Monday, August 12, 2013

Build it, Rent it, or Buy it, Three types of private cloud for government

There are two kinds of clouds we can build “behind the fence”: private cloud and community cloud. Private clouds can be on or off-premises. The primary characteristic of a private cloud is that it is dedicated to one customer. There might be sub-organizations, but all users would be from the same agency. The value cloud adds in this scenario is around simplification, agility, standardization and better utilization of resources. Even though we might not have the massive scale-out options a public cloud can offer, users and administrators still get self-service, processes are automated, fewer administrators are required and standardization occurs because the culture shifts from a “what do you require” to a “here are your options” model, all in a secure, dedicated environment.

In some agencies this can generate huge cost savings because there are fewer platforms and software environments to maintain. Administrators are happier because they are automating manual processes, including security configuration and approvals. Infrastructure costs go down because workloads are scheduled and stacked more densely so utilization goes up. Users are happier because new environment stand-up shifts from taking weeks or months to taking hours.

There are a few different ways government can implement a private cloud. The first and least desirable is to build it themselves. In the “roll your own” scenario, government IT folks define services in some interesting and agency-specific way, stitch together “best in class” components themselves with spaghetti code, develop automation workflows in multiple tools, then pray. This approach is often attractive to IT shops that have a big investment in legacy tools and are most comfortable doing things the way they have always been done. The problem with this approach is that it doesn’t scale, cannot be easily federated with other environments and becomes exponentially more difficult to maintain as it grows in complexity.

The next approach to private cloud is for the government to pay a system integrator to build or rent them a private cloud. Today’s system integrator community has quite a few big brains and is doing some of the most cutting-edge work there is in government IT, especially in the intelligence community. Some have well-developed methodologies for delivering private cloud and impressive past performance. Others have data centers where they host vast swaths of government IT and can carve out dedicated environments that are capable of running classified workloads. The challenge with the integrator approach is simply to ensure that the integrator doesn’t take the roll-your-own approach described in the previous paragraph. One would hope they wouldn’t, but there are a number of government IT shops out there which have been run by integrators for so long that it’s difficult to tell the difference between contractors and government employees. These incumbent teams know how to shape and win government contracts. Agencies just need to be able to ensure they are getting the real shift that cloud promises.

The third and final type of private cloud is the engineered stack. This approach leverages cloud platforms engineered by vendors to provide pre-integrated cloud computing environments. The solution provider has done the work of connecting the moving parts and supports the entire cloud environment as a product. Sometimes this is called “cloud-in-a-box”. Some examples are HP CloudSystem Matrix, VMware vCloud, Microsoft Private Cloud Fast Track, IBM PureFlex System and Oracle Private Database Cloud. The advantages of this approach include speed of implementation, turnkey delivery, a less complex support model, the ability to leverage existing enterprise license agreements and deep integration into the vendor’s other products. It’s hard to compare these solutions apples to apples. Some provide narrow but deep integration in a particular IT tower such as virtualization and don’t do so well serving up cloud services outside their wheelhouse. Others can provide very broad sets of cloud services but require a paid consultative engagement to realize their full benefit.

For government IT, the challenge with many of the engineered stacks is accreditation. As I mentioned in an earlier post, all government IT solutions must meet agency and government-wide security standards before they can be utilized. These standards were historically defined for component parts, not solutions. Applications and hardware were “certified”, usually at the vendors’ expense, so they could be added to the approved product list for a particular agency. As agencies move to cloud models where individual components matter less, they still expect to see the same kinds of certifications on solutions that they saw on individual applications or hardware components. This works OK if you are inside a particular IT tower like storage or virtualization, because those stacks are usually based on discrete products from a single vendor, but when you start to do more interesting things with cloud, the lines blur. A single cloud service could consist of multiple component services. Think about DevOps Platform as a Service, multi-vendor Database as a Service or Virtual Desktop as a Service. These services all require different kinds of servers (physical or virtual), different kinds of storage (Fibre Channel SAN, NAS, iSCSI), network controls (physical, virtual, load balancing, data), security controls (firewalls, IPS, access controls), configuration management, etc. A virtualization vendor may be very good at controlling some of these components as they apply to virtual infrastructure, but maybe not so good at reaching out of the virtualization stack to provision applications, databases, networks or physical servers.


This is a new paradigm for government IT security teams. They are used to testing, locking down and certifying individual pieces of the puzzle. All their processes are built around discrete components. Now they are being asked to test and accept a “black box” for a service. Naturally they come back and say, “Is it on the Approved Products List (APL)? Is there a Certificate of Networthiness (CON)? Is it FIPS 140-2 validated? Is it Common Criteria certified? Has it been through DIACAP? Can it do PL3?” The answer is complicated. Maybe some or all of the components of the service are, but now the Designated Approving Authorities (DAA) are being asked to evaluate the solution as a whole. Do they have to go through the accreditation process from scratch for the solution? Will vendors invest the 1-3 years and millions of dollars to go through certification of an integrated solution in a market that is still maturing? All these questions often lead government entities to decide that real cloud, in the commercial sense, is a bridge too far, and that maybe they will pull back to a much lower-level solution, call it cloud and declare victory. There are government teams tackling this problem, and many are doing it with a community cloud approach. I’ll talk about that in the next post.

Wednesday, August 7, 2013

Why some government workloads will always be behind the fence

When we think of cloud computing in the traditional sense, we usually think of public cloud offerings like Google Apps, Office365, Salesforce.com, Rackspace and Amazon Web Services. The government does use these services but more often than not, they shy away from most public cloud offerings. I will talk about why in this post and explain some alternatives. First let’s have a quick civics lesson.

We don’t give government organizations business models; we give them missions. Most government agencies act as agents for jobs the public has decided are important. I won’t debate the politics of whether this is always true or who decides what is important. We just need to understand that government agencies aren’t deciding what missions they have; they are being told what their mission parameters are, and usually these mandates are funded with strict constraints on what the agency can and cannot do to accomplish the mission. Many jobs we’ve given the government involve life and death and require execution of a clearly defined mission that isn’t profitable. Grandma getting her Social Security check is just as much a life-or-death mission as foiling a terrorist attack in Washington, DC, or shooting down a Scud-D aimed at NATO troops.

Commercial entities have different drivers. They may have other objectives besides profit but businesses succeed or fail based on the execution of a sound business model. Investment in the business has to balance with value the business is providing. This usually means, "are they making a profit?". Government agencies might have a business model that describes what they do but their success or failure is more likely to be defined by winning or losing wars, negative media attention, budget pressures, public and political opinion, congressional oversight, international relationships, etc. This isn’t to say that there are not hundreds of thousands of military and government employees who are trying to do the right thing; it’s just that they are working in a greater construct that is top down driven and measured by accountability.

This idea of centralized power and the culture of accountability in government affects how agencies procure IT, including cloud computing, and means there are rules for everything. Some rules come from the agencies themselves; other rules are inherited from higher levels. These rules come in the form of policy, recommendations, regulations, mandates, standards, even laws. Generally, the idea is that these rules benefit the public by ensuring things are done securely and with accountability, and that goods are fairly procured at the lowest cost. Unfortunately, these rules sometimes conflict with one another, are difficult and expensive to implement, and generate requirements that have not been budgeted. The bottom line is that agencies are rarely free to implement IT functions any way they please and are intensely scrutinized on how they do things.

Many of the rules government IT contends with have to do with regulation of security. We see regulated IT security controls in the corporate world around things like credit card processing and medical information, but in government it touches every aspect of IT. Most agencies have always had their own rules for IT security, but in 2002 the Federal Information Security Management Act (FISMA) was signed into law, requiring every federal agency to run a formal, agency-wide information security program. Following FISMA, a series of standards were published (FIPS 199 and FIPS 200, backed by the NIST SP 800-53 control catalog) that define how systems are categorized and which security controls must be in place for any IT function. Agencies have to reconcile these standards with their own internal rules for security. Compliance activities usually result in agency-specific hardening procedures, approved product lists and patch sets that don’t always keep up with the latest technology. In some cases the security controls become so complex and ingrained in the system that IT becomes quite rigid. Concepts like cloud and virtualization weren’t even around when many of the security standards and processes were defined, so those processes often have no path to “certify” a system that isn’t built from the older technology they were written around.

Let’s get back to cloud computing. Imagine you are the CIO of an agency that supports military air bases all over the world. The agency’s mission isn’t IT; it’s keeping military aircraft supplied with fuel and parts, scheduling aircrews, maintaining online maintenance manuals, guarding the perimeter, shoveling snow, etc. IT isn’t your business but today you run small data centers worldwide to support your mission. You pay power bills, buy servers, storage and networks and maintain an IT Staff. You see the benefits of cloud computing and want to make IT cheaper, better and faster for your customers. You want to get your organization out of the business of running IT. Can you move your applications over to a public cloud provider?


Probably not. Government agencies, especially the military, are constantly under surveillance and attack by adversaries, and the shared nature of public cloud environments presents too many attack vectors: the agency’s workloads would run on hardware, hypervisors and networks it does not control, alongside tenants it cannot vet, and it cannot test or accredit that shared infrastructure itself. It’s a little like leaving your Wi-Fi open or your laptop in a public place. Passwords and firewalls can only do so much; if bad people have access to your system, they will get in. This doesn’t mean sensitive government workloads can’t benefit from cloud computing. It means we have to think about building the cloud behind the fence. In the next post I’ll talk about three types of private cloud.

Sunday, August 4, 2013

Government cloud delivery

At a high level, there are two basic ways government agencies can see benefit from cloud computing. The first is to use existing cloud services instead of building and running the components of those services themselves. The other is to use cloud as a tool to deliver services to their own customers. In the first case, government IT is a consumer of a cloud service. In the second, government IT is a cloud provider.

Remember, IT services are only needed because the mission or business requires a capability. We don’t have servers just to have servers. We have servers because we need to run apps. We have apps because we need to access, analyze and manipulate data to some end; forecast the weather, map the genome, find the terrorist. The data is what matters, not how it’s delivered.  

Just like commercial organizations, when government IT is a consumer of cloud services it benefits by not bearing all the costs and effort associated with building and maintaining a service. Think about all the things that go into an IT service. You need a facility, servers, networks, storage, cooling, power, backup, load balancing, security. The list of things you have to buy just to get started goes on and on. In addition to the start-up expenditure of buying facilities, equipment and software for an environment, the costs of actually implementing something complex like email or a server virtualization infrastructure once you have all the parts can be huge, even if you have sufficient well-trained staff. If you don’t have the staff it can really get ugly, because you have to pay an external entity to build and maintain the system.

There are always trade-offs, but cloud can make much of this pain disappear. Most public cloud service providers are all about specialization and scale. When you do one thing, you can do it very well. When you have fewer processes you can afford to optimize and automate those processes. When you buy 5,000 servers a month, you get them cheaper than someone who buys 100 a year. Many agencies today are asking themselves, “Why should I own this?”. IT is not a core competency at many government agencies and why should it be? We want the IRS to quickly process returns, the Air Force to deliver ordnance to the right targets, and NOAA to keep feeding accurate data to weather.com. Should they be sweating the details of procuring and optimizing discrete components of their system like virtualization platforms, testing systems, etc.?


In the next post in this series, I will discuss why some agencies do need to worry about owning the service and need to build it “behind the fence”. Cloud can still provide a lot of value in this scenario. As a provider of cloud-based services, government IT can drive down its own costs through standardization, virtualization and automation of its platforms and offerings, while increasing customer satisfaction and shortening time to market for new capabilities. This is usually called “private cloud” or “community cloud”, and it can be built on or off premises. The key characteristic is that it is a dedicated environment.

Friday, August 2, 2013

Overview of how government leverages cloud computing solutions

Cloud means many things to many people, especially in government. It can be a confusing topic for government IT leaders, procurement people, and the vendors and integrators who are responding to government requirements. This article is the first in a series on how government is using the cloud today and some thoughts on how things might work better.

First, let’s quickly talk about what cloud is. Cloud computing is all about making IT better. The end game is to make IT invisible, like electricity. You don’t think about how power gets into your home so you can charge your phone. As a matter of fact, you probably don’t even worry about being home to charge your phone. The plug in your office or hotel room is guaranteed to work. Cloud computing works the same way. Cloud makes the multitude of components powering the services, apps and entertainment we depend on, work invisibly. Cloud is what’s behind the easy button. It’s software, hardware, and smart folks stitching things together.

Cloud computing changes how businesses see IT because now they don’t have to own and maintain all the moving parts. Organizations can replace components like databases, servers, storage and lots of software tools with a black box. This is great because the care and feeding of the IT food chain gets exponentially harder as complexity increases, and harder almost always means slower and more expensive. Cloud services are a no-brainer for most companies today, just like they are for you and me. Would you ever consider running an email server in your basement to get your mother-in-law set up on email? Could you build and maintain a service like Dropbox in your basement (or in the lab at work) that lets you store, access and share documents with anyone, anywhere? Even if you could, should you?

The world of government IT is a little different, though. Bureaucracy, regulation, funding, security requirements and many other issues conspire to make IT in government hard. Anything new needs more than a business case to be adopted. It must be tested, documented, added to the approved products list, and procured according to a very complex set of rules that were probably written before cloud even existed as a concept. Add to that the reality that government agencies are often running critical IT services at disaster sites or in deserts, jungles, ships or aircraft, sometimes with unfriendly forces doing everything they can to hinder the mission. It’s a unique challenge, but one that can benefit from the simplicity and ubiquity cloud can bring to IT services, if government can figure out how to safely and efficiently use them.

In follow-on posts, I’ll discuss the types of cloud services the government is using and describe some of the delivery mechanisms for cloud.