'Cloud Smart' does not mean 'cloud always'
Cloud Smart endorses a real-world application of cloud technology, incorporating all that government IT teams have learned about the cloud and their own apps over the last eight years.
The White House outlined its new Cloud Smart cloud computing strategy last fall, which I view as not an overhaul, but rather a natural evolution of the Obama administration’s Cloud First vision issued in April 2011. While Cloud First emphasized the cloud’s potential and mandated adoption whenever possible, Cloud Smart endorses a more real-world, practical application, incorporating all that government IT teams have learned about the cloud and their own apps over the last eight years.
Put another way: Cloud Smart represents a more informed commitment and focus on making certain supporting technology platforms, cloud- or non-cloud, fit an application’s mission. In tactical terms it means:
Understand that not all applications belong in the cloud
A sizeable “repatriation” of applications from the public cloud, back to on-premises or private clouds, has occurred over the past year. A recent IDC survey found that 81 percent of IT decision-makers have undertaken such migrations.
While security concerns are the most prominent underlying reason, other factors, like availability and reliability, may also be drivers. Even the most reputable cloud service providers are not immune to unexpected downtime for broad swaths of users, and moving to the cloud involves some forfeiture of control over data security and application reliability. This is a reality that some government IT leaders find too unsavory for their liking, especially where mission-critical data and apps are concerned.
Just because data and applications can be moved to the cloud does not necessarily mean that they should be moved. This is the very core of a methodical Cloud Smart approach -- understanding that while some non-critical, non-citizen-facing applications (like human resources, for example) may be ideally suited to the cloud’s cost-efficiencies and economies of scale, other mission-critical applications may be better kept on-premises.
A Cloud Smart approach also challenges the notion that the choice to use the cloud (or not) is an absolute, black-and-white scenario. It recognizes that modern applications are the sum of many parts -- from front-end systems of engagement like web servers to back-end, mission-critical systems of record like the mainframe, which handles transaction processing. Blending the unique attributes of the cloud and the mainframe -- known for its superior security and reliability -- in a hybrid IT model is often the most logical, cost-effective approach for these types of mission-critical applications.
This is a likely reason we are seeing the mainframe continue to endure in government IT. Recent surveys have hinted that the number of mainframe-resident applications in government IT is diminishing, but these findings don’t tell the whole story. While there may be fewer applications housed solely (and entirely) on mainframes, transaction volumes for mainframe applications are exploding. Additionally, while respondents may note plans to migrate their mainframe applications, there’s a good chance they are simply migrating to another mainframe owned and operated by a third party, rather than moving to another platform type.
Whenever possible, leverage the application code and platform investments already in place
One key difference between private enterprise and government IT -- and it’s a critical one -- is that government IT doesn’t have a choice when it comes to supporting increasing user volumes.
If a private enterprise is facing restricted investments, it can make certain budgetary decisions such as delaying a launch in a new market. Government IT teams -- who may be administering public services like Social Security benefits, food stamps, unemployment compensation and more -- rarely have this luxury. If a growing volume of citizens needs access to such services, government IT must deliver, period.
A Cloud Smart mindset is highly resource-conscious and looks to preserve and leverage existing application code and supporting platform technologies that are already cost-effectively working, whenever and wherever possible. Before any platform migration decision is made, government IT teams carefully analyze the risks involved and lost access time (during which a citizen service will be inaccessible) against potential benefits to be gained from re-platforming. If the former outweighs the latter, the decision to move is a questionable one.
Those who work in government IT probably know someone who has faced pressures to move “everything” to the cloud -- with insufficient regard to the needs of the data applications involved. This is re-platforming for the sake of re-platforming, assuming huge amounts of resources and risk when in fact all that may be needed is a little application and platform modernization. Cloud Smart acknowledges this and instead focuses on mapping application performance (speed, availability) needs with the corresponding level of capacity and cost that makes the most sense, whether the ideal solution is the cloud, or something else.
Realize you are still ultimately responsible for security, even in the cloud
Most cloud service providers do an excellent job ensuring security for their servers and networks. But the fact remains that with the wealth of personal data residing there, cloud storage platforms are high-value, irresistible targets for hackers. Penetrating just one cloud service provides a free-access pass to data from thousands of cloud enterprise users.
In a Cloud Smart approach, government IT teams can pause and ask themselves some honest and hard questions. These teams are responsible for storing and protecting some of the most vital, sensitive data, including Social Security numbers, birth and death certificates, child adoption records, military operations and unmarked police vehicle license numbers. Do the benefits of cloud storage outweigh the potential outcome of hackers being able to access, steal or manipulate this information?
Cloud Smart also means that even when the cloud is used, government IT teams still understand their ultimate responsibility for their own data protection. There are certain threats that cloud service providers cannot protect clients against, such as insider threats -- any malicious, accidental and inadvertent activity that comes from employees, former employees or contractors with credentials to access privileged information.
A credentialed employee may copy and paste a sensitive database and save it in a network file accessible to unauthorized users. Recent surveys show that preventing/detecting insider espionage has been identified as the top security threat not being adequately addressed in today’s enterprises. Cloud Smart quashes the notion that data is automatically protected and secured just because it lives in the cloud. All cloud users must take an active, ongoing role in their own data protection, including techniques that can identify potentially risky insider behavior trends.
Conclusion
The cloud is great for many things, but in hindsight, Cloud First was marked by some exuberance. The transition from Cloud First to Cloud Smart aligns well with Gartner’s hype cycle, with Cloud First being a “peak of inflated expectations” and Cloud Smart serving as an entrée to a “plateau of productivity.”
Cloud First was a well-intentioned concept, but its gold rush mentality led to many unforeseen mishaps along the way. Cloud Smart puts practicality and reason firmly back in control. With several years of cloud experience firmly under their belts, government IT teams now have the insights and lessons they need to adopt the cloud in a more informed, productive way.