Public Clouds for the Public's Trust
When the subject is cloud computing, only one thing gets me almost as excited as the implications of cloud platforms for developer productivity – and that's the potential benefits of the public sector's adoption of public clouds.
When a newly elected official needs to deliver on a campaign promise, during the first 100 days of an administration or during the six months before a congressman has to start running for re-election, the fast deployment times of cloud-based applications can make an enormous difference. It's hard to imagine doing a public-sector system any other way, for a host of reasons:
- "In a traditional IT procurement environment, it would have taken us about six months to upgrade USA.gov to better meet the needs of our citizens. However, in the cloud environment we are now able to do upgrades in one day," said David McClure of the GSA's Office of Citizen Services and Communications (as reported on gsa.gov in September 2009).
- The U.S. Census Bureau used a cloud-based application platform to achieve 12-week design and deployment of a system to manage its temporary labor force of 170,000 personnel in 2,200 partner organizations – after it became clear that a planned traditional approach would not meet the fixed deadline of the Constitutionally mandated decennial effort.
- The Family Service Agency of San Francisco estimates a 50% reduction of administrative time, combined with vastly improved outcomes tracking, after migrating its mental health case management process to a cloud-based system.
Public clouds offer headroom for bursts of activity associated with regional or even national events. The private sector has recognized these efficiencies: for example, JetBlue has discussed its use of a cloud-based collaboration tool to enable scalable response to the huge surge of questions and coordination needs that follow any major flight disruption. A library of complex checklists, and a 258-page emergency manual, provide current information in a perfectly consistent manner to all employees regardless of location.
Even more than an airline, a government must be the credible responder of first resort to any of the massive but infrequent workloads associated with natural disaster, terrorist attack, or any number of other such situations. It's wasteful to provision government-owned resources that will be idle for all but a tiny fraction of their useful life, when public clouds can provide scalable capacity on demand that the government agency need not acquire in advance – nor maintain while not in use.
For all these reasons, agencies at every level of government are getting a clear green light from Washington D.C. to pursue cloud options. Casey Coleman, GSA's CIO, stated last year that "We will...work with industry to ensure cloud-based solutions are secure and compliant thereby reducing duplication of security processes throughout government." Coleman's statement both acknowledges, and vows to address, the appropriate commitment of those who hold the public's trust to protect their information and their services.
Public cloud providers are absolutely under an obligation to make the case for their reliability, security, and governability – but this is no more the case in government applications than it already is in financial services, health care, education, and any number of other domains in which cloud services already enjoy wide acceptance. Public clouds, far more than any single private IT installation, are forced to provide a "sum of all fears" level of protection that addresses the demands of the most demanding customer – and provides that level of protection, through the model of multi-tenancy, to all customers on that system.
Are there genuine threats in this connected world? Without doubt, there are, but those threats are already being faced by government agencies that are having to deal with them in an uncoordinated fashion and at their own expense. There's no need to conjure up elaborate scenarios of international cyberwar: the present, quite sufficiently scary reality is more on the scale of the June 2008 attack against a government Web site in Brazil, cutting off legitimate government employees' access for more than 24 hours and reportedly compromising valuable data. A demanded ransom of $350 million was not paid, but that escape was only enabled by a fortunate backup of the data and a week of determined effort to regain control of the resource.
Traditionally, government IT has addressed such security concerns with a model of perimeter defense: a clearly defined trust boundary that has usually reflected a physical separation of authorized internal users from all other points of access. That's less and less an option, though, as governments expand their use of public-facing Web sites to make more services available to citizens and to manage dispersed resources more efficiently. Dean Turner, director of Symantec’s Global Intelligence Network, puts it simply when he says that "[Attackers] aren't breaking into your network. They don't have to. You are going to them." Governments will be targets for a growing range of increasingly sophisticated attacks – and these will arise, not only from the connected outside world, but also from within.
Every subscribing organization, therefore, will still need to assign privileges appropriately, audit actions effectively, and control access to information on its way in and out of the system. This is not a new problem arising from the cloud, but the agency using a public cloud can focus its resources on its own specific mission – while common concerns are addressed by the public cloud service provider, with attendant massive economies of scale.
The issues for discussion in the public cloud are not qualitatively different from those already encountered as governments continue their turn toward use of public networks and Web resources, for all the reasons discussed above. What's different in the enterprise public cloud is the far more affordable cost of providing the rigor, accountability and transparency that the market demands to meet the needs of serious customers – whether in the private sector, or in the pursuit of the people's business.
Licensed under Creative Commons Attribution-No Derivative Works 3.0.
