
How the feds learned to stop worrying and love the cloud

Government agencies are using more cloud-based services, but a hybrid model is likely to prevail for some time to come. Highly classified systems will be kept on premises, according to some experts.

Given the constant stream of news about hackers and data breaches, you'd think our nation's 17 intelligence agencies would be among the last to share classified information using cloud technology. But you'd be wrong.

For decades, the intelligence community (IC) pursued a "castle-and-moat approach," with each agency jealously guarding its own data stores, says Jennifer Kron, who until recently was acting CIO of the Office of the Director of National Intelligence (ODNI).

Now all 17 members of the ODNI have embraced secure data sharing using GovCloud, a private cloud that uses Amazon Web Services (AWS) but is managed by the National Security Agency (NSA).

"Regardless of what organization somebody is in, if they have appropriate security clearances, training, and the mission need to know, they can access that data," Kron says. "The [new] motto of the intelligence community is, 'Data is a community asset.'"

To manage this securely, the IC uses highly sophisticated access controls, she adds.

"We know who everyone in the IC environment is, and what clearances, training, and mission they have. If you say a particular piece of data can go into the cloud but can only be accessed by someone who has red hair and the initials JFK, we can do that," she jokes.

In many ways, the intelligence community's embrace of the cloud is a model for the rest of the federal government. In 2010, when then-U.S. CIO Vivek Kundra declared that the government must move to a "cloud first" policy, he didn't give any deadlines. Now, the clock is ticking.


In September, the Modernizing Government Technology Act (MGTA) of 2017 was passed by the Senate; it's expected to be signed by President Trump later this year. The MGTA calls for federal agencies to consolidate IT efforts by using commercial cloud services and infrastructure, accelerate adoption of cloud email and collaboration tools, and improve existing shared security services.

Some agencies, like those in the intelligence community, are already using private clouds. Others are using a mixture of private and public cloud infrastructure, and a handful are beginning to deploy software-as-a-service offerings.

Right now, it's still more like a steady trickle than a flood. The proposed 2018 federal IT budget calls for 70 percent of its nearly $96 billion to be spent on maintaining legacy hardware, with cloud services slated at just under 9 percent. But that's up from 8.2 percent in 2017.

"Will 2018 be a year when everything changes? Probably not," says Steve O'Keeffe, founder of MeriTalk, a public-private partnership focused on improving the outcomes of government IT. "I think we'll see incremental, not monumental, change."

It starts with email

Like a glacier carving through the tundra, cloud adoption is slowly and inexorably making its way through the federal government. For many agencies it starts with email, which is typically viewed as low-hanging fruit.

The General Services Administration was the first federal agency to adopt cloud email back in 2010, and the National Oceanic and Atmospheric Administration (NOAA) followed a year later, migrating its 25,000 employees and contractors to Google Suite Enterprise.

At first, NOAA tried to modernize its on-premises email system, says Zachary Goldstein, who was the agency's deputy CIO at the time. But at the same time, it was also running a long-term pilot testing the Google cloud environment. When the on-prem upgrade hit roadblocks, the agency decided to go all in on cloud email.

When NOAA CIO Joseph Klimavicz moved to the Department of Justice in April 2014, he brought the idea with him. The DOJ began migrating all 150,000 of its inboxes from Microsoft Exchange Server to Office 365 in December 2016. At publication time, it was about halfway done with the move, he says.

Five years ago, the department used more than 20 disparate on-premises email systems, says Klimavicz. By the end of 2018, it aims to have just one, hosted in the Microsoft Azure cloud.

This is part of a more fundamental shift to a hybrid cloud model for the DOJ, which has shrunk its infrastructure footprint from 110 data centers to just over 30 in the space of seven years. That alone has saved the department more than $100 million in operating expenses, says Klimavicz.

For NOAA and the DOJ, the main drivers for the move were system consolidation and money savings. Stefan Leeb, enterprise services branch chief for NOAA, estimates that continuing to run email on premises over the past six years would have cost $55 million—money the agency simply didn't have. Operating in the Google environment cost a mere $19 million in comparison.

But the real benefit of cloud adoption for these agencies is enhanced data sharing and collaboration. Operating under a common Office 365 environment makes it possible for DOJ personnel to set up meetings with hundreds of staff across the organization, sharing screens, audio and video files, and more, says Klimavicz.

"It helps the department stay connected, share information across teams, and make faster, more informed decisions," he adds.

At NOAA, agency personnel used to share documents manually or via email, mark them up, and recirculate them, says Leeb. A single document could take months before it was finally submitted for approval. Now, using the cloud, they can mark it up and submit it within days, he adds.

"It's a tremendous change in the way people do business," Leeb says. "It greatly increases the pace of collaboration and innovation, too."

In addition to email, the DOJ is taking advantage of some two dozen SaaS, PaaS, and IaaS solutions, from AWS to Box. NOAA is using cloud-based services for its help desk, mobile device management, and emergency notification systems. And while both agencies are looking to adopt even more cloud services, a hybrid model is likely to prevail for some time to come.

"We run a lot of highly classified systems," says Klimavicz. "We plan to keep those on prem."

Frankensystems

With clear cost savings and obvious benefits for collaboration and data sharing, why aren't agencies moving more quickly to the cloud? A key barrier is the massive number of customized legacy systems that have built up over the years.

"The problem really is all this legacy technology," says Lawrence Pingree, a vice president at Gartner Research. "Agencies have huge amounts of infrastructure due to their size, and there's a fair amount of integration and customization for different missions."

Even migrating to cloud email poses legacy challenges, says Klimavicz.

"I don't even know how long some of these on-premise email systems have been around," he says. "You find a lot of dependencies that people have built in over the years, and they're not always well-documented. So you end up with a few glitches along the way. Those are the two main challenges I've seen, and that's probably true for most cloud migrations in most government agencies."

Federal security regulations like the GSA's Federal Risk and Management Program (FedRAMP) and its Trusted Internet Connections (TIC) mandate are also hampering agency efforts. Originally conceived in 2007, the mandate requires that all external connections to the Internet get routed via an agency designated as an approved TIC access provider.

The idea was to reduce the number of federal Internet gateways from over 1,000 to 50, deploying the Department of Homeland Security's Einstein intrusion detection system to protect them against attacks. But the rapid growth of cloud connections through a limited set of hardware devices created a bottleneck, negating the scalability and flexibility of cloud services. Worse, agency users are unable to access TIC providers via their mobile devices.

The GSA is working with cloud vendors on modernizing the TIC framework to allow for multiple cloud connections with sufficient monitoring and security controls.

Hearts and minds

The more difficult challenge may be persuading longtime federal employees to stop worrying and learn to love the cloud.

"Maybe the biggest barrier is actually cultural," says Goldstein, who is now CIO at NOAA. "People like to see where the stuff is stored. It's not just legacy systems; it's also legacy attitudes."

Klimavicz says cultural change remains one of the DOJ's biggest challenges.

"When you go from on-prem self-managed systems to commercially managed offsite systems, you can't run down the hall to cut your servers if something happens," he says. "It puts more emphasis on understanding your business partners' environment and processes."

Kron says a lot of user reluctance has to do with misunderstandings about the legality or security of sharing data in the cloud. 

"The IT is not the hardest part of this," says Kron. "We know how to do this technologically. Often when folks say they can't share information it's because they think, 'Well, this is very sensitive [so] it can't go into the cloud.' Yes, it can, and we can demonstrate that using fine-grained access control."

Kron says the best way to convince agencies to adopt cloud services is by demonstrating the clear benefits they can provide. 

"What you don't want to do is say, 'We have built this and you will adopt it,'" she says. "What you want to do is build services that so clearly improve mission outcomes and increase information sharing, security, and effectiveness that agencies want to migrate to them because they see the value." 

Government cloud computing: Lessons for leaders

  • The Modernizing Government Technology Act of 2017 calls for federal agencies to consolidate IT efforts by using commercial cloud services and infrastructure, accelerating adoption of cloud email and collaboration tools, and improving existing shared security services.
  • Government agencies are using more cloud-based services, but a hybrid model is likely to prevail for a while.
  • Highly classified systems will be kept on prem, says one expert.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.