Eddie Cochran sang that there are three steps to heaven but it seems it takes a couple more to get to the cloud. Federal agencies have been on this journey to the cloud for eight years now; some are further along than others. The cloud is not a one-size fits all solution, and, as such, the government is looking to invest in two or three cloud models to support the differing security and risk-tolerance postures of agencies and to leverage various shared services, according to the President’s IT Modernization Report.

The Office of Management and Budget (OMB) and the General Services Administration (GSA) are in the process of conducting a data call requesting that agencies identify systems that may be ready for cloud migration, and can be migrated securely, but have not yet done so due to perceived or encountered difficulties. After this data call, OMB and GSA will review the impediments to moving to the cloud outlined by agencies and will prioritize an infusion of technical talent, capital, and updated security policies as needed to enable prioritized cloud migrations.

To get a better sense of how lessons learned from agencies transitioning to the cloud can be translated into best practices for other agencies, MeriTalk spoke with Maria Roat, Chief Information Officer of The Small Business Administration and industry experts from CSRA, Veritas, and VMware.

“As agencies migrate on-premises data and workloads to the cloud, they face major challenges including visualizing their data, migrating data in a simple and cost-effective manner, as well as protecting workloads in the cloud, on-premises, and in complex hybrid environments,” said Themis Tzamarias, senior manager of system engineering with Veritas.

“They need 360-degree visibility, so they can truly understand the data they have, how to classify it, what to keep, and how to protect it,” Tzamarias noted.

Here are five best practices agencies embarking on a cloud transition, and those embroiled in that transformation, can apply for smoother results and deployment, according to experts:

Develop a Cloud Strategy or Plan: The cloud is just another delivery model that offers better scalability than systems in a legacy data center. So, it is a transformation shift of a delivery model. Anytime an organization does any type of change, there must be a plan or strategy, said Neil Kronimus, director of digital adoption with CSRA.

“I tell everyone to start off with a plan or strategy moving forward. There is the Cloud-First mandate issued by the government. But you shouldn’t do cloud for cloud’s sake,” Kronimus said. “A lot of times we have seen clients move to the cloud and it costs them more than to keep them in their legacy datacenter because they did not plan properly. With the planned strategy, they must ask what systems are they moving to the cloud? Why are they moving? And what do they hope to gain? It is not always about cost. More often, the move is about scalability and delivering better services to their customers as well as having better visibility into how much they are spending on server and data storage usage.”

Do a Full Assessment of Your IT/Datacenter Environment: The need to move away from dated, aging infrastructure is driving the Small Business Administration’s move to the cloud, said Maria Roat, the agency’s CIO.

“One of things I was not going to do was a lift and shift to the cloud. I wanted to understand what we owned, what we were operating, and what things would take advantage of the cloud and its capabilities,” Roat said. “That led to a full assessment of the applications and systems running in SBA’s datacenter. Anything that was old was upgraded. Software was upgraded to current platforms.”

This set up SBA to transition to the cloud, so Roat’s team developed a cloud architecture. SBA already had a license for Microsoft’s Azure cloud as part of the agency’s enterprise licensing. The next step was to lay out a migration plan. SBA is now doing a full court press to get out of and shut down its primary data center.

Train Staff for the Transition: Training for staff is a big deal, Roat notes. The SBA IT staff didn’t know about cloud environments as they embarked upon the transition. So, staff had to be trained on migration issues, monitoring and managing systems in the cloud, and how to spin up virtual machines. Plus, the information security personnel had to be trained on the Federal Risk and Authorization Management Program (FedRAMP), which accredits all cloud services to ensure they are complying with the required security controls.

Kronimus noted that the move to the cloud needs major sponsorship from senior management because there is always going to be resistance to change. People are worried about losing their jobs. However, just because applications are moving from the datacenter into the cloud doesn’t mean the apps won’t need to be monitored and managed. They will still need to be managed, but from a different interface, Kronimus added. Agencies should start small, looking for low-hanging fruit to move to the cloud such as customer management software or using a software-as-a-service platform, such as Salesforce.com.

Integrate Security Through All Phases: Security is threaded through all of SBA’s cloud transitioning, from assessment to migration to operations. Roat noted that the agency went through the FedRAMP process, but in addition, “we had to overlay applications we were migrating to make sure we had updated accreditation packages.” And SBA managers had to understand what levels of security the agency was responsible for and what security the cloud provider is responsible to maintain.Additionally, agencies transitioning to the cloud should develop a zero-trust environment, said Bill Rowan, vice president of Federal Sales with VMware.

“In an on-premise world, if a user had log on credentials that person was trusted on all various applications,” Rowan said. “In a cloud environment, there is a need to micro-segment a network, so every single app has its own individual set of firewalls, provisioning, and rules, and the need to authenticate every time a user needs to get into an application.”

“So, we ensure that when it is moving around the environment, those credentials are going with it,” Rowan added. “Irrespective of where the application is, unless a person has the right credentials or workgroup or business unit, they are not going to get into the application.”

“The base of any enterprise has to be security, but in government there also needs to be a disciplined approach to compliance,” said Wayne Lewandowski, SVP and General Manager of North American Public Sector with HyTrust. “As agencies consider a cloud or hybrid approach, automating FISMA, FedRamp, and NIST regulations becomes critical. But, compliance should never be confused with being secure. Maintaining the security of the workload and controlling privileged credentials needs to be in the hands of the Agency owner. Regardless of who is hosting the environment, the Agency must be vigilant in ensuring audit and access controls on the privileged users, as well as protecting the data that runs the organization.”

Refine the Way You Operate: Agencies must continue to refine their processes and procedures to reap the benefits of the transition to the cloud, Rowan notes. The cloud changes the way users request applications or seek support for those applications. If resources are not being used, they need to be turned off or shut down, whether users are using private or public clouds.

“If you are not shutting down the application when you are not using it, or logging out completely, you are still getting billed,” Rowan said. “In that, and many other ways, cloud infrastructures are forcing Federal agencies to refine the way they operate.”

So, while it’s more than three steps to the cloud, it’s less than a 12-step process for Federal agencies to beat their legacy system’s addiction–that’s something to sing about.

Read More About