Public or private cloud? -- Balancing security, cost savings and efficiencies for government agencies
The question of the optimum cloud scenario for use by the U.S. Government -- on-premise, public cloud, private cloud or hybrid architectures -- is becoming increasingly important.
As part of cost saving initiatives, and in accordance with a 25 Point Implementation Plan to Reform Federal Information Technology Management that includes a “Cloud First” policy, all agencies are now mandated to move some applications to the cloud. So, how are government CIOs and IT managers choosing the types of cloud services they will use, and for which pieces of their infrastructure?
Security, of course, is often the central issue in these decisions. It could be that many agencies are playing it safe -- avoiding the cloud at all costs, or building their own cloud so that they can remain in control of their environment and information security. But there are many reasons why this strategy is not the best way forward.
Public or private cloud?
Although the term “private cloud” is relatively new, the concept is not. Organizations have been using private clouds for years, most commonly in the form of computing architectures that provide hosted services. Today, organizations build private clouds in order to utilize the Internet for certain services, without relinquishing control of their infrastructure, data and security.
Public cloud services, on the other hand, are dynamically provisioned on a self-service basis over the Internet using Web services and Web-based applications, with third-party security and storage. Some public cloud services offer multiple levels of control, so that customers can keep a tight rein on their data and who has access to it. In fact, because they service such a wide range of public and private sector organizations, public cloud service providers often have tighter data security and system management capabilities than many enterprises.
Private cloud implementations require expensive in-house infrastructures, management and security measures that the public cloud does not. Agencies that build their own on-premise clouds may be missing out on many benefits of the public cloud, such as cost savings, flexibility and a leaner and more predictable IT profile over time. And in reality, there are massive amounts of data and applications that agencies could safely move to a public cloud in order to leverage these benefits.
Of course, there are also areas of government unsuited to a public cloud environment, such as agencies that create, exchange and/or move data related to:
- National security, such as the Department of Defense;
- The private financial information of citizens, such as the Internal Revenue Service (IRS);
- The personal health information (PHI) of military personnel and Medicare and Medicaid patients.
The problem is that there is so much data generated and/or handled by government agencies that sifting through it line-by-line and determining which data is right for the public cloud is well nigh an impossible task at this point in time.
Because there is so much fluctuation in how data is handled within and between agencies, it makes sense in many cases to err on the side of caution. On the other hand, a lot of the information that agencies store and exchange is already public record -- statistics, historical records, legislation, judicial records, property and financial information, environmental reports, etc. -- and need not be locked into private cloud or on-premise environments. These areas are perfectly suited for the public cloud.
Scalability in the cloud
Government is essentially a very large business, and as such it requires major scalability and flexibility just like any other large enterprise. There are constant ebbs and flows in how information is gathered, disseminated and accessed government-wide. Typically, these ebbs and flows have demanded more servers, more software and more man hours to ensure functionality. But this is no longer the case. The scalability of the cloud is ideal for fluctuating and unpredictable environments, and thus offers the potential to relieve government of the burden of all that excess capacity and added expense.
And the public cloud has advantages that go beyond storage and data exchange -- it is also ideal for secondary and backup infrastructures. For example, municipalities collect property tax information twice a year, causing a temporary information processing glut in the system each time. A secondary infrastructure in the cloud could be used during these peak times to handle the load, rather than having to resort to additional on-premise hardware and software, maintenance and staff.
In addition, with the healthcare industry driving toward a paperless, collaborative environment and giving citizens more control of their own health information, it is sensible that this transpires in the cloud, rather than creating a huge on-premise infrastructure.
Value-added services in the cloud
Government agencies should also consider how the cloud can provide value-added services for the data they already manage. For example, dynamic connections that occur between government and citizens -- such as those between taxpayers and the IRS -- require intensive management. Instead of using standard in-house applications and data storage for this purpose, a public or private cloud can deliver low-risk, high-value services such as validation, integration and data quality assurance, removing the burden from workers and potentially enhancing and extending on-premise applications.
|Event Details||Dates of Event|
|SANS Counter Hack 2013||Nov 7 - 14|
|SANS Pen Test Hackfest 2013||Nov 7 - 14|
|SANS Korea 2013||Nov 11 - 16|
|Military Exports & Compliance Asia||Nov 12 - 14|
|NCT: Counter IED Asia, 12 - 15 November 2013, Bangkok||Nov 12 - 15|
|School Safety Symposium||Nov 13 - 13|
|Southwest Microwave Perimeter Defense Seminar||Nov 13 - 13|
|OWASP AppSec USA 2013||Nov 18 - 21|
|GovSec West Conference & Expo 2013||Nov 19 - 20|
|Southwest Microwave Perimeter Defense Seminar||Nov 19 - 19|
|Oracle 7th Annual Federal Forum||Nov 20 - 20|
|World BORDERPOL Congress||Dec 3 - 4|
|Critical Infrastructure Protection and Resilience Europe||Feb 12 - 13|