Wednesday, August 7, 2013

Why some government workloads will always be behind the fence

When we think of cloud computing in the traditional sense, we usually think of public cloud offerings like Google Apps, Office365, Salesforce.com, Rackspace and Amazon Web Services. The government does use these services, but more often than not it shies away from most public cloud offerings. In this post I will explain why and describe some alternatives. First, a quick civics lesson.

We don’t give government organizations business models; we give them missions. Most government agencies act as agents for jobs the public has decided are important. I won’t debate the politics of whether this is always true or who decides what is important. We just need to understand that government agencies don’t decide what missions they have; they are told what their mission parameters are, and usually these mandates are funded with strict constraints on what the agency can and cannot do to accomplish the mission. Many jobs we’ve given the government involve life and death and require execution of a clearly defined mission that isn’t profitable. Grandma getting her Social Security check is just as much a life-or-death mission as foiling a terrorist attack in Washington DC or shooting down a Scud-D aimed at NATO troops.

Commercial entities have different drivers. They may have objectives besides profit, but businesses succeed or fail based on the execution of a sound business model. Investment in the business has to balance against the value the business is providing, which usually boils down to "are they making a profit?". Government agencies might have a business model that describes what they do, but their success or failure is more likely to be defined by winning or losing wars, negative media attention, budget pressures, public and political opinion, congressional oversight, international relationships, and so on. This isn’t to say that there are not hundreds of thousands of military and government employees who are trying to do the right thing; it’s just that they are working in a larger construct that is top-down driven and measured by accountability.

This idea of centralized power and the culture of accountability in government affects how agencies procure IT, including cloud computing, and means there are rules for everything. Some rules come from the agencies themselves; others are inherited from higher levels. They come in the form of policy, recommendations, regulations, mandates, standards, even laws. Generally, the idea is that these rules benefit the public by ensuring things are done securely and with accountability, and that goods are fairly procured at the lowest cost. Unfortunately, the rules sometimes conflict with one another, are difficult and expensive to implement, and generate requirements that have not been budgeted. The bottom line is that agencies are rarely free to implement IT functions any way they please, and they are intensely scrutinized on how they do things.

Many of the rules government IT contends with have to do with regulation of security. In the corporate world we see regulated IT security controls around things like credit card processing and medical information, but in government it touches every aspect of IT. Most agencies have always had their own rules for IT security, but in 2002 the Federal Information Security Management Act (FISMA) was signed into law, and it requires every federal agency to run a formal, agency-wide information security program. Following FISMA, a number of Federal Information Processing Standards and NIST publications (FIPS 199, FIPS 200 and NIST SP 800-53, for example) further defined the security controls that must be in place for any IT function. Agencies have to reconcile these standards with their own internal rules for security. Compliance activities usually result in agency-specific hardening procedures, approved product lists and patch sets that don’t always keep up with the latest technology. In some cases the security controls become so complex and ingrained in the system that IT becomes quite rigid. Concepts like cloud and virtualization weren’t even around when many of these security standards and processes were defined, so the certification process often has no established path for a system that isn’t built on the older technology the process was written around.

Let’s get back to cloud computing. Imagine you are the CIO of an agency that supports military air bases all over the world. The agency’s mission isn’t IT; it’s keeping military aircraft supplied with fuel and parts, scheduling aircrews, maintaining online maintenance manuals, guarding the perimeter, shoveling snow, etc. IT isn’t your business, but today you run small data centers worldwide to support your mission. You pay power bills, buy servers, storage and networks, and maintain an IT staff. You see the benefits of cloud computing and want to make IT cheaper, better and faster for your customers. You want to get your organization out of the business of running IT. Can you move your applications over to a public cloud provider?

Probably not. Government agencies, especially the military, are constantly under surveillance and attack by adversaries, and the shared nature of public cloud environments presents too many attack vectors: the hypervisor, the network fabric, the provider’s management plane and the provider’s own staff all sit outside the agency’s accreditation boundary, yet a compromise of any of them exposes every tenant on that infrastructure. It’s a little like leaving your Wi-Fi open or your laptop in a public place. Passwords and firewalls can only do so much; if bad people have access to the underlying system, they will get in. This doesn’t mean sensitive government workloads can’t benefit from cloud computing. It means we have to think about building the cloud behind the fence. In the next post I’ll talk about three types of private cloud.
