October 03, 2012, 11:05 AM — It seems that executives in every organization these days feel the pressure to move to the cloud. The United States government is no exception, as the administration's Cloud First policy is driving federal agencies to move essential systems to the cloud-and fast.
News: Cloud Computing Gains in Federal Government
In response, agency CIOs have scrambled to identify the low-hanging fruit: applications or systems that would be relatively straightforward to migrate. Topping the list are public-facing Web sites, customer relationship management, content and document management and email.
As it turns out, running corporate email in the cloud-email-as-a-service, or EaaS-is on everybody's low-hanging fruit list. After all, there are many public EaaS offerings that already host thousands of organizations and millions of users. Email standards and technology are quite mature, and it's unlikely that your existing on-premises email system responsible for moving emails around today is so decrepit that migrating off of it is a Herculean task. Plus, of course, email is so easy to use that moving to a new system shouldn't involve onerous change management and training.
Or so the reasoning goes. Look closely at your existing on-premises corporate email system, though, and you'll identify a number of gotchas that complicate the move to EaaS.
- Your email system is probably tightly integrated with your identity and access management system, especially if your employees enjoy single sign-on capabilities that include their email accounts.
- Your email is likely connected to your corporate calendar, address book and other collaboration technologies.
- Don't forget that your employees like to check their email on their work computer, their home computer and their smartphone.
Any EaaS migration strategy must take into account all of these issues.
Trade Agreements, Politics Complicate Government EaaS Efforts
The federal government has all these problems and more-not only because if its sheer scale but also because of the diversity of its needs and the regulated nature of its operations. For example, security is obviously a paramount concern, and security requirements vary depending on whether it's a civilian, law enforcement, military or intelligence agency. At the same time, the government's free-trade policies prevent it from restricting contracts to U.S.-based providers unless there is an overarching reason to do so.
Analysis: Email in Security Hot Seat With Rise of Cloud, BYOD
The General Services Administration (GSA) found these competing priorities in a request for quotation it issued in May 2011. This RFQ anticipated the awarding of a blanket purchase agreement for EaaS that would enable many agencies and departments across the government to purchase email from a preapproved list of EaaS vendors-in the process saving the government millions of dollars and satisfying an essential Cloud First mandate.
However, after conversations with the Office of Management and Budget and the office of the United States Trade Representative (USTR), the GSA realized it needed to balance agency security concerns with free trade policy and let agencies select EaaS providers with data centers outside the United States. The GSA's challenge was determining which countries were too risky for hosting government email data centers in a way that complied with law and policy. (Some countries, Iran, Cuba, China and North Korea, were clearly too risky and therefore easy to exclude.)
To this end, the request for proposal called for the restriction of EaaS data centers to countries designated under the Trade Agreements Act (TAA), a list of countries to which all GSA schedule contracts are subject. After all, there was plenty of precedent for this choice, and the list excluded all of the problem countries. The GSA had good reason to believe that using the TAA designated countries list would balance agencies' security requirements with the principle of free trade.
Nothing, however, is ever that simple. A small handful of contractors cried foul, pointing out that the TAA list was excessively arbitrary and would only constrain where data center providers located their headquarters, rather than the locations of the data centers themselves. These contractors filed a protest, and the Government Accountability Office (GAO) agreed. After all, the TAA designated countries list would theoretically allow data center providers in countries such as Yemen, Somalia and Afghanistan while arbitrarily excluding providers in India, South Africa and Brazil. The GAO also agreed that the RFQ as written would allow for the possibility that a company might be headquartered in a TAA-allowed country even though its data centers might be in, say, China.