Security tops the concerns of federal information technology managers as they look to move data and applications into the cloud – and that’s consistent with other public sector IT executives. But federal managers are substantially more likely to settle on private cloud solutions when compared to those managing state and local or higher education IT services.
Five trends that define the differences between how IT chiefs in each sector are approaching cloud migration:
1 Feds Keep it Private
Some 64 percent of federal IT managers said they are most likely to place a majority of their cloud-based applications in a private cloud, according to a recent study by market researcher MeriTalk. That compares with 54 percent of state and local IT managers and only 50 percent of those handling IT services for institutions of higher education.
Confining agency data to private clouds does not necessarily mean building a cloud from scratch.
Amazon Web Services has built a private cloud for the intelligence community, the Pentagon’s Defense Information Systems Agency offers private cloud services to defense clients and the Department of Agriculture’s National Information Technology Center provides cloud services to a range of civilian agencies, such as the Federal Aviation Administration.
Experienced government technology providers have also created “government community clouds” – private environments shared across agencies with similar requirements, such as being certified as meeting Federal Risk and Authorization Management Program (FedRAMP) requirements.
“This provides confidence to the agencies since other tenants in the community cloud are all other government agencies also in need of FedRAMP compliance,” explains Srini Singaraju, chief cloud architect at General Dynamics Information Technology, which has its own government community cloud offering.
2 Special Handling Required
Regardless of affiliation, IT managers surveyed favored private cloud in three situations in particular:
- Applications that handle sensitive information – managers were five times more likely to prefer private cloud over public cloud, 78 percent vs. 14 percent
- Highly specialized applications used by only a select target user group – managers were three times more likely to recommend private cloud (69 percent vs. 21 percent)
- Applications that are constantly evolving – managers were twice as likely to recommend private over public cloud (51 percent vs. 26 percent)
“Government customers have sensitive data requiring special handling,” Singaraju says. “They feel more comfortable keeping that data in a private cloud.”
3 Security is a Federal Concern
Feds are nearly one-third more likely to cite security and privacy concerns as major drawbacks to placing data in public clouds – 68 percent vs. 52 percent for state and local managers and 55 percent for higher education IT managers.
This is where shared private clouds answer the mail for government IT managers. Sharing the resource helps cloud operators gain the size and scope to make cloud computing cost effective; specializing in government support – either as a government entity or a contractor specialized in meeting government requirements – ensures that security requirements are met at every level of every system stack.
“Our platform-as-a-service is FedRAMP and FISMA certified all the way through the system layer,” says Chuck Gowans, USDA’s chief architect for enterprise data centers. USDA provides all the support, he said. That differs from typical commercial infrastructure-as-a-service offerings, which secure the infrastructure layer, but do not include application-level “patching, scanning, logging, monitoring.”
GDIT’s Singaraju agrees. “Security should be a key element in any cloud implementation. It should be included right from the beginning and should not be an afterthought.” That means applying security best practices at the software, platform and infrastructure layers and complying, at a minimum, with FedRAMP security controls.
4 Feds Stay a Step Ahead
In general, the MeriTalk study found government IT managers are still feeling their way as they step gingerly toward cloud migrations. Only about half of agencies consistently take steps such as:
- Identify and mitigate risks
- Develop migration strategies
- Prioritize applications for migration
- Build cost models
- Prepare their workforces for the transition.
But the study also found differences among federal IT managers when compared to those in state and local government or higher education. Feds were significantly more likely to:
- Identify and mitigate risks (63 percent to 51 percent for state/local/higher education)
- Assess the required computing, network, and/or storage needs (53 percent to 41 percent)
- Prepare the workforce for the transition (50 percent to 40 percent)
5 Keeping it Close
Across the board, respondents told MeriTalk that their preferred means of building trust with their cloud providers was to maintain as much control and physically keep systems as close as possible:
- 34 percent said they keep security functions on-premise and/or in-house (including access controls and monitoring functions)
- 31 percent said they require data be located on dedicated servers, storage or network infrastructure – essentially demanding private even when moving into public cloud setups
- 31 percent said they require access to their cloud providers’ systems for security and procedural audits
Reducing risk does not mean having to control every step in the process, however. “Having an experienced system integrator providing managed services reduces the risk to an agency,” Singaraju says. “Integrators have the experience and expertise to handle government applications and data and the technical sophistication to leverage industry best practices.”