Instead, I think the biggest organizational cloud computing challenge is a larger one than those on this list, one that supersedes all of these and more. That issue is change readiness, the ability of the organization to culturally and operationally adapt to new paradigms for IT management, provisioning, accounting, and trust.

Cloud computing fundamentally is about enabling agility. Cost savings are nice, but of secondary value to an organization (the limit of savings is the IT budget, while the potential top-line gain from increased organizational agility is boundless). Agility results from trusting and enabling users -- IT's constituents -- to self-serve their own changing needs, to dynamically dial up and down and transmute the nature of their consumption, and to enjoy real-time feedback on the cost and value of IT. Agility comes from disintermediation of traditional IT management and stripping stultifying process from between users and the IT services they consume (and increasingly want to directly control).

To deliver agility, IT management (the CIO and his organization) needs to embrace a different role. Disintermediation does not mean they can simply abdicate their ultimate responsibility for the safety and security, capacity and performance, and compliance and accountability of all IT services required by the constituent organization. Instead, they need to provide an IT environment that enables users to manage their own services while ensuring all the above responsibilities are met behind the curtains. This means IT must employ invisible actors to enact policy-constrained processes in real-time, using technologies like dynamic optimizing automation, self-service portals, and catalogs of customizable template services.

IT's new role is a move to higher-level management. The compound cloud in our future will be managed by policy, not by rote process, and new skills and organization structures will be required before we're through. Change can be frightening, even when it is a promotion. Are you ready? Your users are.

Many commercial cloud technology offerings only deal with one narrow slice of the combinatory complexity of applications, platforms, and infrastructure. Though the cloud is still in its infancy, robust heterogeneous cloud management solutions are emerging. Check out www.ca.com/cloud for more.

For further information, please contact Steve Oberlin at: steven.oberlin@ca.com

Posted: January 12, 2010

Further, the IAAS services they acquire should be integrated with a suite of security features that preserves the integrity of the Government's data. This must go beyond simple firewalls and intrusion detection/prevention utilities to more comprehensive capabilities, beginning with the physical security of the site where the Cloud services originate and moving through multi-factor authentication to sophisticated forensics capabilities, including memory forensics, network analysis, end user analytics, and Certification and Accreditation support.

Finally, the performance of the virtual systems created on Cloud resources for Federal missions must be excellent – Federal leaders should ensure that they have access to dedicated resources, rather than sharing resources in an over-subscription service model, while also retaining the ability to surge as needed on a pay-as-you-go basis. Enterprise class, federal dedicated clouds hold the promise of economy, agility, and most important of all, elasticity, at not just the system level, but right down at the individual server's ability to expand and contract according to real-time need. Commercial service providers should be held accountable by informed, inquiring Federal leaders for delivering on that promise.

For further information, please contact Bruce W. Hart at: bhart@terremark.com

Posted: January 15, 2010

Many opportunities in the cloud come from liberating latent value of current IT systems to deliver accurate, actionable information in a secure and reliable manner to points where that information can best be used.

All responsible parties demand assurance of the availability of cloud-based systems. Cloud availability is often superior to that of on-premise systems: the scheduled maintenance alone of many on-premise systems exceeds the total non-availability, from all causes, of an enterprise-grade cloud service. Providers such as salesforce.com and Amazon Web Services operate public Web dashboards reporting all departures from normal operation, however slight, with performance monitoring beyond what's available to most in-house operations.

Cloud security and governability are routinely assumed to be less stringent than that of local systems, but this can not be generalized. There are consumer cloud services designed for easy sharing, and there are enterprise cloud services designed for precise and granular privilege assignment with robust and auditable management.

Security is not a technology, but a combination of culture and process. Actual data loss or security breach in federal systems, as reported each year by the GAO (ref. 2009 report at gao.gov/new.items/d09546.pdf), is most often the result of accidental or deliberate misuse of privileges intentionally assigned to systems' users. Enterprise-grade cloud services offer rigorous separation of duties; world-class security teams, tools and practices; and superior ability to monitor and report the actual time and manner of users' and administrators' actions.

With these issues candidly addressed, IT leaders in federal agencies should proceed with cloud adoption bearing three strong guidelines in mind:

• What works well now should be measured against cloud alternatives, and should be complemented rather than replaced unless the cloud is measurably better.
• What doesn't work well now should never be merely relocated to the cloud, but should rather be re-envisioned in a way that takes maximum advantage of cloud connection capabilities and proven cloud services.
• Detailed analysis, not facile generalization, should be applied to all questions of security, availability and capability. In many cases, cloud offerings are already superior in these respects, and rapidly improving as well -- but in all cases, the solution should be chosen based on the specific need.

For further information, please contact Peter Coffee at: pcoffee@salesforce.com

Posted: January 15, 2010

We at IBM have had significant interest from our clients in deploying fully integrated, easy to deploy, self-service, test and development environments into their organizations. Software test and development is an application area which is typically decentralized. With this, they are attempting to gain first-hand insight into the benefits of cloud computing, and a better understanding of its impact to their organization without making large monetary investment, or a giant leap of faith with a public cloud provider.

For further information, please contact Steven Lebowitz at: lebowits@us.ibm.com

Posted: January 19, 2010

Fortunately, moving to the cloud isn't really starting from scratch. Hosted services, Service Oriented Architectures (SOA) and Web applications have been around for a while, offering us a good foundation for best practices that we can carry into the discussion on cloud security. The same holds true from a standards perspective. We believe that over time standards will emerge based on industry and customer demand - which has often been the case throughout the history of IT. Establishing standards will be a joint-effort between industry and government. We live in a mixed/hybrid IT world and government customers need the freedom to choose the best solutions and locations for their data. Interoperability avoids vendor lock-in and ensures choice and competition.

We should note, too, that datacenters are a key foundation of any organization's approach to cloud computing, and should be built in compliance with the best security and privacy standards that exist today. These standards include International Organization for Standardization (ISO) 27001, FISMA, ITAR, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley Act of 2002 and SAS 70 Type 1 and Type II. All are examples of widely accepted US and International standards today.

The cloud will evolve and mature over time, but we can't stop the innovation while we wait. A good analogy is one from the car industry. There are a lot of important federal safety compliance standards for manufacturers, but there are a lot of "extra" safety measures (ie. additional airbags) that appeal to some consumers at a price. Cloud options will be similar. There will be baselines and there will be extra assurances. Forcing everyone to buy the most feature rich IT system would be cost-restrictive. We need mandatory standards and self-regulation. Brad Smith, Microsoft's General Counsel recently spoke at the Brookings Institution on this very topic, and urged congress to move forward with a "Cloud Computing Advancement Act" to foster innovation, protect consumers and establish rules and regulations around data privacy and security.

For further information, please contact Teresa Carlson via: FutureFed

Posted: January 28, 2010

Furthermore, there's no need for compromising control. Advances in cloud computing platform technology afford IT managers similar control in the cloud to what they have in their own data centers. As IT managers evaluate potential providers and projects they should look specifically provisions for their control not just of provisioning a virtual machine, but of storage, networking, security and critical infrastructure. Cloud computing needs to be more than just a way to save money, it needs to be a better way to run your service.

Posted: February 4, 2010

Federal leadership teams are familiar with actively managing risks to ensure program success. Risk management techniques suggest that for each risk, mitigations and courses of action can be developed and put in place to improve the outcomes for a program. As noted in the contributors' examples above, the marketplace of commercial and Government cloud service offerings is evolving to address commonly perceived risks to make cloud computing capabilities a viable alternative for many Government IT needs. Consequently, the Government decision maker has a group of options that range from wholly commercial cloud services, and Government-run community clouds, to the creation of internal private clouds. Characteristics such as the expected costs, agility, scalability, and an organization's data and system requirements will suggest which path is most appropriate for individual Government programs. MITRE is currently developing a whitepaper to address this decision process in greater depth.

The MITRE cloud blog is a new forum, started in January 2010, to provide a mechanism to effectively connect industry and Government. Each month we ask thought-leaders and market leaders to offer their ideas on cloud topics important to Government decision makers. As a reader of this blog, if you have comments on future questions, or on the answers above, please feel free to email us through the link provided below.

Next month we focus on what Government can do to facilitate the adoption of cloud computing to more effectively provide IT services. Please bookmark us and check back with this site, or subscribe to our MITRE RSS feed above to stay informed on new cloud computing postings.

For further information, please contact Geoff Raines via: cloudbloggers-list@lists.mitre.org

Posted: January 29, 2010