How HHS and NASA are handling hybrid-cloud challenges
Connecting state and local government leaders
Both agencies have found valuable uses for hybrid cloud, but the security and standardization issues aren't easy fixes.
Gartner reports that 70 percent of organizations are pursuing a hybrid-cloud approach. In government, NASA and the Department of Health and Human Services have been among the early movers toward such solutions -- but that doesn't mean they've ironed out all the wrinkles.
At a June 10 FCW event on cloud security, IT executives from both agencies discussed the security, privacy and organizational challenges they've encountered and the steps being taken to address them.
Roopangi Kadakia, NASA's web services executive, and Beth Anne Bassinger-Killoran, executive director of HHS' Office of IT Strategy, agreed that the benefits of hybrid cloud are clear: Sensitive data and applications can be kept inside agency networks, without anchoring other, connected systems that can be moved safely and effectively to the cloud.
“There’s a lot of stuff that has to stay within our own infrastructure,” Kadakia said. “We have supercomputers; I’m not going to put all of this stuff in the cloud. However, now I can actually start building applications, I can take advantage of that data in different ways, in more innovative ways that wouldn't be possible if we had to keep it all within our environment.”
However, both agencies are wrestling with challenges involving visibility, organizationwide integration and the ability to create a risk model that works across the enterprise.
NASA, for example, must assess security risks for more than 64,000 applications. According to Kadakia, the biggest current cloud-related risk issue is NASA’s more than 1,500 external-facing websites, many of which incorporate interactive applications and analytical tools that do far more than just display information on a page.
Assessing the risk is crucial, and Kadakia said NASA had struggled to craft a risk model that could work across the entire agency. So NASA is triaging the risk and looking to move at least 10 percent of its publicly accessible websites to the cloud each year. That staggered approach lets the agency do risk assessment at a manageable scale, and work toward a model that's appropriate agencywide.
NASA also has engaged stakeholders across the agency to develop an effective cloud governance framework. Kadakia said the NASA IT security division works closely with this cloud governance team to ensure some consistency in how cloud services are procured and how different assets are integrated.
HHS, Bassinger-Killoran said, is taking similar steps, but the agency's federated structure has hampered her team's ability to clearly see what the operating divisions are doing with cloud, unless it involves an enterprisewide initiative.
To tackle this, she said, HHS has established function-based enterprise governance in three areas: administrative and management; health community services; and science and research. The goal is to understand the largest capabilities that each component organization has, and federate accordingly so that each of the organizations can manage the smaller pieces.
This effort only allows HHS to know that what cloud efforts exist, not to manage or standardize them, Bassinger-Killoran said, but the increased visibility is an important first step.
And security-wise, HHS does have a strong system-development life cycle that was established at the department level. Bassinger-Killoran said that each HHS organization is required to go through that system for cloud and on-premises systems alike.
"We’re trying to be as proactive as possible before an event, so that we don’t have to respond,” Bassinger-Killoran said. "That means making sure the seams are in place at the beginning."
Note: This article was updated on June 15 to correct the number of public-facing NASA websites.