Cloud: Getting beyond the cost conversation

When FCW convened cloud leaders from across the government on Aug. 23, their opinions varied when it came to security, government/industry relationships and the best ways to approach migrations from traditional data centers to the cloud. However, there was one area of overwhelming consensus: The savings-driven sales pitch that has dominated the conversation since "cloud first" became official policy misses the bigger picture, and in some ways, it is hindering the government's ability to take full advantage of cloud services.

The discussion was on the record but not for individual attribution (see box below for a list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

Stop talking about cost savings

Cloud services can certainly cost less than legacy data centers, the participants said, but migrations cost real and identifiable money, and the saving can be hard to quantify.

"I think cloud was sold wrong, to be honest, when it first came out," one CIO said. Although the sales pitch was all about saving money, "it changes the proposition from being some cost over time to maintain a system that you put in place versus…operational cost."

That budget flexibility, along with other benefits, is far more important than the exact cost per server hour, several participants said. One went so far as to argue that the balance sheet-focused, return-on-investment mindset does not even make sense for a federal agency.

"That's not what we're here for," the executive said. "We're here for providing service to the American public. That is what we should be talking about. I think the idea of going to the cloud is really about how do we most effectively get technological services deployed, which actually should be needed to solve the problems that should be solved. That's the way to sell it."

Security: Cloud can (mostly) do it better

Participants also took issue with long-standing objections that cloud services are not secure enough for sensitive government work. Many agency officials have come around to the view that the cloud can offer comparable security to legacy on-premises systems, but few fully appreciate how much more secure and resilient a cloud service can be.

That perception is largely due to scale and staffing. "I like the cloud because it gives me architectural agility so that if we need to change, we can," one executive said. "But I also believe that my cloud service provider is hiring people I couldn't possibly hire with the salaries they can pay."

Another recalled an independent assessment of his agency's in-house security operations, which "found that our own security teams weren't actually doing what they were signing off on."

"I have no doubt [the Defense Department] can do it on their own," that executive said, but for smaller agencies, relying on cloud service providers results in far better visibility into "what's going on outside our network, what's talking back, what's calling home and what's coming in that needs to be stopped than if we did it ourselves."

Other participants argued that cloud security is that happy rarity where market incentives align almost perfectly with government needs. "The consequences of an [Amazon] or a Microsoft or a Google having a breach of the government's data is a huge hit on their market share," one said. "I'm not going to say that market alignment is going to solve all the problems, but I'm saying in this instance we have a rare case where our vendors are aligned existentially with us on this."

That view was not universally held, however. Several participants said that although the large-scale cloud infrastructure providers have security well covered, the situation is much more uneven in the exploding universe of software-as-a-service offerings. One recounted a SaaS provider that had 150 known problems with meeting various federal security controls.

"We're a little hesitant in putting anything sensitive in that environment," the executive quipped.

Others agreed that SaaS providers were still evolving toward government-grade security. "We're all about SaaS as the way of the future," one CIO said, "but we had to evaluate certain things, and say, 'Our agency will not use a certain SaaS application until it reaches that mark.'"

As efforts such as the Federal Risk and Authorization Management Program's Tailored initiative attempt to address SaaS challenges, there was general consensus among participants that agencies must do a better job of determining what controls really matter.

"I would bet that most of us can't [say], 'Those are the controls that matter most for my data or for my environment,'" one participant said.

Another added that agencies should start sharing their control sets through FedRAMP rather than simply sharing the authority to operate. That approach would enable agencies to make smarter choices about existing ATOs and better answer questions their inspectors general pose about cloud security.

Even though security controls and service-level agreements continue to improve, the group said, it's critical for agencies to understand and embrace their own security obligations.

"As my mission partners move their applications into those environments, we are still responsible for ensuring the applications meet all the security requirements necessary for our data," one executive said. "There's this fire-and-forget mentality that some people have. 'Oh, I'm going to move my stuff to the cloud, and I'm done.' It doesn't work like that."

Are infrastructure and services inherently governmental functions?

Several participants said the question of who is responsible for which security obligations is part of a larger debate about just how much IT agencies should own.

"I'm spending my money on the wrong things," one executive said. "If I own all this hardware, I'm spending my time on operational thinking, making sure that stuff is up and running."

It's nearly impossible for IT leaders to think strategically and be a true mission partner "if you own stuff," he added. "If you own the hardware, if you're running the data center — I would even argue if you were running [infrastructure as a service] — you can't divorce yourself from that."

Multiple participants said that by taking away much of the responsibility for operations, cloud technology enables them to work on the right problems.

"We need to get back to remembering why we are here," one executive said. "As a government organization, we are not here to replicate what commercial industry can do — and frankly can do better. We need to get back to the premise of we're here to deliver services to citizens."

A data center "has no inherent value to the citizen," the executive added, "so why are we doing it when there's a model that's better?"

Dedicated government data centers made sense at one time, another noted. From the 1960s until fairly recently, he said, "what the government wanted did not necessarily exist in a commercial sector. There are still some things that we have to do, but I think the time has passed for us to build and run our own data centers."

Others said that even for high-level innovation, industry cloud services can bring scale and intellectual capital with which agencies simply cannot compete. Even the intelligence community is struggling to attract the talent needed for artificial intelligence work, one participant said. The only practical way to get the necessary machine learning algorithms might be to buy them via cloud platform solutions, he added.

Yet although no one at the table argued that basic storage and computing power were inherently governmental functions, several rejected the all-or-nothing approach.

"If it is core to what your agency does, do it in-house," one said. "You get no credit for buying a data center or for running a perfect platform. You do get credit for doing your mission correctly. If cloud-powered machine learning is something that is going to address your mission, do that in-house. These are domain-specific things."

Another participant said the best approach might be to focus on building in-house expertise at the policy and program management levels.

"You need to have enough technical expertise to oversee what the contractors are doing," the official said, before again stressing that the emphasis should be on the mission-specific aspects. "For machine learning, I would love to have people on staff who understand the data enough to apply it to the algorithm but who are not doing the guaranteeing of the servers to have elasticity to do the processing."

"So much of this exists already in the public domain," another official said. "As a contractor makes this a case to deliver, we can actually worry about the important stuff, which is the mission itself."

Is SaaS the answer?

Although the security concerns for today's SaaS offerings are significant, most roundtable participants agreed that big cloud benefits will come as agencies move beyond basic infrastructure to SaaS and platform-as-a-service solutions.

The shared-services possibilities are too tantalizing to ignore, they said. One participant cited human resource systems and desktop-as-a-service as the two low-hanging fruits that should be aggressively pursued as governmentwide offerings.

"DOD alone, back in 2015, was spending $11.5 billion on just HR IT," the official said. "It's a big problem, but I'm pretty sure we could do it for less than $11.5 billion for the entire government."

"We recognize that not everybody's the same," said another participant who has been spending significant time addressing the shared-services question. "But really, helping agencies get out of the business of building, supporting and updating these commodity workloads is one of the great opportunities for SaaS."

"There's more and more of a demand for SaaS," another executive said, "and specifically on the commodity side" — not just HR, but also office automation, communications and collaboration tools. Yet another said mission partners are demanding specific SaaS solutions as well.

"More and more I get the call, every Friday at 5:00, that says, 'Hey, my boss says I need to move to' — pick a platform — 'by next Friday," the official said, to laughter around the room. "That's usually the way it happens."

The real ROI

Significant savings can be realized in a single cloud migration, but most roundtable participants said the real value comes from the sharing that cloud technology makes possible.

On the security front, for example, FedRAMP authorizations have been reused more than 500 times to date. Because it can cost an agency $250,000 to go through an ATO process from start to finish, using existing authorizations translates into "a cost avoidance of approximately $130 million across the federal government, which is about a 221 percent return on investment," one participant said.

There's also the benefit of borrowing from others who've already made, then fixed, cloud mistakes. "I want to use somebody else who's already learned how to build a house wrong," one participant said, "and then we learn from that."

Broader budget benefits can come from proving that IT can effectively modernize. By embracing cloud, one participant reported reducing the share of IT spending devoted to operations and maintenance from 85 percent to less than 50 percent. Now, even though the agency faces budget cuts in fiscal 2018, agency leaders decided "the one thing that's not going to get cut is IT," that official said.

But the biggest benefit, the group agreed, lies in facilitating entirely new ways of delivering on agencies' missions. As one participant put it, "The real prize is innovation and transformation that would be impossible to do inside the infrastructure that exists today."

Several officials said information sharing is increasingly essential, and practically speaking, it can only happen in the cloud. "How many of us have disparate datasets in our own agency, let alone across agencies?" one official asked. "And how many problems we face today in the United States are in the domain of just one department?"

"It doesn't have to be the same platform," another participant said, but it does have to start with cloud infrastructure. "It must at least be out there where it can be used and leveraged and processed so the machine can make sense of it and so humans can make sense of it. Speed is nice, resiliency is nice, but if we're actually going to ever start working as one government, then we have to find better ways to share."

Cloud technology alone can't do that, the group agreed, but it can begin to make such changes possible.

As one official summed it up, "What cloud gives us is the ability to work on the problems that our agency really wants us to work on."