Federal agencies must be assured priority and uninterrupted access to public cloud resources before fully embracing the technology for national security and emergency response IT functions, a recent report finds.
The government's "Cloud First" policy mandates that as many applications and workloads be moved to the cloud as possible, but a report from the President's National Security Telecommunications Advisory Committee finds that cloud technologies related to service uptime, interoperability and security are largely not yet mature enough to handle some of the government's most sensitive workloads.
Will the federal government eventually move those national security and emergency preparedness (NS/EP) functions to the cloud? "If and when cloud computing can demonstrate a regime of policy, legal authority, security and oversight that is comparably rigorous, complete and trustworthy relative to those currently in place for NS/EP activities via legacy means, then the response is 'yes,'" the report states. But first, the cloud market needs to mature a little bit more.
No doubt there are benefits to embracing the cloud, the report states. Outsourcing IT functions to commercial cloud providers can reduce IT capital expenditures, and the ability to scale up workloads creates more agility. But for NS/EP IT functions, cost savings are secondary. The priority is improved mission performance and being assured those resources are available during a national emergency. Downtime is unacceptable. "Fundamental requirements of NS/EP include a high degree of assured availability under any condition of stress; high measures of system and content integrity; confidentiality as required by specific missions; and mechanisms for priority access to resources in the performance of NS/EP functions," the report states.
The report's findings resonate as outages from major cloud providers have impacted customers in recent weeks. Amazon Web Services, for example, experienced a power outage during an electrical storm, knocking out service to some customers in late June. Salesforce.com, the major software-as-a-service (SaaS) provider, has had two outages in as many weeks.
The report lists some qualities of service level agreements (SLAs) that should be addressed for NS/EP functions to be moved to the public cloud. These include continuous monitoring of the cloud infrastructure by the provider, third-party audits, data encryption and various certifications and accreditations, including continuously evolving accreditation requirements from the Federal Risk and Authorization Management Program (FedRAMP).
Jamie Dos Santos, president of Terremark Federal Cloud and a member of the NSTAC, runs an infrastructure-as-a-service (IaaS) offering aimed specifically at public agencies, and she says the government is in a unique position to push public cloud providers to meet the security standards needed to host NS/EP functions. She says it's a constant work in progress.
"Government agencies need to work with cloud service providers to design and implement business continuity plans that will ensure the availability of mission-critical data during national security and emergency situations," she says. "Ensuring that the cloud service provider has achieved and exceeded regulatory compliance for the security and reliability of the infrastructure powering their cloud environments is critical."
One way to ensure availability is to spread the workloads across multiple cloud providers, but that's difficult at this point, the report notes. Even if the federal government does encourage providers to meet certain security criteria, there is no guarantee those will be adopted across the entire industry. The lack of standards in the industry prevents the portability of workloads across various cloud providers, the report states.
So will the public cloud ever get to the point of being able to host critical government information? The report says federal government processes related to NS/EP will be ready to move to the cloud "if and when cloud computing can demonstrate a regime of policy, legal authority, security, and oversight that is comparably rigorous, complete, and trustworthy relative to those currently in place for NS/EP activities."
Dos Santos says many federal agencies are already moving swiftly to cloud infrastructures, such as the General Services Administration's email services and many of the Veterans Affairs IT functions. But there is a large portion of sensitive information that is not yet in the cloud, and the cloud market needs continuing maturation before it is.