Federal Government’s Five Year Push to Cloud is Paying Off, Security Remains Adoption Drag

It’s been roughly five years since the U.S. federal government initiated its Cloud First IT policy. The Cloud First policy is a mandate that, in the Government Services Administration’s (GSA’s) own words, states agencies must “take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.”

The effort has saved considerable costs, according to information from the U.S. Government General Accountability Office (GAO), provided below in this post. But not as much as hoped. Many of the legacy systems agencies had in place in 2010 are still in place, but many have moved such things as email and single-purpose tools to cloud services.

“In 2015 many agencies are still using cloud computing similar to 2010,” said Mark Kneidinger, director of the Federal Network Resilience Division at the Department of Homeland Security, as quoted in CIO.com.

That assessment is probably true in many areas and for a lot of different reasons. One big reason is that such trades (legacy systems for cloud systems) are difficult, and sometimes it literally takes the legacy systems breaking down or becoming unsupportable to force the change to new systems on the organization. Other times the cloud services may be a step back in capability, or the transfer to a different service may break a few internal dependencies. It’s only been very recently that cloud services have come close to being on par in flexibility with many on-premises or internally developed systems. Sometimes the cloud service, even though it’s a small operational expense, seems more expensive than maintaining a system or application that is fully paid for. Conversely, many times the cloud service is certainly less expensive than paying maintenance fees.

But the biggest bogeyman that seems to recur as justification for not moving to cloud is security concerns. For instance, John Engates, CTO at Rackspace, told CIO.com that cloud computing vendors are very good at securing their cloud services and infrastructure. “I think what you immediately gain by working with any one of the cloud providers here and a number of other companies out there in the market is the level of sophistication that they’ve had to grow into and maintain to continue to operate on the Internet today,” Engates was quoted as saying. “To be a player in the cloud you really, literally have to defend against some of the most sophisticated attacks on the planet on a regular basis, and so you get really good at it, and I think those are benefits that could be immediately gained by the use of cloud computing,” he said.

That’s absolutely correct, it seems to me. And it highlights that it’s not actually security (wanting to stop attacks and data breaches) that is still often the hang-up. It’s (still) far more often than not actually compliance that is the concern: either compliance to outside regulators or to internal security policy. Most organizations do not think that they can necessarily do a better job at securing their data; rather, they are not given the visibility they need in order to comply.

The breakdown is the ability to audit, access these providers, etc. that is required by regulators – and not all regulators will agree to certain controls. It also shows how well-intended regulatory compliance rules can hurt security by removing decision making regarding risk from those in an organization who are in the best place to make solid risk management choices.

The effort to go cloud first has had its impact. The federal government spends about $80 billion a year on IT. According to the GAO (in a report published a few weeks ago), these efforts have saved about $3.6 billion in IT costs. “Slightly more than half (or about $2.0 billion) of the savings and avoidances were from data center consolidation and optimization efforts. Notably, of the $3.6 billion total, the Departments of Defense, Homeland Security, Treasury, and the Social Security Administration accounted for about $2.5 billion (or 69 percent),” the GAO wrote.

The data are incomplete here: according to the GAO, most agencies didn’t meet the requirements to submit their reinvestment plan information. Only five of the 27 agencies required to submit reinvestment plans did so.

My bet is, the next five years will see a much broader cloud adoption and increased cost reduction even accounting for increased use of information and application services. And, oh yeah, they will be more secure as cloud providers become more open with their security and compliance efforts that will satisfy more regulators and internal audit groups.
