Budget push for cloud computing could be premature, observers say

Some warn security could suffer in the rush to subscription-based software and hardware services.

The fiscal 2010 federal information technology budget request tells agencies to slash costs by moving to cloud computing platforms, but some government technology consultants responded to the unprecedented product endorsement with concerns about hasty implementation.

Cloud computing, often called subscription-based service, offers paying customers Internet access to software programs -- or even hardware -- that are hosted at a company's data center. The customer, in this case, the agency, does not own the software or information technology.

"Most IT suppliers to the government are recasting their current government data centers into federal clouds primarily through PowerPoint presentations but without any real value addition," such as more security and reliability, said Alan Paller, the director of research for the SANS Institute, a cybersecurity firm.

"The key for government to take advantage of cloud computing is not to allow the outsourcers to shape the offerings" but to choose the services it wants the clouds to deliver and then let the outsourcers compete in security, reliability and cost, he added. Amazon, Microsoft, Google and Salesforce.com were among the many companies pushing cloud platforms in the public sector, even before the president called for an IT overhaul.

Information security and privacy specialist Lynn McNulty said if agencies ignore security in the rush to adopt cloud computing, there are bound to be security consequences that would delay the transition.

The president's budget takes the unusual step of not mincing words in ordering agencies to emphasize the "cloud" -- a relatively untried technique in government.

"Pilot projects will be implemented ... to identify enterprisewide common services and solutions," states an analytical perspectives document released on Monday to provide more IT guidance on the budget. "These projects should lead to significant savings, achieved through basic changes in future federal information infrastructure investment strategies and elimination of duplicative operations at the agency level."

The administration envisions agencies tapping into a pool of servers, storage devices, business applications, help desks, remote workstations, financial management systems and citizen communication tools, curbing the costs associated with owning the underlying infrastructures.

"The announcement on cloud computing is a clear signal from the administration that the government must get more out of each dollar that it spends on IT," said David Mihalchik, manager for federal business development at Google, adding this is "a green light for agencies" to implement cloud computing services.

While Jennifer Kerber, vice president for federal and homeland security policy at a TechAmerica, a technology trade association, agreed with Paller that agencies and cloud suppliers should work together to define performance requirements, she cautioned agencies against being overly prescriptive in writing contracts.

"Sometimes it's hard for the government to know exactly what they want if they don't understand the capabilities or the services," she said. "Rather than [say,] 'I need a red hammer that is 12 inches high,' " tell the supplier " 'I need something that can shove a nail into a board in five seconds flat and never miss.' "

Kerber added that agencies that craft rigid contracts could end up buying technology that is outdated by the time it is installed.

While the budget heavily promotes cloud technology, it is careful to stress the concept demands a different approach to risk management than agency data centers require. This is because the cloud typically involves more information sharing.

"It appears that [the White House] recognizes that security is an important issue and has said a few of the right words about security in the budget document," said McNulty, a former federal IT official who is now an executive consultant at the government technology firm McConnell International.

The fiscal plan urges agencies to establish a proactive program management office for implementation and directs the federal community to create new security measures.

But Kerber argued it is a myth that cloud computing frameworks need tougher security standards. The model comes with the "same vulnerabilities you would [find] behind an agency firewall. Discovery and auditing and compliance also need to be thought about," whether the computer system is inside or outside a cloud, she said.

The upfront costs of moving the federal enterprise to a cloud are expected to be recouped by consolidating data centers and allowing federal employees to work remotely, thereby reducing travel costs, according to the budget plan.

Some agencies already have begun buying into the cloud.

The federal government's homepage, USA.gov, switched to a cloud computing platform earlier in May and expects to cut Web management costs in half.

"The move is progressing remarkably smoothly, with no major surprises or problems, just the process of learning new systems," said Thomas Freebairn, acting director of USA.gov technologies at the General Services Administration.

The State Department is using a Google-hosted application to enhance interactions with citizens, although not a direct cost-cutting venture, the company said.

Taking a cue from Waldo, State launched a kind of "Where's Hillary" map http://www.state.gov/secretary/trvl/map/ to show users where Secretary of State Hillary Clinton has traveled and where she is at any given time.

"I think that you'll see agencies, just like USA.gov ... adopt a cloud-based approach," said Dan Chenok, who was a member of the president's transition team and former branch chief for information policy and technology in the White House Office of Management and Budget. "But I wouldn't necessarily use commercial cloud computing in classified environments."