How Government's Driving Cloud Computing Ahead

Cloud computing may still be emerging as an IT delivery model, but U.S. government agencies are forging ahead with plans to adopt cloud services or build their own. The attitude among government technology decision makers seems to be that the benefits outweigh the risks and that the risks can be mitigated with planning and careful implementation.

With a nudge from federal CIO Vivek Kundra -- Kundra was an early adopter of Google Apps when he was CTO for the District of Columbia -- a growing number of federal agencies are plugging into the cloud. The Defense Information Systems Agency (DISA), for example, is well along in building an internal cloud in its data centers. And NASA's Ames Research Center recently launched a cloud computing environment called Nebula.

At the same time, government technology planners are working to ensure that the rollouts go smoothly. The National Institute of Standards and Technology has drafted a definition of cloud computing to keep implementers on the right track. And the General Services Administration has issued an RFI to cloud service and platform providers, in an effort to scope out the market in advance of demand.

At the Federal IT On A Budget Forum in Washington in May, speakers from the Army, DISA, GSA, NASA, NIST, and the departments of Defense, Energy, and Interior hashed through many of the problems they face as their organizations adopt, or contemplate adopting, cloud platforms and services. Security, compliance with federal regulations, interoperability, and IT skills development all came up as issues still to be resolved.

Yet a can-do mind-set has government technology managers sounding like it's a matter of when, not if, they'll overcome those hurdles and implement cloud services. "You're seeing adoption in some places you never would have expected," says Henry Sienkiewicz, technical program director with DISA's Computing Services Division.

DISA, which provides IT services to the military branches of the Defense Department, is among the most progressive of the early movers, with a strategy for implementing infrastructure as a service, platform as a service, and software as a service. As part of that effort, DISA's building an internal cloud, called Rapid Access Computing Environment, that will let its clients access data center resources from a self-service portal with a drop-down menu of virtualized IT services. Among the benefits it hopes to achieve are lower IT costs, pay-per-use accounting, accelerated deployment of mainframe-class systems, data center standardization, and flexibility in scaling up and down.

Sienkiewicz expresses optimism that DISA will be able to work through the inevitable challenges. In the area of cloud security, he cites recent "breakthroughs" in user access and control. For example, DISA is adopting a model in which "tenant" applications must comply with a standardized hosting environment, thereby inheriting the access controls of the host. On the question of interoperability, APIs will be the answer--though Sienkiewicz admits he's not sure how that interoperable environment is going to be built. "We don't know who's going to define it, but we're not going to allow vendor lock-in," he says.

Government IT managers and cloud computing vendors have huddled several times over the past few months in early attempts to define standards and specifications. As is always the case with such industry efforts, the standards process takes time. The trick for DISA and other cloud computing implementers is to develop service architectures that won't require an overhaul in the future based on specs yet to be defined. The way some are doing that is by building on tech platforms that seem well positioned now: VMware's vSphere and the open source Eucalyptus software, for example.

There's a level of bureaucracy, to be sure, in getting a new model embraced by government. But private sector adopters might take interest in what the government is producing, given the debate over definitions that seems to pop up whenever cloud computing gets discussed. NIST's definition of cloud computing, now in its 14th draft, serves as a starting point for government agencies. The document describes five "essential characteristics" of the cloud, three delivery models, and four deployment models (see below). "These definitions, attributes, and characteristics will evolve and change over time," write authors Peter Mell and Tim Grance, with NIST's IT Laboratory.

NIST has been working with other government agencies, including the GSA, and tech vendors in coming up with its cloud definition. NIST's definition--all 677 words of it, posted at informationweek.com/1235/nist--is more comprehensive than some of the ad hoc attempts floating around the industry, articulating the difference between platform as a service and infrastructure as a service, and describing "community clouds" that are shared by organizations with common interests. "We're scientists, and we weren't content with fuzzy definitions that encompassed anything and everything," Mell says. "We took a taxonomical approach to it that was not always common in definitions."

Cloud, Defined

"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Data: National Institute of Standards and Technology, draft definition, version 14