Whose cloud is it anyway? Without a doubt, cloud computing has entered into the peak on the vaunted hype cycle. Vendors are touting the virtues of their clouds as the calls of “come to our cloud” echo through the social media sphere and even old fashioned media streams. I even have dreams – more like nightmares – wherein a late night infomercial host spouts with a very assertive voice; “come to our cloud – it slices, it dices, it blends, automates, and even manages!” Although these clouds no doubt add value and have a role to play in the ecosystem of cloud service providers, a major question remains: Which cloud is right for your agency?

Not all clouds are created equal. Clouds are built to address the common requirements of their intended user community. Security and service levels need to be carefully considered. The following figure depicts an evolving strategy and model for Federal cloud adoption. At one end of the spectrum [A], security requirements and service levels are relatively low. Such an environment is conducive to public facing workloads. Although still substantial, security requirements for public data are considerably less than other data types. Service levels, such as availability, hover at only three nines (e.g., 99.9%).

uploads_user/11000/10663/Federal_Cloud_Model.pdf

At the other end of the spectrum, both security and service level requirements are extremely high [C], demanding the strictest confidentiality, integrity, availability, and service level performance (e.g. 99.999%). Examples might include applications and data that directly support national security, defense, transportation, or other critical infrastructure missions. Generally, such stringent requirements are best met by a private cloud approach. A private cloud gives agencies total control over the configuration, management, compliance, and security services necessary to ensure the high performance of mission critical applications and associated level of security assurance.

Between these two lay sensitive but unclassified workloads [B] such as core financials, human resources, procurement, and other application services involving personally identifiable information (PII). Its security and service level requirements are higher than public-facing services but somewhat less than truly mission critical workloads. Architectures built to support FIPS-199 moderate or high levels are usually sufficient. Since these workloads tend to be common and commoditized, external cloud service providers such as the Federal Shared Services Centers, commercial shared services providers, or internal agency-wide service providers are options.

Security and service levels, therefore, are driving the formation of “communities” of members with shared requirements. A hybrid cloud model is taking shape along these lines. Federal agencies with private clouds need control over monitoring, management, and mobility, which requires an open standards API-based framework. Moreover, the ability to maintain compliance efficiently within a holistic incident detection and response capability is necessary. In this manner, Federal agencies will gain the considerable value cloud has to offer and avoid the pitfall of “cloud silos.” The ability to secure, manage, and control the cloud environment from one central location with modern management frameworks becomes imperative in the hybrid cloud model. Based on their dynamic nature, clouds require a new level of control and management that helps orchestrate and protect themselves. But this is only the beginning. The real mission value becomes evident when services support end user communities of interest.

And this brings us back to where we started. Which cloud is right for your agency? It’s not one cloud at all. Rather, it’s a hybrid cloud that consists of multiple clouds – private, virtual private, and public – to meet the varied requirements of your agency. These clouds are tied together and controlled from within your private cloud, but still have the flexibility for you to choose which workloads you want to run and where you want to run them. Your cloud is a flexible, agile hybrid cloud that you control.