Can PaaS carve out its place in the federal cloud?

Shutterstock image: cloud infrastructure.

Platform as a service promises significant savings of both time and money. The biggest names in cloud computing all offer PaaS solutions — as do countless providers that specialize in everything from mapping to content management to mobile app development. A few offerings already comply with the Federal Risk and Authorization Management Program, and a 2013 survey of federal IT professionals found that 95 percent believed their agency would benefit from migrating to PaaS.

So why is PaaS still mysterious to so many?

Partly it’s been a matter of structure and security. Many of the most popular early PaaS solutions, such as Heroku and Engine Yard, were available only in the public cloud, limiting their practical appeal for most federal agencies. Today, however, a wide array of PaaS providers offer private enterprise versions, while Pivotal’s Cloud Foundry and Red Hat’s OpenShift also come in downloadable, open-source versions that can be hosted locally or in a user’s own cloud.

The key question: What do you control?

The lines between different categories of cloud services can be blurry, but here’s how the National Institute of Standards and Technology defines SaaS, PaaS and IaaS:

Software as a service (SaaS)
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Source: NIST Special Publication 800-145

A more significant challenge, however, might be pinning down what qualifies as PaaS. While software as a service (SaaS) is now a familiar concept and the paired pressures of FedRAMP and data center consolidation have put infrastructure as a service (IaaS) on most agencies’ radar, PaaS remains something of the muddle in the middle — more easily defined by what it isn’t than what it is.

The National Institute of Standards and Technology has detailed the differences between PaaS and its sibling services (see below), but it boils down to this: In addition to virtualized and easily scalable hardware, PaaS provides a ready-to-use suite of code libraries, change-management tools and other application-building resources that the provider installs and maintains.

That toolkit, combined with the convenience of not having to install and tune the core software stack, promises to slash deployment times and clear the way for more agile and API-driven development.

Federal Communications Commission CIO David Bray said PaaS lets agencies “ideally begin to build up this library of reusable modules, much like a quilt,” so that functions such as user authentication or map-based data visualization can be built once and then used by many different systems. “Then in the future, if Congress...or the president asks us to do something, it’s not a matter of building a system from scratch.”

The FCC is actively moving toward PaaS, Bray said. Once the agency shifts its servers offsite in December and January, the next step will be to move its data into a common data platform. And from there, he said, “we will use our [PaaS] to have that catalog of different modules.”

The FCC is not alone. “There are some early adopters scattered throughout government,” Bray said, particularly in the Defense Department and the intelligence community. However, PaaS remains aspirational for many agencies. In the 2013 survey (a Red Hat-sponsored MeriTalk study) that showed overwhelming belief in the benefits of PaaS, just 12 percent of respondents said they were already using it. And although 71 percent said they were at least considering a transition to PaaS, a recent search of FedBizOpps found just one solicitation in the past year that explicitly called for PaaS.

Other IT leaders said the slow embrace likely reflects uncertainty — not about PaaS’ potential benefits but about most agencies’ specific needs and the type of developer skills that will be available.

Compared to IaaS, “PaaS has a greater degree of ease and efficiency, but it also comes with a significant loss of freedom,” one agency’s senior developer said. “The needs [can be] so diverse that paying for and committing to a platform as a service doesn’t make a lot of sense right now.”

A year to 18 months down the road, “once things settle down a bit,” the developer added, “that’s when we would commit to PaaS.”

And even when an agency is prepared to zero in on a particular platform, there’s still the small matter of payment. With the operation and maintenance of legacy systems consuming 70 percent or more of agency IT budgets, there’s precious little money available to try something new — particularly when a PaaS investment cannot be directly tied to a mission system.

“That’s why we have to make the case to Congress for the initial investment” in PaaS, the FCC’s Bray said. “We need that little bit of breathing room so that we get out of the existing legacy model. Otherwise, the legacy model is just going to get more and more expensive.”

About the Author

Troy K. Schneider is the Editor-in-Chief of both FCW and GCN, two of the oldest and most influential publications in public-sector IT. Both publications (originally known as Federal Computer Week and Government Computer News, respectively) are owned by GovExec. Mr. Schneider also serves GovExec's General Manager for Government Technology Brands.

Mr. Schneider previously served as New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company, where he oversaw the online operations of The Atlantic Monthly, National Journal, The Hotline and The Almanac of American Politics, among other publications. The founding editor of NationalJournal.com, Mr. Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, Governing, and many of the other titles listed above.

Mr. Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.


  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Congratulations to the 2021 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

Stay Connected