Assessments
The federal government is undergoing an important transformation in the way it uses information technology. Two key drivers of this change are the Federal Cloud Computing Initiative and the 25 Point Plan to Reform Federal IT Management, the latter of which requires every agency to deploy three “must-move” services to the cloud within an eighteen month period. To support this transition, NJVC participates in multiple National Institute of Standards and Technology (NIST) working groups in establishing U.S. government use cases, reference models and interoperable standards for cloud computing.
Our internationally known cloud computing experts understand that cloud computing is not about technology, but rather a different model for delivering and consuming IT. We also appreciate that this transition is a multi-year journey and that adoption involves technical, cultural and organization transitions. With this underpinning a strategy, we recommend implementation process that includes:
- A standardized cloud opportunity identification process that reduces risk of project failure by leveraging data on successful cloud implementations
- Specified economic, operational and service metrics with explicit linkage to mission requirement
- A gate-driven cloud adoption process designed to either kill failed projects early or deliver measurable capabilities within weeks, not years
Phase 1: Pilot Assessment
NJVC adheres to the NIST definition of cloud computing in its design, development and implementation process. We see cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. This cloud model is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling,rapid elasticity and measured service), three service models (Software as a Service, Platform as a Service and Infrastructure as a Service) and four deployment models (private cloud, community cloud, public cloud and hybrid cloud). In defining this model, NIST has identified the critical trade space within which agencies can make an informed balance between desired mission enhancements(e.g.,. information access) and possible implementation risks (e.g., portability).
Phase 2a: Pilot Design
Driven by Phase 1 defined mission enhancement goals, economic efficiency targets and risk management directives, Phase 2 focuses on detailed cloud computing pilot design. In this phase, operational managers will work with NJVC consultants to validate selected pilot service model and deployment model mix options. All pilot designs will include economic, temporal and quality metrics with success being defined by improvement in one or more of the following specific measures:
- Reduce time to deliver/execute mission
- Increased responsiveness/flexibility/availability
- Optimizing cost to deliver/execute mission
- Optimizing cost of ownership (lifecycle cost)
- Increased efficiencies in capital/operational expenditures
- Environmental improvements
- User experiential improvements
Technology selection will also assure automated, fail-safe infrastructure governance. Risk mitigation will be a constant and continuous process. While different cloud computing deployment options have very different characteristics, at a minimum, a risk mitigation plan will be developed to address each of these specific risks.
- Loss of information technology governance due to cloud provider failure
- Technology lock-in due to the immaturity of the cloud computing industry and lack of industry standards in tools, procedures, data formats or services interfaces that could guarantee data, application and service portability
- Infrastructure security breaches due to a failure to isolate shared resources in the cloud multi-tenancy environment. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called "guest-hopping attacks")
- Risk to the organizations ability to maintain compliance with applicable federal regulations
- Risk introduced by providing direct access to a larger set of IT resources using the Internet, remote access and web browser
- Data protection risks due to a reliance on the data handling practices of the cloud provider which can be exacerbated in cases of multiple transfers of data (e.g., between federated clouds)
- Insecure or incomplete data deletion risk that can be especially dangerous in a multi-tenant, virtualized environment and when multiple copies of data are stored to support continuity of operations requirements
- Risk that may be caused by malicious insiders
Phase 2b: Organization Cloud Readiness
A cloud computing transition represents more than just technological and operational changes. It also represents a cultural change that must be recognized and managed as well. Traditionally, IT organizations have been focused on selecting, acquiring, installing, configuring and maintaining technology as a support group to the core agency mission organizations. In adopting the inclusion of cloud computing as an information technology alternative, organizational IT sourcing and procurement decisions will become decentralized and more centered within agency mission aligned teams. The IT centric organization will morph from focusing on “doing information technology services” to one more focused on “managing information technology services”. These mostly cultural changes will permeate the workforce.
Phase 3: Cloud Implementation
Cloud implementation is typically done in multiple adoption cycles with the pilot representing only the first adoption cycle. Each cycle expands organizational cloud based options, based upon the experience and lessons learned from previous cycles. Each adoption cycle will have specified exit criteria that will typically include:
- Satisfaction of mission, technical and operational requirements as defined by targeted economic, temporal and quality metrics
- Clear understanding of security consideration with no “show-stoppers”
- Verification that cloud governance requirements can be met with current approaches and technical solution
- Economic affordability within a predictable range, allowing adequate estimates for investment or cost and the resultant savings or organizational benefit
- Implementation realism given organizational priorities, staff level and training
To learn more about Cloud Computing, contact us.
