Does CBP’s Tombe expect too much from the cloud?

Wolf Tombe, Customs and Border Protection (Photo: Flickr/GTRA)

Readers critical of CBP CTO Wolf Tombe suggested he was overly demanding of cloud service providers.

Readers were divided over comments made by Customs and Border Protection CTO Wolf Tombe in a Jan. 29 FCW article headlined “Moving to the cloud? Learn from CBP’s mistakes.” To some readers, Tombe came off as overly demanding of cloud service providers, while others said his comments should be a “must read” for federal CIOs.

One reader wrote:

“Tombe said agencies should demand 99.999 percent -- sometimes called the five nines -- and should subsequently demand not to pay extra for it. Really??? How does that work? Each "9" is an order of magnitude more effort to deliver, and that entails additional cost. Someone's gotta pay for it. Why not just demand ten 9s?”

Another said:

“Demand commercial pricing and then demand additional services that commercial pricing doesn't include and then refuse to pay for it and then test it out in 'small' programs that are just trying to get their work done since nobody cares about them if they fail. Pretty much sums up cloud-first, huh?”

Frank Konkel responds:

I think Tombe’s comments are hardened from experience. Clearly, he and the agency at large were unhappy with one of its initial forays to the cloud – a botched email-as-a-service effort that the agency is still feeling repercussions from.

This isn’t someone saying you should start small in “low profile, low visibility” projects because larger enterprise efforts don’t belong in the cloud; this is someone saying start small and fail fast because practice makes perfect. The mission is still affected if a small program gets botched, but it’s affected a lot more when a large service like email goes down. Guaranteed, if CBP could have a do-over on a few of its troubled cloud efforts, it would take one faster than you can say “infrastructure-as-a-service.”

As for Tombe’s request for 99.999 percent availability without paying extra for it, I believe Tombe is saying that the five-nines of availability are a standard. Reliability is an important factor when considering any kind of cloud service, so it should be part of an organization’s business case. To me, Tombe is saying federal agencies should request what has become standard without paying extra money for it. In a competitive market, his statements – especially for cash-strapped agencies – make sense to me.

Posted by Frank Konkel on Feb 11, 2014 at 6:27 AM


Reader comments

Thu, Feb 13, 2014 Linda Y. Cureton United States

I do agree w/ OccupyIT that the blind request for 5 9s is unrealistic. The real issue is that CIOs just don't know what to ask for. Email has been "best effort" by design. To ask for 5 9s is clearly prohibitively expensive. What we really need is to be better informed consumers of IT. But we are still stuck on old models where we ran data centers and applied terms and conditions to motivate specific behaviors from hardware providers. Times have changed. IT executives need to change too.

Wed, Feb 12, 2014 OccupyIT

Make up your mind. Is he just stating the obvious, "federal agencies should request what has become standard", or not? He certainly is saying 'ask for more'. Why is the only thing taken out of agile 'fail fast' as if the failing part is what's key? Let's start at the basic principle that you do the simplest thing first and run with it until it proves insufficient. Five 9s is NOT industry standard for small applications of the type mentioned for pilots (unless you don't include scheduled downtime, only during working hours, not including outages by FedRAMP IaaS vendors like Microsoft Azure and Google, etc.) - this is less than 5 minutes off-line per year - without a lot of redundancy most applications don't need to afford. I've seen blind requests for five nines coupled with 24 hour backup cycles?!? If you can lose a day's work then you don't need five nines. When push comes to shove the real requirement is probably on the order of three nines at the application level. Don't confuse network uptime with application uptime. That's just CIO jousting. Bottom line is not to defend poor performance but rather to stop throwing out blanket generalities (cloud-first, five nines is minimum, don't pay for non-typical requirements, etc.) just confuses buyers and adds misinformation to an already poor procurement environment. Hire people that do good work and stick with people that are supporting you. Ask yourself why more email cloud migrations have failed after being the nirvana of CIOs? I love the way 'industry standard' is the way to go until 'industry standard' doesn't work based on our additional glommed on 'requirements' and it becomes 'industry's fault'. Perhaps there really is no one at the dance that meets your unrealistic requirements for a future spouse. Keep asking new partners until you find Cinderella...
