|By Kevin Jackson||
|September 15, 2011 02:00 PM EDT||
(This is part 3 of the series entitled "Implementation of Cloud Computing Solutions in Federal Agencies". First published on Forbes.com, this series provides the content of a whitepaper I recently authored. A copy of the complete whitepaper will be available at NJVC.com starting September 7, 2011.)
While the benefits and value of the federal cloud computing policy can be debated, the world’s transition to cloud computing as an integral component of any IT infrastructure cannot be denied. The prudent government executive should, therefore, heed the lessons learned from the many private industry corporations that already have miles behind them on this journey.
When identifying a potential cloud computing project, one should always count on a multi-year transition. Organizations should always use a consistent cloud opportunity identification process to reduce the risk of project failure by leveraging data from successful cloud implementations. Clients need to determine set metrics (economic, operational and service) with direct linkage to specific mission requirement(s). Use of a gate-driven cloud adoption process designed to terminate failed projects early in the project lifecycle and deliver measurable capabilities within a quick timeframe (weeks—not years) is highly recommended.
A risk mitigation plan also must be formalized that addresses each of the following concerns:2
- Loss of Governance. When moving to a cloud environment, clients relinquish control to the CP on a number of security-related issues. A gap in security defenses may also exist as service level agreements may not adequately address CP-related security requirements.
- Portability. Issues related to provider lock in are outlined in the Challenges section of this white paper on page 5.
- Isolation Failure. Multi-tenancy and collaboration are at the core of cloud computing. Resource isolation failure addresses mechanisms separating storage, memory, routing and reputation among different clients on the same cloud (e.g., guest-hopping attacks). However, it must be noted that attacks on these mechanisms are not as pervasive and much more difficult to attempt versus attacks on traditional operating systems.
- Compliance Risks. Investments in certifications (e.g., industry standard or regulatory requirements) may be compromised or lost when moving to the cloud.
- Management Interface Compromise. Security is an issue with client management interfaces with the public cloud provider. The reason? These services are provided via the internet and permit access to a larger set of resources than traditional operating systems. Security risk can dramatically increase when this is combined with remote access and web browser vulnerabilities.
- Data Protection. It may be difficult for clients to effectively check the data-handling practices of their CPs to ensure critical and sensitive data is handled lawfully and ethically. This problem can be aggravated in cases of multiple transfers of data (e.g., between federated clouds). However, it must be noted that some CPs share information on their data-handling practices with clients and others offer certification summaries on their data processing and data security activities and their various security controls (e.g., Statement on Auditing Standards 70 Certification.
- Insecure or Incomplete Data Deletion. As with most operating systems, when a request to remove a cloud resource is made, a true erase of data may not happen. Adequate or timely data deletion also may not be feasible (or undesirable from a client perspective) because extra copies of data are stored but not readily available or the disk to be destroyed also houses other data from other clients. When multi-tenancies and the reuse of hardware resources are added to the mix, this risk can increase.
- Malicious Insider. Cloud architectures necessitate the creation of certain staff positions (e.g., CP system administrators and managed security service providers) that can be extremely high risk in terms of internal security threats.
Creating a Cloud Computing Roadmap for Federal Agencies First Steps
According to, GovCloud: Cloud Computing for the Business of Government, when a government agency is ready to undertake the implementation of a cloud-based solution, it must determine which IT services, business functions and processes to deploy in the cloud environment. A five-year roadmap should be created that includes the desired order to move each of the services to the cloud for each year during that time period.3 Requirements for each service to be deployed in the cloud should be developed and a cost/benefits analysis performed to establish the rationale why each targeted service should move to the cloud.
Implementation of a Low-Risk Test Case
A low-risk test case should be implemented prior to undertaking a wholesale transfer of services to the cloud.4 This is harder than it may sound as some IT services that may seem simple to deploy to the cloud are not so easy. Four questions should be asked (and answered) to decide which IT services are best suited to live in the cloud5:
- Can compliance requirements be balanced with other IT prioirities?
- Is this an IT function or service the agency has mastered?
- Can the agency use a standardized service?
- Is the test case easily implementable?
A misconception may exist that just because an application or service being deployed to the cloud isn’t mission critical, the process will be simple and straightforward. This is not always true. If the agency is new to the cloud and wishes to establish a private cloud it will take time to determine the appropriate split of responsibilities between the service provider and the agency’s IT team.6 Compliance and liability issues can also be tricky, as defining compliance conditions and establishing liability for intellectual property protection with cloud vendors reach well beyond the IT world—and, as such, with so many moving parts may take time to properly address and resolved.7 NIST has launched the U.S. Government Cloud Computing Business Case Working Group to assist agencies with the development of cloud-compatible user cases. Email, geospatial data exchange and services management are among the first user cases currently in development.
The authors of GovCloud: Cloud Computing for the Business of Government also offer seven recommendations that must be considered during the development and implementation of an agency’s cloud roadmap:
- Own the information, even if you own nothing else. An agency must claim its right to own the information even if it doesn’t own the infrastructure, application or service associated with that information. Any agency is liable for its information—regardless of where it lives—and some education will likely be needed about this fact among its IT team. While it may be unrealistic to prevent departments from provisioning their own cloud application, the agency must institute policies and procedures to ensure it can monitor how information deployed to the cloud is managed. As it is often hard to envision future uses of information, it also is recommended that agencies make sure cloud-dwelling data can be brought back into the enterprise if needed.
- Don’t take terminology for granted. It is vital to ensure that important terminology is defined in the same way by the agency and the cloud service provider—room for different interpretation always exists. A review of information governance policies must take place to identify the areas of highest risk so authoritative definitions for vocabulary in these areas can be developed and adopted.
- Hope for standards, but prepare to integrate. In short, the cloud is young and isn’t established enough to have developed standard specifications for platform interoperability and data exchange. Strategic groundwork for future data integration needs to be laid in the early stages of any movement to the cloud. Agencies must insist that their cloud service providers provide clear documentation on the data formats and schemas used for information storage in their systems.
- Control cloud platform proliferation. Agencies should minimize the number of different cloud platforms that require support to limit information fragmentation and decrease the chance of a future huge integration effort. To the greatest extent possible, an agency’s IT team should help departments look for shared requirements in standardized business functions. The team can identify cloud platforms that meet these needs and consolidate the agency’s services on them, when possible. Not only will the ability to share information increase, this will result in greater leverage when negotiating contract terms and pricing.
- Make the information “cloud ready.” Agencies that organize their data sets well enough for use across multiple platforms will be best positioned to take advantage of cloud services, and will be better able to deploy enterprise information to the cloud more easily.IT teams need to get into the habit of encrypting data into one common format (probably XML)—a process even more important if data moves through externally operated resources to the cloud.
- Master solution integration. The shift to the cloud requires IT professionals to change their focus from owning and operating enterprise systems to becoming master information service integrators. In addition to linking legacy databases to SaaS, IT teams need to connect their private and public clouds to create a seamless technology environment that works like a single cloud custom-made for their specific enterprises.
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
Nov. 28, 2014 01:00 PM EST Reads: 1,916
"We help companies that are using a lot of Software as a Service. We help companies manage and gain visibility into what people are using inside the company and decide to secure them or use standards to lock down or to embrace the adoption of SaaS inside the company," explained Scott Kriz, Co-founder and CEO of Bitium, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Nov. 27, 2014 07:00 PM EST Reads: 1,914
15th Cloud Expo, which took place Nov. 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, expanded the conference content of @ThingsExpo, Big Data Expo, and DevOps Summit to include two developer events. IBM held a Bluemix Developer Playground on November 5 and ElasticBox held a Hackathon on November 6. Both events took place on the expo floor. The Bluemix Developer Playground, for developers of all levels, highlighted the ease of use of Bluemix, its services and functionalit...
Nov. 27, 2014 07:00 PM EST Reads: 2,052
The 4th International DevOps Summit, co-located with16th International Cloud Expo – being held June 9-11, 2015, at the Javits Center in New York City, NY – announces that its Call for Papers is now open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's large...
Nov. 27, 2014 06:00 PM EST Reads: 2,354
Some developers believe that monitoring is a function of the operations team. Some operations teams firmly believe that monitoring the systems they maintain is sufficient to run the business successfully. Most of them are wrong. The complexity of today's applications have gone far and beyond the capabilities of "traditional" system-level monitoring tools and approaches and requires much broader knowledge of business and applications as a whole. The goal of DevOps is to connect all aspects of app...
Nov. 27, 2014 06:00 PM EST Reads: 1,803
SAP is delivering break-through innovation combined with fantastic user experience powered by the market-leading in-memory technology, SAP HANA. In his General Session at 15th Cloud Expo, Thorsten Leiduck, VP ISVs & Digital Commerce, SAP, discussed how SAP and partners provide cloud and hybrid cloud solutions as well as real-time Big Data offerings that help companies of all sizes and industries run better. SAP launched an application challenge to award the most innovative SAP HANA and SAP HANA...
Nov. 27, 2014 05:00 PM EST Reads: 1,737
When an enterprise builds a hybrid IaaS cloud connecting its data center to one or more public clouds, security is often a major topic along with the other challenges involved. Security is closely intertwined with the networking choices made for the hybrid cloud. Traditional networking approaches for building a hybrid cloud try to kludge together the enterprise infrastructure with the public cloud. Consequently this approach requires risky, deep "surgery" including changes to firewalls, subnets...
Nov. 27, 2014 04:45 PM EST Reads: 1,992
Want to enable self-service provisioning of application environments in minutes that mirror production? Can you automatically provide rich data with code-level detail back to the developers when issues occur in production? In his session at DevOps Summit, David Tesar, Microsoft Technical Evangelist on Microsoft Azure and DevOps, will discuss how to accomplish this and more utilizing technologies such as Microsoft Azure, Visual Studio online, and Application Insights in this demo-heavy session.
Nov. 27, 2014 04:45 PM EST Reads: 1,736
DevOps is all about agility. However, you don't want to be on a high-speed bus to nowhere. The right DevOps approach controls velocity with a tight feedback loop that not only consists of operational data but also incorporates business context. With a business context in the decision making, the right business priorities are incorporated, which results in a higher value creation. In his session at DevOps Summit, Todd Rader, Solutions Architect at AppDynamics, discussed key monitoring techniques...
Nov. 27, 2014 04:30 PM EST Reads: 1,901
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water,...
Nov. 27, 2014 04:00 PM EST Reads: 1,988
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, a...
Nov. 27, 2014 04:00 PM EST Reads: 2,076
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happe...
Nov. 27, 2014 03:00 PM EST Reads: 2,093
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series dat...
Nov. 27, 2014 03:00 PM EST Reads: 2,240
An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and asse...
Nov. 27, 2014 01:00 PM EST Reads: 2,132
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
Nov. 27, 2014 11:00 AM EST Reads: 1,957
SYS-CON Media announced that Centrify, a provider of unified identity management across cloud, mobile and data center environments that delivers single sign-on (SSO) for users and a simplified identity infrastructure for IT, has launched an ad campaign on Cloud Computing Journal. The ads focus on security: how an organization can successfully control privilege for all of the organization’s identities to mitigate identity-related risk without slowing down the business, and how Centrify provides ...
Nov. 27, 2014 10:00 AM EST Reads: 1,799
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrateg...
Nov. 27, 2014 10:00 AM EST Reads: 1,955
"SAP had made a big transition into the cloud as we believe it has significant value for our customers, drives innovation and is easy to consume. When you look at the SAP portfolio, SAP HANA is the underlying platform and it powers all of our platforms and all of our analytics," explained Thorsten Leiduck, VP ISVs & Digital Commerce at SAP, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Nov. 27, 2014 08:15 AM EST Reads: 1,653
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, described an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-device exp...
Nov. 27, 2014 08:00 AM EST Reads: 1,939
Enthusiasm for the Internet of Things has reached an all-time high. In 2013 alone, venture capitalists spent more than $1 billion dollars investing in the IoT space. With "smart" appliances and devices, IoT covers wearable smart devices, cloud services to hardware companies. Nest, a Google company, detects temperatures inside homes and automatically adjusts it by tracking its user's habit. These technologies are quickly developing and with it come challenges such as bridging infrastructure gaps,...
Nov. 27, 2014 07:45 AM EST Reads: 2,064