Mapping Government’s Journey to the Cloud: 8 Success Stories
A GovLoop Guide
Contents

Executive Summary
Cloud Spending in Government
Mapping Your Journey to the Cloud
Peace Corps: Identifying Agency Needs
Why Digital Cloud Platforms Are Vital for Government
Department of the Navy: Developing Requirements
Delaware: Procuring Cloud Services
Making the Most of Cloud
State Department: Addressing Security Standards
Q&A with FedRAMP Agency Evangelist Ashley Mahan
Are You Ready to Embrace Cloud?
Miami-Dade County: Implementing Services
Colorado: Changing User Experience with Cloud
A Complete Approach to Cloud Computing
Hawaii: Planning for Version 2.0
Cloud Computing Glossary
About & Acknowledgments
The road to change isn’t easy, especially when it involves people and processes.
Executive Summary

Just think about the last time your agency rolled out a new departmentwide system or changed a work process that affected nearly every employee. There was plenty of office chatter about what was happening, why it was happening and how it would affect everyone, right?

We know from experience that navigating these changes can be exciting, confusing and scary all at once. But the payoffs are huge.

Let’s use cloud computing as an example: All of the above can be used to describe the government’s journey to adopt this innovative information technology model. For those agencies that have embraced cloud computing, the ability to buy access to software and hardware as a service has and continues to transform the way government operates.

But as the U.S. General Services Administration has noted, “the customer journey down the path [to cloud] can be fraught with lack of information, and there are a multitude of places where even the most experienced IT manager can make mistakes.”

With that in mind, how do agencies successfully move from considering cloud to actually buying cloud services? How do agencies implement those systems and ensure they are secure? Addressing these issues is often easier said than done, especially when critical applications are involved. But finding the best way forward and executing that plan isn’t impossible.

There are numerous success stories about agencies moving human resources, financial management and other systems to a cloud environment — some of which you’ll read about in this GovLoop guide.

To help you map your path to the cloud and beyond, this guide includes eight case studies that highlight key aspects of the cloud journey and how agencies addressed the following:

- Identifying agency needs
- Developing requirements
- Procurement
- Securing the system
- Implementing the system
- Using the service
- Planning for version 2.0
Make sure to check out the “Tips for Success” section included with each case study. These useful insights will help you proactively address some of the common pitfalls that plague government cloud projects.
Cloud Spending in Government

The federal government spends about $89 billion annually on IT, according to the president’s fiscal 2017 budget.

More than half of that funding, however, is tied up in sustaining legacy technology, or what is commonly referred to as operations and maintenance costs. Only about 20 percent of the overall IT budget funds new development, modernization projects and IT enhancements.

U.S. Chief Information Officer Tony Scott blames the huge disparity in spending between new and older systems on tight budgets and the impact of automatic budget cuts known as sequestration. Scott explained it this way: You can ask CIOs to save money, and they will — but they’ll also stop spending on refreshing infrastructure, application development and other things that are easy to cut.

“This is not a case where you can save your way to success,” Scott said. “We need to invest a little to get the outcomes that we want.”

The good news is a small but growing portion of government IT investments are funding cloud projects. Collectively, agencies currently spend more than 8 percent of the federal IT budget on provisioned services, such as cloud. According to the White House, this level of spending is on par with leading private-sector companies. Below is a breakdown of federal IT spending, including cloud services.
Federal IT Spending (Millions of Dollars)

| | 2015 | 2016 | 2017 (Proposed) |
| --- | --- | --- | --- |
| Department of Defense* | 36,727 | 37,987 | 38,551 |
| Non-Defense | 49,965 | 50,726 | 51,300 |
| Total | 86,692 | 88,713 | 89,851 |
*Note: Defense IT spending includes estimates for IT investments for which details are classified and not reflected on the IT dashboard. All spending estimates reflect data available as of Jan. 19, 2016. Source: The President’s Budget for Fiscal 2017
The chart below shows the percentage of federal IT funding spent on Development Modernization Enhancement, Operations and Maintenance and Provisioned IT Services (which includes cloud).
Development, Maintenance & Services Spending

[Chart: DME 22.9% ($18.7b); O&M 68.6% ($55.9b); Provisioned 8.5% ($6.9b)]

Development Modernization Enhancement (DME)*
These projects lead to new IT assets/systems and changes to existing IT assets. The purpose is to greatly improve capability or performance, implement legislative or regulatory requirements, or meet an agency leadership request.

Operations & Maintenance (O&M)*
O&M assets produce the same product or provide a repetitive service, also known as steady state.

Provisioned IT Services
These are shared or cloud IT services that are owned, managed and operated by the organization, a third party or a combination of the two. The service may exist on- or off-premises, and the agency consumes it on an as-needed basis.

*Note: DME and O&M services can be delivered via the cloud. Those services fall under the Provisioned IT Services category.
Source: Federal IT Dashboard
Mapping Your Journey to the Cloud

Cloud computing is gaining traction in government, thanks in large part to state and federal policies that require agencies to consider cloud first when making new IT investments. But the period between identifying a viable cloud service and actually implementing it for use can take months or even years. Planning for cloud investments within the confines of the government budget cycle has its challenges, and vetting the security of that service takes time — even with programs like the Federal Risk and Authorization Management Program (FedRAMP) in place to improve that process.

According to GSA, here are the key issues you can expect to work through when migrating to the cloud:

Identify Agency Needs: As agencies begin their journey to the cloud, they first must have a determined agency need, such as responding to a directive, replacing a system or optimizing it.

Develop Requirements: After a need is determined, an agency must research the actual requirements for the system, which can be a unique challenge because legacy systems must be translated to cloud-based ones.

Procure: Next up is the acquisition process to find a solution that meets the agency’s needs, including security.

Secure: The agency has to secure the system to ensure that it can appropriately safeguard federal and citizen data.

Implement: Then an agency needs to implement the system and make sure it’s functional and able to integrate into any necessary backend systems or requirements.

Use: Now, an agency finally gets to use the service, but as with most cloud services, agencies must also address the need for updates, new services and continued optimization.

End of Life/Version 2.0: At some point, an agency will need to retire the current system or move to a new one.
Next up, we’ll look at eight case studies that highlight each component of the cloud journey. You’ll hear from federal, state and local officials on how they addressed these issues, as well as tips for success.
Peace Corps: Identifying Agency Needs

The sweet spot for Heather Schwenk, the Peace Corps’ Volunteer Delivery System Expert, is when the agency’s business and technology teams align and mission needs drive tech adoption — not the other way around.

“Here, the tech team that we work with gets that 100 percent,” said Schwenk, a nearly 14-year veteran at the agency who oversees the entire business process, from the time people apply for volunteer assignments to the time they enter on duty.

“It’s like programming drives budget; budget doesn’t drive programming,” she said. “It’s the same exact model.”

These deeply rooted beliefs set the tone for a major cultural and technological shift in the way the Peace Corps does business, specifically when it comes to volunteer recruitment. It wasn’t until recently that the agency allowed applicants to apply to specific positions. For the first time, thousands of potential volunteers could decide what they wanted to do and where they wanted to go.

In the past, “people believed that you signed up for the Peace Corps, and it maybe wasn’t entirely about applying to the job,” Schwenk said. “That’s where there was this cultural shift,” she said of the agency’s move to make positions visible to applicants.

And with that shift came the adoption of new technology solutions to support the change. For example, the application process used to take eight hours; now it’s roughly an hour long, thanks in part to a more user-friendly interface. Internally, employees no longer have to circulate printed application forms for review. Instead, they can view applicant data directly in the agency’s system, which means more efficiency.

The focus for Schwenk and her colleagues has been aligning the Peace Corps’ business processes with the innovative capabilities that technologies like cloud can offer. In fall 2015, the Peace Corps awarded a contract for an upgrade to its cloud-based recruitment platform. The Software-as-a-Service (SaaS) solution will run in a hybrid cloud, on infrastructure that meets the government’s FedRAMP requirements.

“It’s easy to build systems and processes that work best for us, but at the end of the day, we have to remember that the process works best to find the best volunteers,” Schwenk said. “Sometimes that means tight deadlines, sometimes that means being more transparent, getting more phone calls and questions, but that’s what we wanted to do. We wanted to be transparent and build the process to find the best volunteers.”

Today, applicants can filter for the job they want. But when they’re applying, they’re not truly applying to that particular job through the technology. For now, they’re grouped together in a general applicant pool when they apply. That will change in the upgraded cloud-based system.

The technology will also enable the agency to ask applicants job-specific questions. In the future, if someone applies for a forester position in Paraguay, for example, the candidate will be asked if she has a degree in forestry and can speak Spanish.

Another benefit: The application process will be optimized for mobile users. Many applicants use mobile devices as their primary communication tool. To what extent people use their devices to apply for Peace Corps openings isn’t clear, “but we want to have it as mobile-friendly as possible, so people can make their own choices,” Schwenk said.

Her team is also weighing how the agency will use a Facebook-like feature in the system that allows communities of users and Peace Corps employees to communicate and share timely information about volunteer assignments.

The guiding light for change was a drive to be more innovative and pinpoint how technology could support a more efficient application process that attracts the most qualified and passionate volunteers. For everyone involved in selecting and designing the new cloud-based recruitment system, having the agency’s vision in mind was key.

“Those were the people who we needed as champions,” Schwenk said. “That was who I was looking for. And so we created our team. It was very expansive. We definitely needed them to be talking to their colleagues, making sure people were informed, advising us on the process but also moving forward. Champions are key, at all levels.”

Tips for Success

- Don’t focus on the exception to the rule or addressing problems that affect only a minority of users. Instead, adopt a solution that meets the needs of the majority, and determine if internal processes need to be reworked.
- Identify champions at all levels, from the top all the way to end users at their keyboards. These champions should be innovative and collaborative and have the agency’s vision in mind.
- You can’t make change in an organization if you don’t have support at the top. Champions at the senior level should be well-versed in the issue and understand its impact. If you really want to see change, get your leaders to speak openly about the new way forward.
ACQUIA PROVIDES THE LEADING CLOUD PLATFORM FOR BUILDING, DELIVERING, AND OPTIMIZING DIGITAL EXPERIENCES. Acquia is the enterprise platform behind Drupal, the leading open-source content management system, recognized as a Magic Quadrant Leader by Gartner two years in a row. Our platform enables agencies to foster greater digital engagement with citizens and securely deliver mission essential information and services with greater speed, agility, and resiliency. The City of LA, State of New York, FEMA, Department of Homeland Security and many other government agencies rely on the Acquia platform to build websites and digital experiences that meet the needs of their citizens, internal users and IT teams while moving their missions forward.
acquia.com/government
INDUSTRY SPOTLIGHT
Why Digital Cloud Platforms Are Vital for Government

An Interview with Dan Katz, Technical Director, Public Sector, Acquia

The real value of cloud computing doesn’t come from agencies shifting their data from government data centers to a cloud vendor’s facility. Where agencies get the most value for their money is in digital cloud platforms that enable them to offload operations, such as information security around the data, and shift the control burden from their IT teams to service providers, said Dan Katz, Technical Director for Acquia’s public sector business. This frees up agencies to focus on their missions and meeting their users’ needs.

Today, citizens have come to expect fast, efficient and accessible services from government agencies. But to be successful, agencies must ensure that their digital strategies increase user engagement and address opportunities to save money. Managed cloud platforms and open source software are enabling agencies to do both.

So what exactly is a managed cloud platform? A prime example is managed Platform-as-a-Service (PaaS), which is seen as the next evolution of digital experience management. PaaS comes with the orchestration layer pre-built and provides organizations with a true end-to-end platform stack specifically designed to support digital experiences. This enables organizations to focus on the experience itself rather than the infrastructure behind it. Modern digital experience management requires much more agility, and PaaS environments allow digital teams to focus on creating experiences that serve users and connect all the systems required to power those experiences.

A growing number of government agencies are also using open source software to support their digital operations. Today, Drupal powers about 40 percent of U.S. government websites. But the real power lies in agencies combining their cloud and open source approaches.

“For agencies to operate in the modern era on shoestring budgets, they need the managed PaaS in the cloud, and the flexibility and innovation of open source,” Katz said. “Agencies that are able to do so successfully are emerging as leaders and paving the way for others to follow.”

But there are a few things agencies should know as they look to combine their cloud and open source strategies. Many large cloud-hosting providers serving government agencies advertise the ability to support mission-critical Drupal solutions, but more often than not these providers are focused on infrastructure and offer virtual machines in a data center with canned configurations and some level of managed support that is often very expensive.

“It’s true they may meet the requirements on paper, but buyers beware,” Katz warned. “Moving your website from an internal data center to a managed cloud host is no different from moving a car from your own garage to a rented space down the street. In both cases, you’d need to provide expensive maintenance and care for the car, no matter where it is located.”

In contrast, a true digital cloud platform, such as Acquia Cloud, provides tools and application program interfaces for DevOps, monitoring and health checks designed for managers and non-technical users, application-level support and service-level agreements, and deep integration between the application and the platform.

“In this instance, using the car analogy, you would not have to worry about keeping the car running or providing regular maintenance,” Katz said. “You would not need to provide a team to keep the car tuned up and ready to roll at any time. That would be a service provided for you.”

A great real-world example is the state of Georgia. When the state moved to Acquia’s Digital Cloud in 2012, it projected $4.7 million in cost savings based on the freedom the state would gain from using a true digital platform with application-level support. Putting support in the hands of people whose full-time job is to support the cloud brought the state cost savings, expertise, scalability and better time management.

Nikhil Deshpande at the Georgia Technology Authority said, “Experts can monitor our platform and servers 24/7, providing recommendations to updates and changes if needed at a moment’s notice. We have had some issues with distributed denial-of-service attacks where Acquia was able to bring our websites back up and running in a fraction of the time compared to other state government websites that experienced the same attacks.”

That’s the power of a digital cloud platform. “The key takeaway is that it’s not enough to host in the cloud,” Katz said. “Instead, your organization needs a digital cloud platform that significantly offloads the operations to a qualified provider and enables you to realign your resources toward innovation and improving citizen services.”
Dept. of the Navy: Developing Requirements

The Defense Department has been slower than most government agencies to adopt cloud services. Addressing security concerns in the cloud took some time, but that wasn’t the only holdup.

One of the criticisms early on was that all DoD cloud procurements had to go through the Defense Information Systems Agency, a combat support agency that provides IT and communications support for the department, including warfighters. But restrictions on how DoD components buy commercial cloud changed in December 2014, when department CIO Terry Halvorsen gave component agencies the green light to work directly with commercial vendors, rather than coordinating procurements with DISA.

“One of the things that we’re going to change, to give us more opportunities to move faster, is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency — in this case, DISA,” Halvorsen said a few months before issuing the memo.

Since then, the military services have charted paths forward into the cloud while adhering to overarching DoD requirements. But even before the memo’s release, the Department of the Navy (DoN) had already begun testing low-risk data in the cloud.

“This early pilot activity added to and informed the follow-on innovative engineering techniques and dedicated time spent working through complex security requirements to arrive at the current approach to getting the job done,” said Susan Shuryn, a Technical Adviser and Cloud Lead for the DoN CIO.

The DoN, which is composed of both the Navy and Marine Corps, used those lessons to launch a cloud store in March 2016 as the department’s official resource for buying cloud services. Vital to the store’s success is an understanding of internal customers’ requirements.

For now, the focus is on providing IaaS for two distinct user groups: “The first level is the application owners, who are responsible for the day-to-day operations and security of the application, as they would be in traditional hosting environments,” Shuryn said.

“The difference is that they are operating from within the commercial environment, are paying only for the amount of service they need, can turn the service off when they don’t need it and have access to performance and availability metrics as part of monitoring the service,” she said. “The second level is the end user of the application. For that user group, the biggest change is the broad internet access that is provided by the commercial offering.”

Application owners who are interested in moving apps to the cloud must first undergo an initial interview to determine if the application is a good candidate for the service being offered. The DoN’s current IaaS offering can host publicly releasable data, or Level 2 data, and Level 4 data, which is sensitive data that requires greater security.

There’s a Managed Service Organization that assists application owners throughout the process and also manages the business side of the service for them once they’ve migrated to the commercial cloud environment, Shuryn said.

Her team also had to address security requirements. As required by DoD, the DoN had to build and accredit a cloud access point to the DoD Information Network for sensitive Level 4 data.

“The cloud access point is an interface, a set of security capabilities — both protection devices and sensors — that allows DISA to monitor traffic and apply security policies,” said Dave Mihelcic, DISA’s Chief Technology Officer. “It is a DoD-controlled demarcation point between the DoDIN, which is under direct DoD control, and the commercially hosted component that is a shared responsibility between the system owner and the cloud provider.

“The idea is to make sure that if a vulnerability exists and is exploited on a commercially hosted site, it cannot be exploited to the point of endangering others on the DoDIN,” he said.

Shuryn and her team aren’t just concerned about meeting current requirements. They are also considering future security requirements. The plan is to incorporate more commercial cloud offerings in version 2.0 of the store, which is set to launch in early 2017.

“There is plenty of opportunity for continued innovation in the engineering designs that will take us to the next level in leveraging what the [cloud] providers have to offer,” she said.

Tips for Success

- Educate yourself and others about cloud computing service and deployment models and how the classification of data — whether sensitive or not — may affect implementation.
- Develop roles and responsibilities for providers, integrators and government. Determine how these three entities will interact in deploying, securing and sustaining solutions.
- Build security into the design process up front and involve your authorizing official (AO) early in the development. In government, the AO is responsible for operating an information system at an acceptable level of risk.
Delaware: Procuring Cloud Services

We’ve all been on the dreaded tech support line — languishing in despair as the wait time increases and real help seems like a distant dream. There has to be a better way, right? If only the government could find one.

The Delaware Department of Technology found that solution. In 2013, the department implemented a cloud-based, software-as-a-service solution that allows employees to track IT assets and applications. The most-used feature allows employees to process help tickets and work requests via the cloud. As soon as the ticket is submitted, it’s routed to the right people. Based on the severity level of the ticket, it is assigned a certain level of tracking and escalation.

Every agency in the state can submit tickets, making it a truly centralized solution. For Delaware, this capability is transformative. “There is no agency that is not heavily dependent upon technology,” said James Collins, Delaware’s CIO. “When that technology is not functioning properly, it brings their ability to serve citizens to a halt. This new process is just a way for us to quickly be made aware of the issues, get the right classification and escalation, and monitor it through to resolution.”

The cloud allows the department and state employees to interact with the system whenever and wherever they are. Historically this access hasn’t been available to users. “We’ve had these systems that were behind our firewall, and you had to VPN [virtual private network] in with two-factor authentication and all these different things to actually access the system,” Collins said. Until the new solution rolled out, “there wasn’t a lot of proactive communications going out.”

But despite the successful cloud implementation, Collins warned that the process of procuring cloud solutions is still difficult for governments.

“We have more than 175 different cloud applications and each one of those contracts is slightly different,” said Collins. “I have a lot of challenges to overcome when it comes to making sure the right cloud solution is implemented.”

To help ease the procurement process, Collins and his team created a terms and conditions document. “Potential vendors have to agree to our terms and conditions in order for state information to be hosted in their environment,” he said. Those terms and conditions act as a roadmap for agencies considering moving their programs to the cloud.

Featured prominently in the document are sections on security and data ownership. “Per our state laws, data that is classified as non-public is required to be encrypted at rest and in transit,” Collins said. “Additionally, data is required to be housed in the continental U.S. If a vendor can’t agree to those terms, we can’t contract with them.”

“On the ownership side, we specify in our contracts who owns the data,” Collins said. “It is very explicit in our terms and conditions that the data belongs to the state.”

Safeguarding a solution that processes help-desk tickets may not seem like a big issue, but it contains sensitive data about the state’s IT systems. And any system that contains personally identifiable information (PII) must be secured. “We really put vendors through the paces when there’s going to be PII of citizens, or employees or pensioners of the state as well,” Collins said.

He isn’t worried only about current contracts, either. In the terms and conditions, the state included clauses that ensure it can exit the contract. “One of the biggest risks related to moving to a cloud environment is the ability to leave the contract,” Collins said. “Realistically, what happens when you move to a cloud environment is that you don’t have an on-premise infrastructure to host this application. In some instances, the contract specifies that you need to move to a proprietary platform, so that even if you decide to leave that vendor, the application, that language is proprietary to that vendor. So while the data is still yours, you don’t have a system to use that data in.”

To address this issue, Collins recommends that agencies ensure a true exit strategy is in place before signing a contract.

Tips for Success

- Take a risk-based stance during the procurement process. Create a terms and conditions document ahead of time so that vendors are clear about who owns the data, where it is stored and how it is secured.
- Do your homework. It is imperative to have a real assessment of a cloud provider’s infrastructure policies and practices. For example, see if the provider is FedRAMP-certified or has other similar qualifications.
- Look to the future. Understand the ongoing cost commitment in the out years, and try to control that as much as you possibly can. Create price caps; that way even if adoption goes up, costs stay relatively flat over that time period.
INDUSTRY SPOTLIGHT
Making the Most of Cloud

An interview with David Blankenhorn, Chief Technology Officer at DLT Solutions

It seems everyone in government is talking about cloud computing. But even so, it can still be a difficult path to navigate alone. That’s why DLT Solutions is working closely with agencies to make their journey to the cloud seamless and cost-efficient.

As a public-sector IT reseller and managed services provider, DLT partners with cloud vendors such as Amazon Web Services (AWS) and ScienceLogic to help agencies adopt solutions that best support their missions. David Blankenhorn, Chief Technology Officer at DLT, spoke with GovLoop about how the company works with agencies to implement cloud services and manage complex hybrid IT infrastructures, saving them money and increasing productivity.

In the past five years, Blankenhorn has seen a major shift in the conversation about cloud. In the beginning, customers wanted to know what cloud was and how it could be used. Two years later, the conversation shifted to how they could securely use cloud. Within the past year, he has noticed a new shift: “People are saying, ‘I get what cloud computing is, and I understand how it can be used securely, now how do I budget and acquire it?’”

That’s where DLT comes in. As a premier consulting partner for AWS, DLT helps make the path to cloud seamless and cost-efficient for agencies by offering lifecycle engineering and services a la carte, allowing agencies greater flexibility. “We do everything from helping customers size their cloud accounts and making sure they have the right resources to helping them deploy, all while providing 24/7 U.S.-citizen-on-U.S.-soil-based support,” Blankenhorn said. DLT’s partnership with ScienceLogic is especially helpful, as agencies can use ScienceLogic’s AWS monitoring and dashboard services to track and manage their cloud platforms.

The persistence of cloud conversations is due in part to the federal Cloud First policy, which started the conversation and directed agencies to consider cloud services. This opened the door to a greater understanding of how cloud could play an important role in achieving mission success. “In many cases, there’s a shortage of money for new products and services,” Blankenhorn said. “Using cloud technology allows agencies to leverage limited funds to try new things out.”

Blankenhorn attributes cloud’s success to its elastic nature. “One of the most compelling value propositions of the cloud is the ability to scale up and scale down and change the amount of resources consumed based on workload,” he said. That capability drives two key initiatives: accelerated time to market and public-sector innovation.

Elasticity has meant that agencies can more rapidly deploy new services by reducing the amount of extraneous work and resources poured into a project. In terms of innovation, “there are a lot of great ideas out there, but organizations are often hobbled by a lack of resources, whether it’s computing power, storage or networking,” Blankenhorn said. Cloud enables organizations to test things quickly and inexpensively. If the ideas work, they can be scaled up and sent to production. If they do not, agencies can go back to the drawing board without incurring a great loss.

As organizations migrate to cloud, they face the challenge of managing complex, hybrid IT infrastructures that include on-premise data centers as well as cloud services. This hybrid environment creates unique management challenges, as agencies need to leverage both their cloud capabilities and their on-premise investments. Ideally, agencies should be able to use a common set of tools to manage both the on-premise and cloud resources.

Blankenhorn recommended that IT management tools handle three distinctive views all at once. First, the tools should monitor an agency’s traditional IT, such as servers, software and other assets the agency has in its data center. Second, the tools should be able to monitor and manage resources that are deployed in the cloud, such as virtual machines, elastic compute cloud resources, operating systems and applications. Third, tools should be able to look at the cloud platform itself and determine the health of the infrastructure, analyze tech performance and provide security monitoring.

Adopting the right cloud solution and having the proper tools to manage hybrid infrastructure require proper planning up front and dialogue between agencies and vendors during the acquisition phase. Doing so ensures that there is maximum flexibility in the contract for agencies to use the cloud platform in a manner that best meets their needs.

“Cloud is a different way of consuming information technology, and there’s definitely a learning curve to it,” Blankenhorn said. “We spend a lot of time working hand in hand with contracting officers and acquisition specialists to help them understand what the right models are and how to properly manage and monitor the acquisition of cloud services.”
State Department: Addressing Security Standards
It’s well known that becoming a Foreign Service officer for the State Department can take a person on the journey of a lifetime. From serving in Nigeria to Thailand to Colombia and beyond, Foreign Service officers work to promote peace, support prosperity and protect American citizens while advancing U.S. interests abroad.
But there’s a different kind of journey that the State Department has been on, and it’s equally important — the journey of successfully adopting and deploying cloud computing technology departmentwide, and doing so securely.
Cloud computing plays a major role at the State Department when it comes to enabling and empowering frontline diplomats to carry out their roles and responsibilities. Minh-Hai Tran-Lam, Acting Deputy CIO for Business Management and Planning at the department, knows this well. She recently helped update State’s cloud computing policy and stand up a Cloud Computing Governance Board. The goal of the board is to streamline cloud adoption across the department by instituting a single authority for evaluating cloud services.
Putting together a board and a guidance policy on cloud computing for the department that provides transparent communication, methodologies and assistance on how to adopt cloud and meet all of the federal cloud requirements, in addition to addressing what the users need on the front end, hasn’t been an easy journey. But it’s been an important one.
“Our goal is to actually provide a one-stop shop to give guidance for anyone in the department who’s interested in using the cloud,” Tran-Lam said. “We want to help them go through the process, so that they’re not being left alone when they say, ‘Hey I want to go to the cloud. What do I do?’ It’s all set up from a procurement standpoint, from a user-friendly security standpoint and a business requirement standpoint.”
The Cloud Computing Governance Board was created toward the end of 2015, and the department is now working on putting the right people in place to run it — and making sure they’re not just folks from the IT department. “We’re making sure to have a mix of people on the board,” Tran-Lam said. “We’ve got the business partners we have in the department, our cybersecurity partners, our procurement partners, our secretary’s office. There are also our public diplomacy counterparts and the regional bureaus. We’re looking at cloud use in the State Department from a holistic standpoint, not just an IT perspective.”
That said, Tran-Lam said the board often gets questions about security and the cloud. “The requests may differ between a very simple request just asking about the process, or it may be a more robust one where the person in question doesn’t really know what the security requirements are. And so the requests actually span from the most simple request to the most complex request about security,” she said.
Another common question for the board comes around FedRAMP — the governmentwide program that provides a standardized approach to security assessment and authorization for cloud products.
“We often get asked about FedRAMP,” Tran-Lam said. “This is a shared responsibility between the cloud service provider and the customer. Just because a service is FedRAMP-certified, that does not mean the entire security responsibility resides with the service provider.”
There is a collaborative partnership among the Information Assurance Directorate, Bureau of Diplomatic Security and Privacy Office to help customers facilitate the process. Tran-Lam admits that although worthwhile, supporting and running the Cloud Computing Governance Board can be difficult. “You’re going to get all sorts of different questions,” she said. “But we do have the IT expertise, and the understanding of all different aspects of cloud, from a security standpoint to a technological standpoint. We have to share the knowledge.
“If you’re committed and you over-communicate and you help the customer get what they need, I think everyone will be more likely to adopt cloud computing services,” Tran-Lam said.
“[FedRAMP] is a shared responsibility between the cloud service provider and the customer. Just because a service is FedRAMP certified, that does not mean the entire security responsibility resides with the provider.”
Minh-Hai Tran-Lam, Acting Deputy CIO, Business Management & Planning, State Department
TIPS FOR SUCCESS
Engage partners early. It’s critical to ensure that you have all the proper stakeholders engaged early on, and you must work to understand what their needs are from the perspectives of procurement, security, operations and business.
Understand the business need first. If you want to go to the cloud, decide first what issue or problem going to the cloud will solve.
Communicate, communicate, communicate. Being proactive in communication and answering a question will take your cloud adoption a long way, Tran-Lam advised. “There are no small questions, and it’s important to be a really good partner to your customers.”
6 Questions for FedRAMP Agency Evangelist Ashley Mahan
In the federal government, you can’t talk cloud security without mentioning FedRAMP. It’s short for the Federal Risk and Authorization Management Program, but you’ll rarely hear people rattle off the entire name. The governmentwide program was designed to speed secure cloud adoption across federal agencies by establishing standard security requirements for cloud vendors. In March 2016, the FedRAMP program office announced plans for getting vendors through that process quicker. Both industry and government have been working through the growing pains of speeding the process and addressing lingering security concerns often associated with cloud computing. To better understand agencies’ needs and support their cloud journey, the program brought on Ashley Mahan, its first Agency Evangelist. Her goal is to help agencies embrace FedRAMP and ultimately adopt secure cloud services. GovLoop spoke with Mahan about her new role and the cloud computing issues she’s seeing across government.
GOVLOOP: What does a typical day/week look like for you? What types of people are you meeting with and what do you discuss?
MAHAN: Each day and week looks different. I do regularly meet with agencies, cloud service providers (CSPs), 3PAOs [Third Party Assessment Organizations], the Joint Authorization Board and the FedRAMP Program Management Office team. While each conversation is different, I always focus on: How can FedRAMP facilitate more cloud adoption by the federal government by using FedRAMP-compliant cloud services?
GOVLOOP: What are you seeing at the agency level in terms of cloud adoption and the types of capabilities agencies are looking for in the cloud?
MAHAN: Recently, one of the trending conversations I have with agencies is in regards to innovative SaaS offerings that are not yet FedRAMP-compliant. Agencies are very interested in learning more about the specific capabilities FedRAMP-compliant and in-process cloud services offer. In addition to solving their practical challenges, agencies are expressing their desire to learn from one another and ask for my assistance to help. It is a very exciting time as the FedRAMP Agency Evangelist!
GOVLOOP: What have you seen as the pain points and concerns agencies face when it comes to security in the cloud? What advice/tips are you sharing with those agencies?
MAHAN: Agencies are primarily concerned with effectively managing risk, and secure cloud products are pivotal to their risk-management strategies. We are noticing that agencies have a couple of concerns when it comes to cloud security: The cloud is “newer” and less tangible than legacy IT solutions that agencies are used to, and with that comes a discomfort in adopting a new way of doing business via the cloud. Individual agencies can accept their own level of risk associated with a cloud service when authorizing that cloud service (as allowed by the Federal Information Security Management Act), [but] one agency may be hesitant to “re-use” another agency’s authorized cloud solution because it may not trust the risk tolerance associated with that authorized cloud solution.
To help ease these concerns, FedRAMP is supporting agencies to: 1) Provide high-level education about the cloud, security and the FedRAMP program. 2) Standardize the documentation and review process. FedRAMP encourages agencies to perform their due diligence in reviewing all security documentation that is located within the FedRAMP secure repository prior to issuing an authorization. 3) Clarify the risks that the authorizing agency accepted. FedRAMP is applying safeguards to ensure agencies are well informed prior to reusing an agency-sponsored Authority to Operate (ATO). The FedRAMP team reviews each sponsored agency standard ATO package and provides a summary report (three to four pages) outlining the system risk to ensure each agency makes an informed review and decision. FedRAMP retains a copy of all authorized CSP security documentation, and we assist agencies to perform their due diligence in reviewing all security documentation.
GOVLOOP: What specific challenges do agencies face when it comes to fully embracing FedRAMP? What advice/tips are you sharing with those agencies?
MAHAN: Some agencies are still trying to understand how FedRAMP will help them, and we offer more services than just the “authorization.” As stakeholders better understand the services we can provide, they will know that they can come to us for more support. We are strengthening communication channels among agencies and between agencies and the FedRAMP PMO by establishing a FedRAMP Agency Point of Contact at each of the 24 CFO Act agencies. An agency’s FedRAMP liaison will coordinate and facilitate increased collaboration among agency partners and cloud adoption.
GOVLOOP: How do you measure success in your role, and what does that mean for the agencies you serve? What gap do you see yourself filling?
MAHAN: FedRAMP has done a lot of great work over the last few years. And, as we have evolved, we have made it a priority to help agencies adopt the secure cloud. We have already seen success — as can be measured by an increase in the number of agency ATOs and an increase in the number of conversations I am having with agencies regarding their cloud needs and solutions. Of course, FedRAMP is not solely responsible for agency cloud adoption, but we are doing what we can to help.
GOVLOOP: What three takeaways about cloud and security do you want our government readers to know?
MAHAN: Cloud technologies provide cost-effective solutions to business and mission needs. Agencies need cloud capabilities to improve their core agency functions to meet their mission and cost-effectively optimize business functions. FedRAMP exists to help provide a unified framework for federal agencies to securely adopt cloud technologies; we are proactively working with agencies to promote collaboration and share information. I am here to help — if you are an agency or a CSP working with an agency in obtaining an authorization and need FedRAMP assistance, please contact me at agency@fedramp.gov or @FedRAMPAshley.
“FedRAMP exists to help provide a unified framework for federal agencies to securely adopt cloud technologies; we are proactively working with agencies to promote collaboration and share information.”
Look out for these @FedRAMPAshley hashtags
#FeedBackFriday
We want to hear from you! On Fridays, I pay special attention to the questions you post, so I can respond with what FedRAMP is doing and how we can help. We want to bring the FedRAMP community closer together; it’s a true partnership.
#oneteamonedream
We are all on one team. FedRAMP is a program for the American public, and we have one overarching goal: to provide secure and compliant cloud technologies to the federal government.
#Agencyroadshow
This is my agency listening tour. I am actively engaged with all 24 CFO Act agencies and meeting with a diverse set of stakeholders. I use this hashtag to inform the public of which agencies I am meeting with and when.
#Wheresashley
I enjoy meeting a lot of people, including cloud service providers, 3PAOs and the public. This hashtag communicates where I am and with whom I am meeting. Also, it ties into my agency road show, which reflects the agencies that I meet with.
use ViON to deploy and manage a secure enterprise-class private cloud. ViON can help you embrace the cloud. Whether your agency is looking for a private, hybrid or public cloud solution, ViON will help you prepare the applications and services you need to migrate to the cloud and create a pathway toward success. ViON will work with your team to leverage the flexibility, innovation and cost savings of cloud at every stage of the journey. ViON possesses over a decade of cloud delivery and management experience, providing you with absolute security and the highest performance levels.
Learn more about the benefits of cloud at ViON.com/cloud
INDUSTRY SPOTLIGHT
Are you ready to embrace cloud?
An Interview with Rob Davies, Executive Vice President of Operations at ViON
Are you ready for cloud? For agencies that want to get out of the business of owning IT resources, the short answer to that question is likely a resounding yes. “I think everybody in the government can benefit from a cloud model because every agency could use greater predictability in their budgets, an ability to meet a surge in capacity, the ability to have a consistent and reliable disaster-recovery strategy and modernization in their organizations,” Davies said. It’s not so much a question of whether you should move certain applications to the cloud, but when and, more importantly, how.
But Davies also noted that cloud readiness is about much more than a desire or need to adopt cloud services. The real question is: How do agencies know which applications are ready and what workloads are the right ones to move to the cloud? Some of the greatest barriers to cloud readiness don’t involve the technology. Often, the issues are misunderstanding, fear and anxiety. To help ease any fears and inform potential cloud buyers, Davies offered these five tips to prepare for the cloud:
Start small. Use a development environment to better understand how an application is supported before moving it to a cloud environment. If you haven’t done an analysis of that workload or application, you don’t know what interdependencies exist between applications and whether moving them out of your enterprise will affect how they perform.
Focus on non-critical applications first. Ideally, you don’t want to do a technology refresh for a large system and then opt to move it to the cloud. Consider starting with a system that isn’t critical to performing your agency’s mission and then evaluate more critical systems. Again, a development environment can help you better understand how the app performs in the cloud.
Consider virtualization. Legacy applications in a mainframe environment aren’t the best candidates to port directly to the cloud because they are older systems that are not modernized to function well. On the other hand, if you have a virtualized environment running VMware or another hypervisor, you could be on the road to cloud readiness for that system. However, you still need to do an assessment of your operational environment and determine if it’s a likely candidate for cloud.
Ensure cloud vendors talk specifics. When you’re talking to vendors about cloud readiness, require that they talk specifics. For example, have them walk you through a checklist of the types of requirements that you want met when workloads move to the cloud.
Do a thorough assessment of your operational environment. This should be done across all applications to determine the characteristics of all apps, their workload performance, what types of software and what versions those applications are using, as well as the platform they’re running on.
“Our definition of cloud readiness is about being ready for use, and we help agencies through this process,” Davies said. “That means you’ve migrated, you’re up, you’re ready to go and you can turn that over to your user base, wherever they are.”
Choosing the right service model is also part of the journey to adopting cloud solutions. There’s no shortage of cloud services and options for how to manage and host them, whether in-house or in a third-party facility. But even before that’s decided, agencies have to consider which applications can and will move to the cloud.
For example, let’s say you’re the head of a fee-for-service agency. You have a major mission application that does all your transaction processing of different charges. And you use this system to collect revenues. That’s probably not the system you’re going to put in the cloud first. That may be the last thing you put in the cloud, or you may not put it in the cloud at all. But then there are other systems and applications, such as public websites, that customers use to interface with your agency and pay their fees. There are elements of that application you may put in the cloud, but the backend system and user data may be stored on-premise.
The key questions cloud buyers should answer when deciding what type of cloud best meets their needs are:
What do you need to manage?
What can someone else manage?
Who is the end user?
What type of data would be in the cloud?
Agencies must keep in mind that these questions should not be considered independent of one another. They all play a collective role in assessing what type of cloud can best meet their needs.
Miami-Dade County: Implementing Services
There’s no denying that cloud computing has saved government agencies a lot of money and made IT operations more efficient. But too often conversations about the tangible benefits overshadow the work required to ensure that those benefits become reality. Sure, agencies can easily purchase some cloud infrastructure services online with a credit card, but other solutions require more legwork to roll out. Often, agencies work closely with contractors to implement the cloud system, make sure it’s functional and ensure that employees can use the service and integrate it into any necessary backend systems.
Gary Lee, Systems Support Manager for Miami-Dade County’s IT Department, has firsthand knowledge of this process. But unlike many of his government counterparts, Lee and his technical staff don’t rely on outside expertise to implement cloud solutions. Everything is done in-house. “We’ve found that one of the big drawbacks of having consultants come in and install applications or hardware is that when they leave, they take away the technical expertise,” Lee said. “And you’re left with just enough knowledge to barely manage infrastructure. With us, we procure, install and manage the infrastructure and do all the equipment refreshes, and all that is done in-house.”
His staff is actively involved in the cloud journey, including the procurement process and equipment replacements and upgrades later on. “They’ve been through the whole cycle,” Lee said.
One of the county’s most recent projects involved implementing software to back up its entire virtual cloud environment and replicating data offsite to ensure it is accessible in the event of a disaster or incident. This automated process happens in the background without users even knowing, but it’s vital to the work they do. “It’s part of the whole cloud deployment,” Lee said of the county’s private cloud environment. “Not only are we deploying the physical infrastructure to provide [departments] computing resources, but we’re also protecting that infrastructure by doing data backups every day, and replicating it offsite.”
In the past, when it came time to recover data from those backup systems, it would take several hours before employees could use their systems again. The department would first have to reinstall operating systems and applications and recover any data lost on the server. The newer backup technology that the county uses today ensures that everything is saved as a full image, including the operating system, applications and any configurations on the server, before it goes down. This change has helped cut recovery time by more than 50 percent, Lee said. The new software has allowed the county to distribute the load of data recovery among different pieces of software, rather than relying on just one product to do all the work.
Faster recovery times mean the agencies that depend on the county’s virtual cloud environment can get back to fulfilling their missions sooner if there is a disruption. But having the right technology in place is just part of the equation. Governments need skilled employees who understand how the solutions work and integrate with other systems. “We actually provision and manage 99 percent of all our infrastructure in-house,” Lee said. “We seldom get a vendor to come in and offer consulting services. It just so happens that our staff are trained and are experienced with managing almost the entire environment.”
Unfortunately, that’s not the norm for most government IT departments. One reason is staff are stuck maintaining legacy systems and they don’t get the opportunity to build their skills. Even those who have the technical expertise may find themselves hampered by budgets. “The success of what you do within IT is really dependent on the level of expertise of the technical staff,” Lee said. “And that is what Miami-Dade has. The level of expertise is fantastic, and that has really made the difference.”
“We’ve found that one of the big drawbacks of having consultants come in and install applications or hardware is that when they leave, they take away the technical expertise.”
Gary Lee, Systems Support Manager, Miami-Dade County’s IT Department
TIPS FOR SUCCESS
Develop your staff’s technical skills through training and new opportunities. Employees should hone their skills and be prepared to compete in any environment, whether it’s working for the county or not.
Keep in mind that it’s about the entire team working together, including the technical staff and managers. Although the technical staff may have great ideas, they must work closely with managers to implement them.
If your IT department provides cloud services, consider using a chargeback model. One of the major problems in IT departments is finding the funds to upgrade technology. But under the chargeback model, the department collects funds from its agency customers and uses that money to maintain and update technology.
Colorado: Changing User Experience With Cloud
Colorado CTO David McCurdy isn’t alone in his quest to make the state a leader in delivering cloud services. But McCurdy doesn’t want that designation just for the sake of it.
“We want to be driving better customer outcomes and better citizen outcomes,” he said. “Colorado takes pride that we’re bringing the best in cloud business to our citizens.”
To achieve that goal, McCurdy focused the state’s cloud strategy around a specific understanding of the five core principles of cloud services. For a service to be cloud technology, it must enable on-demand self-service; have broad network access, meaning you can access it across the network from any location on a variety of devices; provide resource pooling to serve multiple consumers; enable rapid elasticity, or the ability to quickly or even automatically adjust capabilities to meet increasing or decreasing user demands; and be a measured service, meaning resource usage is transparently monitored and tied directly to payment. By using this specific language in requests for proposals, the state ensures that the vendors it uses provide the outcomes its agencies want and need. Cloud must empower them to better serve citizens.
Colorado’s Benefits Management System is an award-winning example of how cloud services are improving the citizen experience. The system’s cloud-based customer portal, Program Eligibility and Application Kit (PEAK), allows citizens to determine their state benefits eligibility. Previously, the process entailed corresponding with individual state agencies and could take more than 45 days. Now, citizens can use the cloud-based portal to see if they are eligible for a service such as Medicaid within 45 minutes.
“We created a platform that the citizens could interact with directly,” said William Chumley, the state’s Chief Customer Officer. “They’re able to walk through this process without a back and forth that was happening before, either through correspondence, or through going into local offices or making phone calls.”
There are more drop-down menus for users to easily enter information. “It allows them to get directly to the point much quicker, and because we capture the information once and apply it multiple times, now the citizen doesn’t have to re-enter that data over and over and over to apply for additional benefits,” Chumley said.
The front-end portal that citizens use is hosted in the cloud, and some of the data is as well, McCurdy said. But the state is looking to migrate the backend system to the cloud because his internal customers want the benefits of a flexible IT architecture that supports innovative solutions and measured services.
Another PEAK feature is the universal application. Citizens who apply for Medicaid are often eligible for other state services, especially early childhood services. When people apply for Medicaid, they can find out immediately if they qualify for early childhood benefits, such as daycare. Through this service, the portal promotes greater awareness of state programs and an easier application process.
Hosting PEAK in the cloud offers other benefits. For example, if citizens find that they are not eligible for Medicaid, the portal connects them to the state’s health exchange. In addition, the scalability of cloud services allows PEAK to handle massive workloads. With the implementation of real-time eligibility, counties handled 60,000 applications, twice their usual load, without a staff increase.
Chumley noted that PEAK is also unique in Colorado for its use of the agile development process. The user experience was placed at the front end of the planning process, and implementation included more than 50,000 hours of testing to ensure that the product was usable. The partnership between the Office of Information Technology (OIT) and the agency customers helped create a more effective and user-friendly product that continues to evolve.
OIT’s tagline is “Serving people, serving Colorado.” Chumley connected OIT’s work with the citizen experience, noting, “We, as a government, are trying to be more efficient and offer more elegant solutions for agencies to achieve those five cloud outcomes. Ultimately, that saves the citizen money and delivers a better service to the citizen. That’s really how the whole thing goes together.”
“We want to be driving better customer outcomes and better citizen outcomes. Colorado takes pride that we’re bringing the best in cloud business to our citizens.”
David McCurdy, Chief Technology Officer, Colorado
TIPS FOR SUCCESS
Relate the five core outcomes of cloud computing to user needs. You need to know what benefit the end user will actually receive from a shift to the cloud.
Understand your data. You should know exactly what will move to the cloud, and whether it will comply with security standards. This will help you find a vendor that can enable you to provide the best user experience. You should go into any cloud negotiations with a clear idea of the outcomes you want for your user.
Make sure you’re actually entering into a cloud agreement on terms you want. There are vendors that use old platforms behind a new front-facing interface, and they can create challenges, such as lack of scalability and agility, as well as fixed pricing.
Public Sector
Leaders 20 of the 20 Top Global Governments 15 of the 15 Federal Cabinet Departments 50 of the 50 States 20 of the 20 Top Counties 20 of the 20 Top Cities
Get Better Results oracle.com/government or call 1.800.633.0584
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates.
INDUSTRY SPOTLIGHT
A Complete Approach to Cloud Computing
An interview with Oracle’s Sarah Jackson, Group Vice President, Sales Consulting, Public Sector Applications & Mark Johnson, Oracle Director of Modern Platform for Government
The early years of cloud adoption in government were marked by curiosity and skepticism about delivering secure IT-as-a-Service, but time has proved that cloud has enormous potential to improve government service delivery. Agencies are discovering they can simplify their IT, improve back-office business functions, such as procurement and HR, and often reduce costs. The first step to starting your cloud journey is to ask three questions:
- Why do we want to move to the cloud?
- What functions do we want to move?
- How do we make the change?
Why Cloud?
Many assume cost savings is the main driver, but the biggest benefit of cloud is the pace of innovation, says Sarah Jackson, Group Vice President, Sales Consulting, Public Sector Applications at Oracle. “We are rolling out enhancements every six to 12 months. The demands of our government customers are changing and increasing more rapidly than ever. Intuitive design, social collaboration, policy automation and mobile capabilities are no longer nice to have. They are fundamental for agile, modern and effective service delivery.”
The cost savings with cloud services is really how much the cloud service provider (CSP) does in ongoing operations, so this makes Software-as-a-Service (SaaS) much more valuable than Infrastructure-as-a-Service (IaaS). Jackson notes that organizations already spend a lot of time maintaining major applications — particularly those that run core government operations like HCM, financials, and citizen relationship apps. For these functions, moving to a SaaS model can offer dramatic savings. Likewise, Platform-as-a-Service (PaaS) is more valuable than IaaS because it transfers more maintenance costs to the CSP, but the advantages of PaaS and IaaS can transcend pure cost, says Mark Johnson, Director of Modern Platform for Government at Oracle. He notes that the flexibility of being able to create new virtual machine environments at any time and nearly any scale is powerful — almost as powerful as deleting those environments when no longer needed to save money. PaaS and IaaS can also be part of an overall agency strategy to reduce IT administration by outsourcing data center and hardware operations.
Which Cloud?
Agencies will easily recognize the allure of most SaaS applications. SaaS allows them to stay current on software without hefty upgrades and leverage modern technologies for agile program execution. Employees and citizens win with intuitive, mobile interfaces while agencies deliver secure, scalable applications. Adopting a cloud mindset is critical for agencies to be successful in this transition. They must embrace industry best practices delivered by the service, eliminating existing customizations while receiving two to three software updates each year.
For functions that can’t move to SaaS, an agency should look to PaaS next and see what functions it can leverage from the CSP. Specific advantages of PaaS include helping developers spend less time on maintenance and more time adding value to the organization. Another decision to be considered is whether to use a public cloud (owned by the CSP and offering limited services) or a private cloud, which may be owned by either the CSP or the agency, but offers complete control to your agency. Efficient private clouds not only beat public cloud economics after two to three years, but they also provide many intangible benefits, including allowing you to decide what security to implement, how to deploy services, when to patch and more. If you need to save money in a tight budget year, then you can defer a hardware refresh in a private cloud, but not in a public cloud.
The Road to Cloud
As you create a cloud roadmap, consider both incremental and longer-term transitions. Not every application has to move at the same time, but while you are in transition, it’s important to consider how to integrate applications and data across this hybrid environment. Choosing cloud technologies that use open standards for integration and even the same underlying technologies will simplify many integration challenges, Jackson notes. The ability to personalize and extend SaaS applications is also a critical consideration for governments moving to the cloud.
For sensitive data in the cloud there are certification programs, such as HIPAA, CJIS and FedRAMP — but not every system or environment moving to the cloud needs these certifications, Johnson notes. For training or basic development, you shouldn’t use sensitive data, so why pay a premium for a certified cloud? Use the lowest-cost cloud for development or trials of new services, and then migrate the solution to another (secure) location for final test and production.
A Complete Approach to the Cloud
The cloud offers governments an unprecedented opportunity to modernize services and execute more effectively and efficiently on their mission. The best approach to when and how to transition to the cloud varies for each organization, which is why Oracle allows customers to personalize their roadmap. Only Oracle offers Public Sector customers the breadth of software, platform and infrastructure cloud services based on nearly 40 years of experience committed to serving the public sector community.
Hawaii: Planning for Version 2.0
Can you imagine living in a world devoid of paper cuts or desks overflowing with messy, displaced documents? In Hawaii, state employees are moving in that direction. “Our governor wants Hawaii to be a paperless government,” said Hawaii CIO Todd Nacapuy. “In order to be a paperless government, we need to enable digital workflows.”
But for Nacapuy, the push to paperless has less to do with saving the environment or desk space and more about building a truly efficient government. “If we can cut down on the amount of time it takes for a document to be processed, we not only save the government time, but money,” he said.
To enable the governor’s goal of going paperless, Hawaii invested in a SaaS E-Signature platform. The reason: You can’t be paperless without a digital workflow. To enable a digital workflow, you must first enable digital signatures.
It sounds a bit complicated. But think of it this way: All employees in Hawaii must sign a time and attendance form known as a G-1 when they want to take a vacation or leave for any reason. They used to manually fill out the document, which needed to be signed first by employees, then managers and then sent to human resources.
“It was really silly how manual that process was,” Nacapuy said. “We’ve just enabled digital signature and digital routing for the G-1 form. Now, anytime someone wants to take a leave of absence, instead of taking 15 to 20 minutes, it takes two minutes.”
Hawaii’s goal is to have more than 100,000 documents digitally signed in the first six months. And it’s well on its way. In just two months, the state had already filed more than 10,000 digital signatures.
The Aloha State isn’t just focused on the current digital signatures implementation. Officials are also thinking of future implementations — the next round of paperless. “When we rolled out this program, we brought all the stakeholders in the room,” Nacapuy said. “Our partners needed to understand the state’s business needs, not just for digital signatures but future ones too. If there needs to be a tweak or change to a product, we’re in there with them. We work with them to create a change to the future product.”
In fact, due to the nature of Hawaii’s decentralized approach to IT (each agency has its own IT department), the state’s Office of Enterprise Technology Services was in charge of “selling” the cloud technologies to the various departments in an enterprise-style approach. Hawaii used internal solution delivery managers (SDMs) to market the E-Sign service offerings to the different departments. “It’s the SDMs’ job to understand the departments’ business needs, their requirements and implement the solution for them,” Nacapuy said.
The SDMs’ sales were made easier for two reasons: First, the CIO’s office was able to get deep discounts from buying the technology at a larger scale. Second, the state’s IT employees were more willing to work with SDMs because they “didn’t feel they were shoving new technologies down their throat,” Nacapuy said. “The process of using SDMs has a very different connotation and it helps with adoption in state agencies because it’s not a consultant coming in and telling them how to do their jobs. The SDMs are asking them, ‘How can we help you be more efficient?’” The process is beneficial to the contractor, too. “The partner doesn’t have to do the sales stuff, [and] they don’t have to push the product,” Nacapuy said. But for that partnership to work, there needs to be a lot of trust between the contractor and the government.
In Hawaii, officials focus on finding what Nacapuy calls a true partner. “We are heavily involved with the partner’s design process, and the next rollout of their software. We have direct input into our contractor’s product team on what changes needed to be made to the software to help our business,” he said. “We’re partnered directly with [the] project team and program team, so the next rollout of their software, they will incorporate specific business needs for the state of Hawaii.”
TIPS FOR SUCCESS
- Agencies and contractors alike have to understand the current and future business needs for the government’s use of the technology.
- Find a provider that wants to have a true partnership with you. All of those expectations of what you want from a vendor need to be laid out. It’s really about delivering value.
- Get leadership buy-in. In Hawaii, the digital signatures launched first with the governor. The governor pushed a mandate that states he’d give priority to signing things that are sent digitally.
Cloud Computing Glossary
The National Institute of Standards and Technology set the record straight on what constitutes cloud computing: It’s a model for providing widespread, convenient, on-demand network access to a shared pool of resources, whether it’s servers, storage or software applications. But to help you better understand what the cloud has to offer, here are a few key terms:
Cloud Deployment Models
Community cloud: A community cloud is used by organizations with shared concerns, which may be a mission, security requirements or compliance considerations. Like the private cloud, it can be hosted by one or more organizations in the community or by a third party and can also be on- or off-premise.
Hybrid cloud: A hybrid cloud is a mix of two or more cloud types. The individual types remain unique entities, but they are tied together by standardized and proprietary technology that allows for data and applications to easily transfer from one cloud service to another. Hybrid clouds allow for greater flexibility and more data deployment options.
Private cloud: Private clouds are designated for a single organization’s use, though that may include multiple consumers. These clouds may be hosted by an organization in its data center or by a third-party company in an off-premise center.
Public cloud (off-premise): Public clouds are hosted by businesses, academic institutions or government organizations, and they are available for open use by the public. The cloud provider hosts them onsite.
Cloud Service Models
Infrastructure-as-a-Service (IaaS): IaaS is one of the three cloud service models. In IaaS models, the provider manages the underlying cloud infrastructure, while the user controls the operating system, storage, applications and select networking components, such as firewalls. IaaS platforms are highly scalable and are well suited for temporary and variable workloads.
Platform-as-a-Service (PaaS): PaaS is one of three cloud service models. In PaaS models, the provider manages the infrastructure, including the network, servers, operating systems and storage. The user manages the hosted applications and user-defined configurations for the application-hosting environment. PaaS lets users develop and run new applications without having to install in-house hardware and software.
Software-as-a-Service (SaaS): SaaS is one of the three cloud service models. In SaaS models, the user can access the provider’s applications that run on a cloud infrastructure. The user does not manage any part of the infrastructure except for limited user-specific application settings. Benefits of SaaS include easy administration, compatibility and global accessibility.
Cloud service provider (CSP): A cloud provider or cloud service is a company that provides users with cloud computing technology, typically in the SaaS, PaaS or IaaS models. Providers differ in the level of cloud access and control, and users should determine what their cloud needs are before choosing a provider.
FedRAMP: The Federal Risk and Authorization Management Program is the government’s standardized approach for securing and authorizing the use of cloud products and services. The program is housed within GSA. FedRAMP uses a “do once, use many times” framework for vetting the security of cloud services. This saves the government time and money.
NIST 800-53 (revisions): NIST 800-53 is a special publication on security and privacy controls for federal information systems and organizations. The publication includes rules and controls for access, incident response, business continuity, disaster recoverability and more. A fourth revision was released in 2015 and addressed the increasing sophistication of cyberattacks and included new controls for areas such as mobile and cloud computing, applications security, and insider threats.
On-demand self-service: On-demand self-service is one of the five essential characteristics of cloud computing, as defined by NIST. This characteristic means that a customer can use cloud computing capabilities, such as server time and network storage, when they need it without requiring human interaction with the CSP.
Pay-as-you-go (PAYG): Pay-as-you-go cloud computing functions like utility bills. Customers are charged only for the resources they use. The flexibility allows customers to use the cloud service without any wasted resources.
Service-level agreement (SLA): The service-level agreement is part of a cloud service contract. The SLA describes different levels of service with regard to attributes such as cloud availability, serviceability or performance for the user. The SLA also contains specific thresholds for those attributes and lists financial penalties that the provider will incur if the thresholds are not met.
Vendor lock-in: Vendor lock-in is a challenge customers face when they cannot easily move from one CSP to a competitor. This can be caused by proprietary CSP technology that is incompatible with the competitors’ products, inefficient processes or contract constraints, in addition to other issues. This often serves as a barrier to cloud service adoption.
About & Acknowledgments
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com. www.govloop.com | @GovLoop
Thank You
Thank you to Acquia, Amazon Web Services, DLT, Hitachi Data Systems Federal, Oracle & ViON for their support of this valuable resource for public-sector professionals.
Authors
Nicole Blake Johnson, Technology Writer
Emily Jarvis, Senior Online & Events Editor
Catherine Andrews, Director of Content
Sonia Chakrabarty, Editorial Fellow
Designer
Kaitlyn Baker, Graphic Designer
Photo Credit
All photos licensed for use under Creative Commons 2.0. Nan Palermo, Steven Bratman, U.S. Navy, U.S. Peace Corps
1152 15th St. NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com @GovLoop