The government sector is on a fast march to the cloud, but Robert Rosen wants to pause for a breath.
"I've been looking at the cloud for a long time, and it's not as simple as all the vendors want to make it seem," says Rosen, CIO of the National Institute of Arthritis, Musculoskeletal and Skin Diseases at the National Institutes of Health in Bethesda, Md. "The federal government isn't this uniform user of IT. So there's no one-size-fits-all. There are places it fits fine, others where it doesn't, and this great middle area where it's 'maybe, maybe not.'"
So even though he's working under a new federal mandate known as "cloud first," Rosen is moving cautiously. He's evaluating how to use cloud computing to store data that his agency doesn't access frequently, a move that could help eliminate the need to build a new data center. But he says he wants to cover all the bases to make sure he doesn't make mistakes. He's looking at the data itself to determine security needs, calculating bandwidth requirements and devising an exit strategy in case he wants to switch vendors or move out of the cloud.
"It's a deliberate process we're going through. We're just not going to leap," says Rosen, a past president of Share, an IBM user group. Still, the pressure is on Rosen and his colleagues to move to the cloud.
Last December, former U.S. CIO Vivek Kundra established the cloud-first policy, telling federal CIOs to move three services to the cloud within 12 to 18 months. In a 25-point plan to reform federal IT management, Kundra cited cost savings, flexibility and speed of deployment as reasons for adopting the policy.
Now, IT leaders like Rosen are grappling with the details involved in making the policy work, but also seeing early successes moving some functions to the cloud as they work toward migrating truly strategic systems there.
"This is a paradigm shift," says Shawn Kingsberry, CIO at the federal Recovery Accountability and Transparency Board and a proponent of cloud computing.
Kingsberry considers this a unique point in IT history, akin to the late 1990s, when IT departments went through drastic upgrades during the run-up to Y2K. Today, dwindling dollars and a shrinking workforce are forcing IT leaders to once again think big. "Now you have a perfect situation where the stars are aligned to make massive change," he says. "When you look at what this means, federal government has the opportunity to make moves forward."
Kingsberry's agency moved its Recovery.gov website to Amazon.com's EC2 cloud service in April 2010. He says the agency decided to make the leap after successfully using the cloud for testing, although IT leaders at the agency still performed a rigorous analysis before making the move. They considered, among other factors, how cloud computing would fare in terms of performance, cost and security.
Classified Data? Not in the Cloud
IT leaders are constantly weighing cloud computing's benefits against its security risks.
In its spring survey of 375 federal, state and local government IT decision-makers and influencers, CompTIA found that 44% of cloud implementers rated network security as a top challenge. Thirty-six percent listed compliance with security mandates as a top challenge, while 35% cited data loss prevention and 35% pointed to hardware security.
Tim Herbert, vice president of research at CompTIA, says CIOs are concerned about keeping data and systems safe from malicious attacks and establishing data governance procedures in an environment that encourages collaboration and sharing.
"It comes up a lot -- security and policies. And it comes up in the private sector, too," he says. "Some of that concern is reality, and some of it is perception."
At the very least, analysts say, those security concerns will keep classified data out of the cloud for the time being even as the General Services Administration and other agencies establish security standards. And it will likely limit to some degree the amount of less-sensitive data that migrates to the cloud as well.
So far, the cloud has delivered, says Kingsberry. Using cloud services saved about $750,000 in the first year for Recovery.gov, a site for sharing data and information related to the federal American Recovery and Reinvestment Act of 2009. Kingsberry says he expects more savings in the future, since the site will be able to scale up without requiring investments in new hardware.
"Obviously, one of the key drivers behind the federal government [cloud initiative] is Vivek Kundra's [push] for cost-cutting," says JP Morgenthal, cloud evangelist at Smartronix, a Hollywood, Md.-based consultancy that helped the Recovery Accountability and Transparency Board move Recovery.gov to the cloud.
Big Bucks on the Line
The amount of money at stake is significant. In its "Federal Cloud Weather Report," released in April, MeriTalk, a social network for government IT professionals, found that cloud implementations could produce $14.4 billion in savings in the first year.
The report, which was underwritten by virtualization vendor VMware, also noted that 64% of 167 federal CIOs and IT managers surveyed in January expect cloud computing to both reduce costs and improve service.
In his Feb. 8, 2011, "Federal Cloud Computing Strategy" report, Kundra listed other benefits beyond cost containment. He said the cloud could create a more agile, responsive and scalable infrastructure that would support more collaboration and innovation -- the same factors that nongovernment IT leaders cite as reasons for moving to the cloud.
Several government projects have already yielded such returns.
The U.S. Treasury Department moved its public-facing websites, including Treasury.gov, to Amazon cloud services earlier this year, with help from Smartronix. Morgenthal says the move enabled the site to be more flexible and scalable.
Analysts point to other cloud initiatives that are yielding cost reductions and service improvements.
"Certainly the migration of USA.gov to a private cloud hosted by Terremark [now part of Verizon], as well as the early cloud development at DISA [the Defense Information Systems Agency] and at NASA, are great examples," Gartner analyst Andrea Di Maio said in an email.
DISA's development of the Rapid Access Computing Environment (RACE) cloud infrastructure is an example of a successful government cloud initiative, agrees Deniece Peterson, a federal industry analyst at Deltek, a Herndon, Va.-based enterprise software vendor whose customers include federal agencies and government contractors. Other successful cloud projects include the U.S. Army's deployment of Salesforce.com and the Customs and Border Protection agency's use of the cloud for its customer relationship management application, she adds.
This spring, the Army announced that it had completed the first phase of a migration of email services to the DISA cloud; officials estimate that the move will save $100 million annually.
Fed CIOs Lag on 'Cloud First' Goals
Federal IT leaders are moving ahead with cloud computing projects, but it appears that many of them aren't moving as quickly as mandated by the "cloud first" policy, which requires CIOs to move one service to the cloud by the end of this year and two more by mid-2012. The "Federal Cloud Weather Report" published in April by MeriTalk, found the following:
52% will move the first service to cloud computing in the next 12 months.
48% will move the next two services to the cloud within the 18-month time frame.
Hurdles to Clear
Even though there have been early victories in the race to the cloud, analysts and government officials alike acknowledge that there are obstacles on the path ahead. Concerns about security, funding and ROI, as well as political opposition, could impact what moves to the cloud and when it goes there. Meanwhile, cultural resistance to change and an institutional reluctance to share resources could hinder adoption of cloud computing even when there are strong business cases for it.
Indeed, in May the Army learned that the House Emerging Threats and Capabilities Subcommittee cut its funding for the email cloud migration project from a requested $85.4 million to just $1.7 million, with subcommittee members saying they want to see a cost-benefit analysis before they will agree to provide further support.
Peterson says that many agencies will have to work with limited funding, even in cases where they can demonstrate clear benefits from moving to the cloud.
"Budget constraints and a lack of resources are always in the mix of being top concerns or challenges," says Tim Herbert, vice president of research at the Computing Technology Industry Association (CompTIA), which has surveyed government IT leaders on subjects such as cloud computing. Other issues that could slow or halt the move to the cloud include slow-moving bureaucracies, fear of change, lack of interoperability between legacy and cloud-based systems, the challenge of coordinating technologies across agencies, and a lack of skilled personnel, he says.
In MeriTalk's recent study, 79% of the federal CIOs polled said budget constraints are a top obstacle to implementing cloud computing, and 71% said security concerns are preventing cloud adoption. Some of those issues could also influence what model of cloud computing -- private, public, community or hybrid -- federal agencies adopt.
Some agencies are large enough to build their own private clouds and still reap financial benefits, Peterson says. But many others are too small to handle such a move and wouldn't see any cost benefits from doing so. That's not to say, however, that there isn't a potential for big savings with private clouds. Peterson points out that large agencies could build private clouds and then sell capacity to smaller agencies under a shared-services model.
But for that model to work and produce a strong ROI, government entities would have to move beyond their often parochial outlooks and build a culture that embraces cross-agency cooperation, say Peterson and other analysts.
"If everyone builds their own private cloud, you won't get the cost savings," Peterson says. "The big thing is, we don't want to see a bunch of cloud stovepipes popping up. That's how the government operates now."
Faulty Road Map?
CIOs Skeptical of GSA's Cloud Aids
The General Services Administration launched the Federal Risk and Authorization Management Program (FedRAMP) last November to "provide a standard approach to assessing and authorizing cloud computing services and products" and to establish security standards for federal cloud computing. But MeriTalk's "Federal Cloud Weather Report" cites the following challenges:
64% of 167 federal government IT leaders surveyed said they understand FedRAMP but aren't optimistic that it will help.
56% said it will neither facilitate nor accelerate federal cloud adoption.
67% said it won't make federal cloud computing more secure.
Public, Private or Hybrid
Analysts say that government agencies, like their private-sector counterparts, are trying all of the cloud options to see which models work best in certain situations.
Government entities that are implementing cloud computing are primarily doing so in one of three ways, according to Marie Francesca, director of engineering operations, and Geoff Raines, senior principal software systems engineer, at The Mitre Corp., a government contractor based in Arlington, Va.
One is to use commercial services such as those offered by Amazon and Google. Examples include the migrations of Treasury.gov and Recovery.gov to Amazon's cloud service.
The second is to share services within the government, where one agency acts as a service provider for others. Examples of this are DISA's RACE system and NASA's Nebula.
The third option is to build a private cloud for an organization's exclusive use.
Francesca and Raines point out that government CIOs have such diverse systems that they can legitimately use any of those approaches, depending on the needs of the applications and data slated for migration to the cloud.
The General Services Administration and the National Institute of Standards and Technology (NIST) are helping federal agencies with their cloud computing moves, according to Francesca and Raines.
The GSA is setting up contract vehicles and schedules that will allow agencies to purchase commercial cloud services in a quicker and more uniform way, they explain. The website Apps.gov will provide a central point for information on this initiative. They say the GSA had already been providing federal agencies with a uniform mechanism for handling other types of contractors.
Meanwhile, NIST is defining cloud concepts, identifying standards and organizing security research.
Despite such guidance, the reality is that many federal entities aren't yet moving to the cloud.
According to MeriTalk's report, 79% of federal CIOs said their agencies aren't adopting the cloud-first policy, and only 64% are planning to embrace that approach in the next two years.
Moreover, at the time of the survey, only 17% of the federal CIOs were using infrastructure as a service, while 15% were using software as a service and 13% were using platform as a service. However, 20% said they were planning to move to infrastructure as a service, 22% were planning to start using software as a service, and 19% said they had a platform-as-a-service project in the works.