Cloud computing’s benefits outweigh the risks associated with moving data and applications to the cloud, panelists said at the Cloud Computing Caucus Advisory Group meeting this week.
Cultural hurdles and practical concerns about making the transition from legacy systems to cloud computing continue to prevent more rapid adoption of cloud computing initiatives, and Federal agencies still spend an estimated 80 percent of IT funding to support legacy systems. But agencies that move to the cloud have seen financial benefits.
“One of the most important advantages I’ve found is automation. You can do so much more automation in the cloud, and that has saved us a lot,” said Roopangi Kadakia, web services executive at the National Aeronautics and Space Administration (NASA). “Just think about it. Everything that somebody was doing manually, now you can automate it, especially things like patching and updates.”
Moving just 30 percent of the agency’s public data to the cloud would represent a financial windfall, Kadakia said. “I think I can save a lot of money for NASA, especially since we have such a big public data presence,” she said.
In addition to saving money, cloud computing can help improve security, panelists said.
“If the solution is architected properly for the cloud, it will provide a more secure platform,” said Tom Sasala, chief technology officer at the U.S. Army Information Technology Agency.
The National Institute of Standards and Technology (NIST) plans to help agencies do that this year, said NIST Chief Cybersecurity Advisor Donna Dodson. The agency will complete its framework so agencies understand the security reference architecture they need to support cloud computing initiatives.
“I think that uniformity that you can get from a cloud-based security environment really gives you tremendous opportunities,” Dodson said. “But you still have to do your homework on your data and the protections it needs. It goes back to planning and execution – understanding your data and understanding how and what you need to protect it.”
Moving to the cloud helped NASA expose – and fix – potential security vulnerabilities, Kadakia said.
“What we’ve been able to do is find some of those deep-down vulnerabilities that people were not able to find in the past,” she said. “Moving to the cloud has been great. The transparency has really helped us become more secure.”
Agencies still struggle to overcome cultural hurdles.
“You really don’t know where your data is at any given moment, and that’s a cultural change … especially [for] the Department of Defense,” Sasala said. “You literally have people who, if they don’t see the blinking light every day, they’re assured, they believe in their soul, that their data has been trucked away to some foreign land.”
Kadakia, who moved 160 applications to public clouds over the past two years, won over her NASA colleagues by convincing them that information in the cloud would be secure and easily accessible. Striking that balance between security and control – giving engineers autonomy over their data – sold them on the cloud.
“They have given us so many kudos because of that balance between autonomy and governance,” Kadakia said. “So now they are our biggest advocates when it comes to showing others how they can partner with the CIO office and do the right thing. I think that’s one of the biggest things on how to get away from everybody wanting to hug those servers. If you can show value – and the value is not going to be ‘you give me the data, and I’ll take care of it.’ It’s really partnering with your stakeholders and making sure that you can show them how they will benefit, whether it’s from a cost reduction perspective, an agility perspective…and from a risk management perspective.”
Views on FedRAMP
Panelists also praised the work of the Federal Risk and Authorization Management Program (FedRAMP), the Federal government’s cloud security program.
FedRAMP has saved NASA “a lot of money” by preventing the agency from having to do its own risk assessments, Kadakia said.
Looking ahead, Kadakia said she hopes FedRAMP develops a risk assessment program for more commercially available software and mobile apps that agencies want to use – like collaboration and file sharing tools.
Sasala said Federal agencies would benefit from better assessment of cloud service providers (CSPs) so agencies have “more quantifiable evidence that [CSPs] are meeting the requirements,” he said. “Trust but verify. Okay, I got it. You’re FedRAMP certified, but really prove it to me. Somehow.”
Members of Congress Attend
Three members of Congress attended the Cloud Computing Caucus Advisory Group meeting – Reps. Gerry Connolly (D-Virginia), Ted Lieu (D-California), and Mark Walker (R-North Carolina). Rep. Connolly is a founding member of the Cloud Computing Caucus and serves as co-chair of the Cloud Computing Caucus Advisory Group along with Reps. Walker and Lieu.