recommended reading

Budget push for cloud computing could be premature, observers say

The fiscal 2010 federal information technology budget request tells agencies to slash costs by moving to cloud computing platforms, but some government technology consultants responded to the unprecedented product endorsement with concerns about hasty implementation.

Cloud computing, often called subscription-based service, offers paying customers Internet access to software programs -- or even hardware -- that are hosted at a company's data center. The customer, in this case, the agency, does not own the software or information technology.

"Most IT suppliers to the government are recasting their current government data centers into federal clouds primarily through PowerPoint presentations but without any real value addition," such as more security and reliability, said Alan Paller, the director of research for the SANS Institute, a cybersecurity firm.

"The key for government to take advantage of cloud computing is not to allow the outsourcers to shape the offerings" but to choose the services it wants the clouds to deliver and then let the outsourcers compete in security, reliability and cost, he added. Amazon, Microsoft, Google and Salesforce.com were among the many companies pushing cloud platforms in the public sector, even before the president called for an IT overhaul.

Information security and privacy specialist Lynn McNulty said if agencies ignore security in the rush to adopt cloud computing, there are bound to be security consequences that would delay the transition.

The president's budget takes the unusual step of not mincing words in ordering agencies to emphasize the "cloud" -- a relatively untried technique in government.

"Pilot projects will be implemented ... to identify enterprisewide common services and solutions," states an analytical perspectives document released on Monday to provide more IT guidance on the budget. "These projects should lead to significant savings, achieved through basic changes in future federal information infrastructure investment strategies and elimination of duplicative operations at the agency level."

The administration envisions agencies tapping into a pool of servers, storage devices, business applications, help desks, remote workstations, financial management systems and citizen communication tools, curbing the costs associated with owning the underlying infrastructures.

"The announcement on cloud computing is a clear signal from the administration that the government must get more out of each dollar that it spends on IT," said David Mihalchik, manager for federal business development at Google, adding this is "a green light for agencies" to implement cloud computing services.

While Jennifer Kerber, vice president for federal and homeland security policy at a TechAmerica, a technology trade association, agreed with Paller that agencies and cloud suppliers should work together to define performance requirements, she cautioned agencies against being overly prescriptive in writing contracts.

"Sometimes it's hard for the government to know exactly what they want if they don't understand the capabilities or the services," she said. "Rather than [say,] 'I need a red hammer that is 12 inches high,' " tell the supplier " 'I need something that can shove a nail into a board in five seconds flat and never miss.' "

Kerber added that agencies that craft rigid contracts could end up buying technology that is outdated by the time it is installed.

While the budget heavily promotes cloud technology, it is careful to stress the concept demands a different approach to risk management than agency data centers require. This is because the cloud typically involves more information sharing.

"It appears that [the White House] recognizes that security is an important issue and has said a few of the right words about security in the budget document," said McNulty, a former federal IT official who is now an executive consultant at the government technology firm McConnell International.

The fiscal plan urges agencies to establish a proactive program management office for implementation and directs the federal community to create new security measures.

But Kerber argued it is a myth that cloud computing frameworks need tougher security standards. The model comes with the "same vulnerabilities you would [find] behind an agency firewall. Discovery and auditing and compliance also need to be thought about," whether the computer system is inside or outside a cloud, she said.

The upfront costs of moving the federal enterprise to a cloud are expected to be recouped by consolidating data centers and allowing federal employees to work remotely, thereby reducing travel costs, according to the budget plan.

Some agencies already have begun buying into the cloud.

The federal government's homepage, USA.gov, switched to a cloud computing platform earlier in May and expects to cut Web management costs in half.

"The move is progressing remarkably smoothly, with no major surprises or problems, just the process of learning new systems," said Thomas Freebairn, acting director of USA.gov technologies at the General Services Administration.

The State Department is using a Google-hosted application to enhance interactions with citizens, although not a direct cost-cutting venture, the company said.

Taking a cue from Waldo, State launched a kind of "Where's Hillary" map http://www.state.gov/secretary/trvl/map/ to show users where Secretary of State Hillary Clinton has traveled and where she is at any given time.

"I think that you'll see agencies, just like USA.gov ... adopt a cloud-based approach," said Dan Chenok, who was a member of the president's transition team and former branch chief for information policy and technology in the White House Office of Management and Budget. "But I wouldn't necessarily use commercial cloud computing in classified environments."

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download

When you download a report, your information may be shared with the underwriters of that document.