloud. When information is inside of the organization, the concern about accounts and passwords is muted. Moving the data outside the IT firewalls opens the information up to human mistakes in account management. This problem is unrelated to the traditional security concerns of a public cloud solution. Those traditional security concerns about public cloud environments are well-discussed, but still not addressed by most providers. There are some public cloud service providers that meet all the federal government’s FISMA guidelines, but their costs are shockingly higher than those of the general population of cloud providers. GSA’s FedRAMP attempted to design a solution, but until contracts offered by the majority of cloud service providers can meet federal security requirements, it will just be words on paper. At least a few agencies have had to admit publicly that their cloud contracts put them out of compliance with security mandates. When given the choice of a security mandate or a cloud mandate, security should trump.
FOIA compliance impossible
Some of the major cloud providers do not offer information assurance in a Freedom of Information Act (FOIA) request. There is no way to track the history of data or show that data has not been deleted. This puts agencies in danger of being unable to comply with the law, not just a mandate. Agencies and private companies have been fined and punished for not returning court-requested information, even if it was by accident. This is no trivial issue. Transparency-in-government laws and mandates have been issued by Congress and affirmed by the courts.
Lack of Disaster Recovery (DR) and Continuity of Operations (COOP)
In most (though not all) cloud service contracts, there is a service-level agreement (SLA) that requires a specific uptime, but no remedies if this is not met. The contracts do not specify how these SLAs will be met, how many copies of the data will be made or even how they will be accessible. And if the service provider goes down, there is no way for the government agency to recover until the service provider itself recovers. Recent high-profile outages should increase these concerns, but more important is the concern about data lost through hacking and deletion. Data on an internal system could possibly be recovered with backups or even hard drive recovery services, but if the data was deleted with the correct account privileges, it’s unclear how the cloud provider can ensure recovery.
Again, there are cloud providers that do offer these options, but they are very costly. The other option is to contract a second cloud provider as a backup. This only works if the primary and secondary cloud providers both adhere to the standards of a major hypervisor manufacturer and can continually keep the copies up-to-date. At this time, no agency seems to have been able to set this up successfully. At least one agency attempted, but had to pull the contract of the second provider because it was not technically possible to host the information.
Virtualization and modernization will save money without breaking mandates
In January of 2012, a survey on virtualization found that only 37 percent of government servers had been virtualized. It is estimated that increasing that rate by just 26 percent could save an additional $23 billion by 2015. That goal is very attainable and could be made even more productive through modernization and virtualization of end-user systems. These efforts would not add problems that break current mandates.
While public, private and hybrid solutions can all be used by government agencies facing a cloud-first mandate, private clouds that rely on virtualization and other modernization techniques are a good place to start. A hybrid system – one that uses public cloud providers as a DR or COOP target – can provide additional benefit and cost savings. Secondary sites have different utilization rates, access methods and cost structures, which makes them a good fit for this purpose. If the cloud provider adheres to major hypervisor standards to manage data across the two platforms, the mixed-model approach could provide the most cost-efficient way to meet mandates.