This blog post is an excerpt from our GovLoop guide, Mapping Your Path to the Cloud, which explores tips for deciding if your agency is ready for the cloud, which deployment model to use and how to develop a thorough migration strategy.
There’s no shortage of cloud services and options for how to manage and host them, whether in-house or in a third-party facility.
But even before that’s decided, agencies have to consider which applications can and will move to the cloud.
“It really is about the importance of the system, but that can be hard to determine,”Rob Davies, Executive Vice President of Operations at ViON, an IT Enterprise Solutions Provider.
Here’s why: If you were to solicit employees at any organization and ask about the importance of various applications, everyone will say their application is important. But in reality, there are tiers of importance. For example, let’s say you’re the head of a fee-for-service agency. You have a major mission application that does all your transaction processing of different charges. And you use this system to collect revenues.
That’s probably not the system you’re going to put in the cloud first. That may be the last thing you put in the cloud, or you may not put it in the cloud at all. But then there are other systems and applications, such as public websites, that customers use to interface with your agency and pay their fees.
There are elements of that application you may put in the cloud, but the backend system and user data may be stored on-premise. The key questions cloud buyers should answer when deciding what type of cloud best meets their needs are:
What do you need to manage?
Similar to the earlier example, there are some applications in government that will never move to a cloud environment because they are inherently governmental functions that cannot be performed by a contractor, or agencies aren’t willing to accept the risk associated with moving a particular data set or application to the cloud. Security requirements often dictate the type of cloud that agencies use. For risk-averse agencies, a viable option may be a private cloud, where the cloud infrastructure is provisioned for exclusive use by a single organization. The cloud may also be owned, managed and operated by that organization. Either way, security must be addressed.
What can someone else manage?
If a third-party vendor or another government agency can manage the service, then that creates more options. Rather than only considering a private cloud, there may be an opportunity to explore the other models as well, including a public cloud, hybrid cloud or a community cloud. But the type of end user and the sensitivity of the data being stored in the cloud will influence this decision.
Who is the end user?
Are the people using the service employees at your agency or are they employees at another agency who are sharing the service? Maybe citizens are the end users. Understanding who will use the service also affects cloud selection. For example, a public website or portal may be a great candidate for a public cloud, but maybe the actual system that stores any personally identifiable information citizens share is hosted in a private cloud or not in the cloud at all. For groups of users with a shared mission and common interests, such as the intelligence community and research institutions, community cloud is proving to be a viable option.
What type of data would be in the cloud?
The sensitivity level of the data will play a major role in selecting a cloud deployment model. For example, the Defense Department uses “impact levels” to classify the sensitivity of its data and determine which cloud environments are most appropriate to meet its security standards. The impact levels are defined by the sensitivity or confidentiality level of information (whether it’s public, private, classified, etc.) that will be stored and processed in the cloud and the potential impact of an event that results in the loss of confidentiality, integrity or availability of that information.
This is where programs like FedRAMP play a major role in determining how certain data should be secured in the cloud. FedRAMP standards also help agencies determine if a particular cloud deployment model is appropriate to host different types of data.
Agencies must keep in mind that these questions should not be considered independent of one another. They all play a collective role in assessing what type of cloud can best meet their needs.
“When deciding what applications to move to the cloud and what type of cloud model to use, consider what the application does,” Davies said.
That helps you understand the applications that are most important to your business and the applications that are furthest away from it. Applications that are not central to your mission and can be easily migrated to the cloud are good candidates to test in the cloud.
To help ease the load of adopting and implementing cloud services, some agencies have turned to cloud brokers. These organizations serve as intermediaries between cloud buyers and cloud sellers and provide added value in various areas, such as cloud procurement and negotiation as well as implementation. Cloud brokers can be private companies or government agencies.
“There are a lot of cloud brokers out there now that can come in, take a quick look at your workload and help you decide where to go and what to do,” Davies said. “I don’t think there are a lack of resources for agencies to go to the cloud. Sometimes it’s a matter of selecting a service and starting the process.”