Given the guidance from our Federal CIO in the recently published Federal Cloud Computing Strategy, Federal agencies must examine cloud computing for reasons of IT agility and overall cost savings and embrace the Cloud-First policy. This policy, along with other initiatives in Industry (e.g. Cloud Security Alliance) and Government (e.g. FedRamp) will hopefully help crush the notion that cloud computing is too risky. While the risks associated with clouds still persist for certain classes of workloads, clouds also present a very viable and secure alternative for delivering and consuming many IT applications and services.
About a year ago, there were lots of nay-sayers in the Industry and Government who pointed out plenty of impediments to enterprise adoption of cloud computing. Having spent the last decade in the Public Sector, serving the needs of Federal CIOs and addressing their day to day challenges to manage and deliver IT services, I was, in hind-sight, perhaps one of those nay-sayers. I felt it was my fiduciary responsibility to point out the pitfalls of general purpose public clouds for mission critical agency data. Key issues with cloud computing I pointed out that resonated the most with my clients include:
- Inability to conveniently migrate enterprise apps into a cloud
- Vendor lock in – Most cloud service providers use proprietary development environments that make it almost impossible to move your application or data out of a particular cloud
- Lack of transparency and control – No visibility into where my data is, who has seen it, who can touch it, and with virtually no control over that portion of the cloud that is rendering services to me
- Difficulty of managing cloud applications and the underlying infrastructure
- Lack of SLAs – I equated this to getting best-effort “consumer-grade” service, rather than “enterprise-class” services that most of my clients demand
- Risk – Inability to identify and manage legal or regulatory risks that impact the mission or business objectives
- Lack of measurable cost advantage for cloud computing
Any one of these issues became reason enough for a CIO to justify keeping the IT environment of an Agency or an Enterprise exactly the way it has always been; over-provisioned, under-utilized, dedicated, unable to scale, and most importantly, expensive.
While it is arguable that many of these impediments still persist, I have come to realize one thing; that migration to cloud computing is a marathon, and not a sprint, and we must get up and go and begin taking the steps on this journey. The promise of cloud computing is too great for enterprises to wait till all these impediments are fully addressed and the companion risks fully addressed.
At the end of the day, the pace of cloud traction will be driven by our perception of risk to embrace cloud computing. Just like a person living in Cleveland elects not to buy earthquake insurance because the risk of an earthquake in Ohio is very low, CIOs and CTOs of enterprises need to assess the risk of placing appropriate workloads into clouds and make pragmatic decisions that deliver value to their enterprise. Rather than eliminating the risk, we must pragmatically identify the risks and manage them.
Often, enterprise CIOs and CISOs underestimate the risks associated with their current IT environment while exaggerating the risks of something new, like Clouds. There is also a tendency to treat all risks like the very worst scenario. For example, requirement of a single application that demands onsite storage with heavy security controls should not result in a general conclusion that cloud computing is too risky for all applications or systems. CIOs must take caution not to make such broad assessments, but rather make decisions based on performing risk assessment of specific workloads that are being considered for clouds. What they will find is that each enterprise workload has a unique risk profile and its own set of corresponding mitigation strategies that allow the CIO to decide if a particular application or service is a good candidate for a cloud environment.
So, CIOs should embrace the cloud-first approach and get ready for the Enterprise of the Future. The Enterprise of the future will be simple, scalable, secure, and sustainable, delivering IT performance and efficiencies that Federal agencies require. It will span private virtualized environments, and community and public clouds, with agility and security that enables workload portability. And, it will be deployed in phases to strategically manage transformational change that enables agencies to procure, consume, and deliver IT as services for enduring value.