NIST cloud roadmap: Too much too fast?

The new cloud computing roadmap designed to help federal agencies accelerate their cloud adoption could inspire agencies to do too much, too fast, warns an analyst.

The National Institute of Standards and Technology released the two-volume roadmap on Nov. 1. It lays out guidelines on how the federal government and private sector can best implement cloud computing. Although the roadmap is a “good, solid structure,” agencies still have their own legacy needs, technology limits and budget concerns to deal with, said Shawn McCarthy, a research director at IDC Government Insights and a contributor to Government Computer News’ Internaut column.

“It’s very important to continue urging agencies toward an enterprise architectures standard or as close to that as you can,” he said. “But every agency is going to have to proceed at its own pace, and it’s unlikely that anyone will be able to comply with every piece of it because of their own unique limits.”

Related story:

The actual migration to the cloud could be an easy, quick process, but when factoring in security requirements and the service level an agency might need, investment in time eventually pays off, McCarthy said. 

“Can you get some things in the cloud quickly? Yes. Is that the way to do it? Not necessarily,” he said. “It’s not exactly a checklist but people could view it like one: Have I looked at low- and high-priority security requirements? Do I understand how my data could be affected? Should I go in a cloud direction? Do I understand the requirements to collaborate with other agencies if I were to do this and share data?”

Agencies looking to follow the suggested guidelines should first pinpoint which services they need and which workload they should migrate, said Norm Laudermilch, federal chief operating officer at Terremark, a subsidiary of Verizon. Cost is another obvious element to consider: When the federal government decided to move USA.gov to the cloud, it first compared the costs of running the website internally with the expenses of outsourcing it, he explained.

Although a growing number of companies are planning on getting in on the cloud market, not everyone will be able to provide the security the proposed standards call for, Laudermilch said.

“The security requirements are going to be all about the physical facilities that these cloud pods reside in, and very few cloud providers can meet those requirements,” he said. “It will help the government tremendously in their vendor selection process.”

In the midst of a continuous cyber blitzkrieg on the public sector, federal agencies are concerned about security more than everything, Laudermilch added. The first question federal agencies typically ask is how secure is the cloud, not “how fast does [the migration] go or how much does it cost or how big can it get,” he said. 

“We see federal agencies that say, ‘we’re not convinced to move to the cloud yet; you have to prove to us how secure it is,’” Laudermilch said. “That’s where the recertification and meeting all the audit criteria come into play for us. We see a very, very high level of diligence in security.”