mapping government's journey to the cloud: 8 success stories
DESCRIPTION
In this guide, we'll review eight case studies that highlight key aspects of the cloud journeyTRANSCRIPT
Mapping Government’s journey to the cloud 1
Mapping Government’s
Journey to the Cloud:
8 Success Stories
2 A GovLoop Guide
Mapping Government’s journey to the cloud 1
Executive Summary 3
Cloud Spending in Government 4
Mapping Your Journey to the Cloud 5
Peace Corps: Identifying Agency Needs 6
Why Digital Cloud Platforms Are Vital for Government 9
Department of the Navy: Developing Requirements 10
Delaware: Procuring Cloud Services 12
Making the Most of Cloud 15
State Department: Addressing Security Standards 16
Q&A with FedRAMP Agency Evangelist Ashley Mahan 18
are you ready to embrace clouD? 21
Miami-Dade County: Implementing Services 22
Colorado: Changing User Experience with cloud 24
A complete approach to cloud computing 27
Hawaii: Planning for Version 2.0 28
Cloud Computing Glossary 30
About & Acknowledgments 32
Contents
2 A GovLoop Guide
The road to change isn’t easy, especially when it involves people and processes.
Mapping Government’s journey to the cloud 3
Executive SummaryJust think about the last time your agency rolled out a new departmentwide system or changed a work process that affected nearly every employee. There was plenty of office chatter about what was happening, why it was happening and how it would affect everyone, right?
We know from experience that navigating these changes can be exciting, con-fusing and scary all at once. But the payoffs are huge.
Let’s use cloud computing as an example: All of the above can be used to describe the government’s journey to adopt this innovative information tech-nology model. For those agencies that have embraced cloud computing, the ability to buy access to software and hardware as a service has and continues to transform the way government operates.
But as the U.S. General Services Administration has noted, “the customer jour-ney down the path [to cloud] can be fraught with lack of information, and there are a multitude of places where even the most experienced IT manager can make mistakes.”
With that in mind, how do agencies successfully move from considering cloud to actually buying cloud services? How do agencies implement those systems and ensure they are secure? Addressing these issues is often easier said than done, especially when critical applications are involved. But finding the best way forward and executing that plan isn’t impossible.
There are numerous success stories about agencies moving human resources, financial management and other systems to a cloud environment — some of which you’ll read about in this GovLoop guide.
To help you map your path to the cloud and beyond, this guide includes eight case studies that highlight key aspects of the cloud journey and how agencies addressed the following:
® Identifying agency needs
® Developing requirements
® Procurement
® Securing the system
® Implementing the system
® Using the service
® Planning for version 2.0
Make sure to check out the “Tips for Success” section included with each case study. These useful insights will help you proactively address some of the common pitfalls that plague government cloud projects.
Cloud Spending IN GovernmentThe federal government spends about $89 billion annually on IT, according to the president’s fiscal 2017 budget.
More than half of that funding, however, is tied up in sustaining legacy technol-ogy, or what is commonly referred to as operations and maintenance costs. Only about 20 percent of the overall IT budget funds new development, modernization projects and IT enhancements.
U.S. Chief Information Officer Tony Scott blames the huge disparity in spending between new and older systems on tight budgets and the impact of automatic budget cuts known as sequestration.
Scott explained it this way: You can ask CIOs to save money, and they will — but they’ll also stop spending on
refreshing infrastructure, application development and other things that are easy to cut.
“This is not a case where you can save your way to success,” Scott said. “We need to invest a little to get the out-comes that we want.”
The good news is a small but growing portion of government IT investments are funding cloud projects. Collectively, agencies currently spend more than 8 percent of the federal IT budget on provisioned services, such as cloud. According to the White House, this level of spending is on par with leading private-sector companies.
On the right is a breakdown of federal IT spending, including cloud services.
Development Modernization Enhancement (DME)* These projects lead to new IT assets/systems and changes to existing IT assets. The purpose is to greatly improve capability or performance, implement legislative or regulatory requirements, or meet an agency lead-ership request.
Operations & Maintenance (O&M)* O&M assets produce the same product or provide a repetitive service, also known as steady state.
Provisioned IT Services These are shared or cloud IT services that are owned, managed and operated by the organization, a third party or a combination of the two. The service may exist on- or off- premises, and the agency consumes it on an as-needed basis.
*Note: DME and O&M services can be delivered via the cloud. Those services fall under the Provisioned IT Services category. Source: Federal IT Dashboard
Federal IT Spending(Millions of Dollars)
Development, Maintenance & Services Spending
The chart below shows the percentage of federal IT funding spent on Development Mod-ernization Enhancement, Operations and Maintenance and Provisioned IT Services (which includes cloud).
2015 2016 2017 (PROPOSED)
36,727 37,987 38,551
49,965 50,726 51,300
86,692 88,713 89,851
Department of Defense*
Non-Defense
Total
+
=
*Note: Defense IT spending includes estimates for IT investments for which details are classified and not reflected on the IT dashboard. All spending estimates reflect data available as of Jan. 19, 2016. Source: The President’s Budget for Fiscal 2017
8.5% $6.9b
22.9% $18.7b
68.6% $55.9b
DME O&M Provisioned
4 A GovLoop Guide
Mapping Government’s journey to the cloud 5
Mapping Your Journey to the cloudCloud computing is gaining traction in government, thanks in large part to state and federal policies that require agencies to consider cloud first when making new IT investments.
But the period between identifying a viable cloud service and actually implement-ing it for use can take months or even years. Planning for cloud investments within the confines of the government budget cycle has its challenges, and vetting the security of that service takes time — even with programs like the Federal Risk and Authorization Management Program (FedRAMP) in place to improve that process.
According to GSA, here are the key issues you can expect to work through when migrating to the cloud:
Next up, we’ll look at eight case studies that highlight each component of the cloud journey. You’ll hear from federal, state and local officials on how they addressed these issues, as well as tips for success.
Secure
ReqsDevo
Agency Need
End ofLifeImplement
Procure
Use
Identify Agency Needs As agencies begin their
journey to the cloud, they first must have a deter-
mined agency need, such as responding to a directive,
replacing a system or optimizing it.
Secure The agency has to secure
the system to ensure that it can appropriately safeguard
federal and citizen data.
Develop Requirements After a need is determined,
an agency must research the actual requirements for the
system, which can be a unique challenge because legacy
systems must be translated to cloud-based ones.
Implement Then an agency needs to
implement the system and make sure it’s functional and
able to integrate into any necessary backend systems
or requirements.
Procure Next up is the acquisition
process to find a solution that meets the agency’s needs,
including security.
Use Now, an agency finally gets
to use the service, but as with most cloud services, agencies must also address the need
for updates, new services and continued optimization.
End of life/Version 2.0 At some point, an agency will
need to retire the current system or move to a new one.
6 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Peace Corps: identifying agency NeedsThe sweet spot for Heather Schwenk, the Peace Corps’ Volunteer Delivery System Expert, is when the agency’s business and technology teams align and mission needs drive tech adop-tion — not the other way around.
“Here, the tech team that we work with gets that 100 percent,” said Schwenk, a nearly 14-year veteran at the agency who oversees the entire business process, from the time people apply for volunteer assignments to the time they enter on duty.
“It’s like programming drives budget; bud-get doesn’t drive programming,” she said. “It’s the same exact model.”
These deeply rooted beliefs set the tone for a major cultural and technological shift in the way the Peace Corps does business, specifi-cally when it comes to volunteer recruitment.
It wasn’t until recently that the agency allowed applicants to apply to specific positions. For the first time, thousands of potential volunteers could decide what they wanted to do and where they wanted to go.
In the past, “people believed that you signed up for the Peace Corps, and it maybe wasn’t entirely about applying to the job,” Schwenk said. “That’s where there was this cultural shift,” she said of the agency’s move to make positions vis-ible to applicants. And with that shift came the adoption of new technology solutions to support the change.
For example, the application process used to take eight hours; now it’s roughly an hour long, thanks in part to a more user-friendly
interface. Internally, employees no longer have to circulate printed application forms for review. Instead, they can view applicant data directly in the agency’s system, which means more efficiency.
The focus for Schwenk and her colleagues has been aligning the Peace Corps’ busi-ness processes with the innovative capabil-ities that technologies like cloud can offer. In fall 2015, the Peace Corps awarded a contract for an upgrade to its cloud-based recruitment platform. The Software-as-a-Service (SaaS) solution will run in a hybrid cloud, on infrastructure that meets the gov-ernment’s FedRAMP requirements.
“It’s easy to build systems and processes that work best for us, but at the end of the day, we have to remember that the process works best to find the best vol-unteers,” Schwenk said. “Sometimes that means tight deadlines, sometimes that means being more transparent, getting more phone calls and questions, but that’s what we wanted to do. We wanted to be transparent and build the process to find the best volunteers.”
Today, applicants can filter for the job they want. But when they’re applying, they’re not truly applying to that particular job through the technology. For now, they’re grouped together in a general applicant pool when they apply. That will change in the upgraded cloud-based system.
The technology will also enable the agency to ask applicants job-specific questions. In the future, if someone applies for a for-ester position in Paraguay, for example,
Mapping Government’s journey to the cloud 7
the candidate will be asked if she has a degree in forestry and can speak Spanish.
Another benefit: The application process will be optimized for mobile users. Many applicants use mobile devices as their primary communication tool. To what extent people use their devices to apply for Peace Corps openings isn’t clear, “but we want to have it as mobile-friendly as possible, so people can make their own choices,” Schwenk said.
Her team is also weighing how the agency will use a Facebook-like feature in the sys-tem that allows communities of users and Peace Corps employees to communicate and share timely information about volun-teer assignments.
The guiding light for change was a drive to be more innovative and pinpoint how technology could support a more efficient application process that attracts the most qualified and passionate volunteers. For everyone involved in selecting and design-ing the new cloud-based recruitment sys-tem, having the agency’s vision in mind was key.
“Those were the people who we needed as champions,” Schwenk said. “That was who I was looking for. And so we created our team. It was very expansive. We defi-nitely needed them to be talking to their colleagues, making sure people were informed, advising us on the process but also moving forward. Champions are key, at all levels.”
“It’s easy to build systems and processes that work best for us, but
at the end of the day, we have to remember that the process works best to find the best volunteers”
Don’t focus on the exception to the rule or addressing problems that affect only a minority of users. Instead, adopt a solu-tion that meets the needs of the majority, and determine if internal processes need to be reworked.
Identify champions at all levels, from the top all the way to end users at their keyboards. These champions should be innovative and collaborative and have the agency’s vision in mind.
You can’t make change in an organization if you don’t have support at the top. Champions at the senior level should be well-versed in the issue and understand its impact. If you really want to see change, get your leaders to speak openly about the new way forward.
TIPS FOR SUCCESS
Heather Schwenk Volunteer Delivery System Expert,Peace Corps
8 A GovLoop Guide
ACQUIA PROVIDES THE LEADING CLOUD PLATFORM FOR BUILDING, DELIVERING, AND OPTIMIZING DIGITAL EXPERIENCES.Acquia is the enterprise platform behind Drupal, the leading open-source content management system, recognized as a Magic Quadrant Leader by Gartner two years in a row. Our platform enables agencies to foster greater digital engagement with citizens and securely deliver mission essential information and services with greater speed, agility, and resiliency.
The City of LA, State of New York, FEMA, Department of Homeland Security and many other government agencies rely on the Acquia platform to build websites and digital experiences that meet the needs of their citizens, internal users and IT teams while moving their missions forward.
acquia.com/government
State of GeorgiaCase Study
City of Los AngelesCase Study
FEMACase Study
Australian Govt.Case Study
Mapping Government’s journey to the cloud 9
The real value of cloud computing doesn’t come from agencies shifting their data from government data centers to a cloud vendor’s facility.
Where agencies get the most value for their money is in digital cloud platforms that enable them to offload operations, such as information security around the data, and shift the control burden from their IT teams to service providers, said Dan Katz, Technical Director for Acquia’s public sector business. This frees up agen-cies to focus on their missions and meet-ing their users’ needs.
Today, citizens have come to expect fast, efficient and accessible services from gov-ernment agencies. But to be successful, agencies must ensure that their digital strategies increase user engagement and address opportunities to save money.
Managed cloud platforms and open source software are enabling agencies to do both.
So what exactly is a managed cloud platform? A prime example is managed Platform-as-a-Service (PaaS), which is seen as the next evolution of digital experi-ence management. PaaS comes with the orchestration layer pre-built and provides organizations with a true end-to-end plat-form stack specifically designed to support digital experiences. This enables organi-zations to focus on the experience itself rather than the infrastructure behind it.
Modern digital experience management requires much more agility, and PaaS envi-ronments allow digital teams to focus on creating experiences that serve users and connect all the systems required to power those experiences.
A growing number of government agen-cies are also using open source software to support their digital operations. Today, Drupal powers about 40 percent of U.S. government websites. But the real power lies in agencies combining their cloud and open source approaches.
“For agencies to operate in the modern era on shoestring budgets, they need the managed PaaS in the cloud, and the flexibility and innovation of open source,” Katz said. “Agencies that are able to do so successfully are emerging as leaders and paving the way for others to follow.”
But there are a few things agencies should know as they look to combine their cloud and open source strategies.
Many large cloud-hosting providers serving government agencies advertise the ability to support mission-critical Drupal solutions, but more often than not these providers are focused on infrastructure and offer vir-tual machines in a data center with canned configurations and some level of managed support that is often very expensive.
“It’s true they may meet the require-ments on paper, but buyers beware,” Katz warned. “Moving your website from an internal data center to a managed cloud host is no different from moving a car from your own garage to a rented space down the street. In both cases, you’d need to provide expensive maintenance and care for the car, no matter where it is located.”
In contrast, a true digital cloud platform, such as Acquia Cloud, provides tools and application program interfaces for DevOps, monitoring and health checks designed for managers and non-technical users, application-level support and service-level
agreements, and deep integration between the application and the platform.
“In this instance, using the car analogy, you would not have to worry about keeping the car running or providing regular mainte-nance,” Katz said. “You would not need to provide a team to keep the car tuned up and ready to roll at any time. That would be a service provided for you.”
A great real-world example is the state of Georgia. When the state moved to Acquia’s Digital Cloud in 2012, it projected $4.7 mil-lion in cost savings based on the freedom the state would gain from using a true digi-tal platform with application-level support. Putting support in the hands of people whose full-time job is to support the cloud brought the state cost savings, expertise, scalability and better time management.
Nikhil Deshpande at the Georgia Technol-ogy Authority said, “Experts can monitor our platform and servers 24/7, providing recommendations to updates and changes if needed at a moment’s notice. We have had some issues with distributed deni-al-of-service attacks where Acquia was able to bring our websites back up and running in a fraction of the time compared to other state government websites that experi-enced the same attacks.”
That’s the power of a digital cloud platform.
“The key takeaway is that it’s not enough to host in the cloud,” Katz said. “Instead, your organization needs a digital cloud platform that significantly offloads the operations to a qualified provider and enables you to realign your resources toward innovation and improving citizen services.”
Why Digital Cloud Platforms are Vital For Government
An Interview with Dan Katz, Technical Director, Public Sector, Acquia
INDUSTRY SPOTLIGHT
10 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Dept. of the Navy: Developing
RequirementsThe Defense Department has been slower than most government agen-cies to adopt cloud services. Address-ing security concerns in the cloud took some time, but that wasn’t the only holdup.
One of the criticisms early on was that all DoD cloud procurements had to go through the Defense Information Systems Agency, a combat support agency that provides IT and communications support for the depart-ment, including warfighters.
But restrictions on how DoD components buy commercial cloud changed in Decem-ber 2014, when department CIO Terry Halvorsen gave component agencies the green light to work directly with commer-cial vendors, rather than coordinating pro-curements with DISA.
“One of the things that we’re going to change, to give us more opportunities to move faster, is to let the military depart-ments do their own acquisitions of the cloud services and not have to funnel that through one agency — in this case, DISA,” Halvorsen said a few months before issu-ing the memo.
Since then, the military services have charted paths forward into the cloud while adhering to overarching DoD require-ments. But even before the memo’s release, the Department of the Navy (DoN) had already begun testing low-risk data in the cloud.
“This early pilot activity added to and informed the follow-on innovative engi-neering techniques and dedicated time spent working through complex secu-rity requirements to arrive at the current
Mapping Government’s journey to the cloud 11
approach to getting the job done,” said Susan Shuryn, a Technical Adviser and Cloud Lead for the DoN CIO.
The DoN, which is composed of both the Navy and Marine Corps, used those les-sons to launch a cloud store in March 2016 as the department’s official resource for buying cloud services. Vital to the store’s success is an understanding of internal customers’ requirements.
For now, the focus is on providing IaaS for two distinct user groups: “The first level is the application owners, who are respon-sible for the day-to-day operations and security of the application, as they would be in traditional hosting environments,” Shuryn said.
“The difference is that they are operating from within the commercial environment, are paying only for the amount of service they need, can turn the service off when they don’t need it and have access to per-formance and availability metrics as part of monitoring the service,” she said. “The second level is the end user of the appli-cation. For that user group, the biggest change is the broad internet access that is provided by the commercial offering.”
Application owners who are interested in moving apps to the cloud must first undergo an initial interview to determine if the appli-cation is a good candidate for the service being offered. The DoN’s current IaaS offering can host publicly releasable data, or Level 2 data, and Level 4 data, which is sensitive data that requires greater security.
There’s a Managed Service Organization that assists application owners through-out the process and also manages the
business side of the service for them once they’ve migrated to the commercial cloud environment, Shuryn said.
Her team also had to address security requirements. As required by DoD, the DoN had to build and accredit a cloud access point to the DoD Information Net-work for sensitive Level 4 data.
“The cloud access point is an interface, a set of security capabilities — both protec-tion devices and sensors — that allows DISA to monitor traffic and apply security policies,” said Dave Mihelcic, DISA’s Chief Technology Officer. “It is a DoD-controlled demarcation point between the DoDIN, which is under direct DoD control, and the commercially hosted component that is a shared responsibility between the system owner and the cloud provider.
“The idea is to make sure that if a vulnera-bility exists and is exploited on a commer-cially hosted site, it cannot be exploited to the point of endangering others on the DoDIN,” he said.
Shuryn and her team aren’t just concerned about meeting current requirements. They are also considering future security requirements. The plan is to incorporate more commercial cloud offerings in ver-sion 2.0 of the store, which is set to launch in early 2017.
“There is plenty of opportunity for contin-ued innovation in the engineering designs that will take us to the next level in lever-aging what the [cloud] providers have to offer,” she said.
“The difference is that they are operating from within the commercial environment, are paying only for the amount of service they need, can
turn the service off when they don’t need it and have access to performance and availability metrics as part of monitoring the service.”
Educate yourself and others about cloud computing service and deployment models and how the classification of data — whether sensitive or not — may affect implementation.
Develop roles and responsibil-ities for providers, integrators and government. Determine how these three entities will interact in deploying, securing and sustaining solutions.
Build security into the design process up front and involve your authorizing official (AO) early in the development. In government, the AO is respon-sible for operating an informa-tion system at an acceptable level of risk.
TIPS FOR SUCCESS
Susan Shuryn Technical Adviser & Cloud Leader for theDept. of Navy CIO
12 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Delaware: Procuring Cloud ServicesWe’ve all been on the dreaded tech sup-port line — languishing in despair as the wait time increases and real help seems like a distant dream. There has to be a better way, right? If only the government could find one.
The Delaware Department of Technology found that solution. In 2013, the depart-ment implemented a cloud-based, soft-ware-as-a-service solution that allows employees to track IT assets and appli-cations. The most-used feature allows employees to process help tickets and work requests via the cloud. As soon as the ticket is submitted, it’s routed to the right people. Based on the severity level of the ticket, it is assigned a certain level of tracking and escalation.
Every agency in the state can submit tickets, making it a truly centralized solu-tion. For Delaware, this capability is transformative.
“There is no agency that is not heavily dependent upon technology,” said James Collins, Delaware’s CIO. “When that tech-nology is not functioning properly, it brings their ability to serve citizens to a halt. This new process is just a way for us to quickly be made aware of the issues, get the right classification and escalation, and monitor it through to resolution.”
The cloud allows the department and state employees to interact with the system whenever and wherever they are. Histor-ically this access hasn’t been available to users. “We’ve had these systems that were behind our firewall, and you had to VPN
[virtual private network] in with two-fac-tor authentication and all these different things to actually access the system,” Col-lins said. Until the new solution rolled out, “there wasn’t a lot of proactive communi-cations going out.”
But despite the successful cloud imple-mentation, Collins warned that the pro-cess of procuring cloud solutions is still difficult for governments.
“We have more than 175 different cloud applications and each one of those con-tracts is slightly different,” said Collins. “I have a lot of challenges to overcome when it comes to making sure the right cloud solution is implemented.”
To help ease the procurement process, Collins and his team created a terms and conditions document.
“Potential vendors have to agree to our terms and conditions in order for state information to be hosted in their environ-ment,” he said.
Those terms and conditions act as a road-map for agencies considering moving their programs to the cloud. Featured prom-inently in the document are sections on security and data ownership.
“Per our state laws, data that is classified as non-public is required to be encrypted at rest and in transit,” Collins said. “Addition-ally, data is required to be housed in the continental U.S. If a vendor can’t agree to those terms, we can’t contract with them.”
Mapping Government’s journey to the cloud 13
“On the ownership side, we specify in our contracts who owns the data,” Collins said. “It is very explicit in our terms and condi-tions that the data belongs to the state.”
Safeguarding a solution that processes help-desk tickets may not seem like a big issue, but it contains sensitive data about the state’s IT systems. And any system that contains personally identifiable informa-tion (PII) must be secured.
“We really put vendors through the paces when there’s going to be PII of citizens, or employees or pensioners of the state as well,” Collins said.
He isn’t worried only about current con-tracts, either. In the terms and conditions, the state included clauses that ensure it can exit the contract.
“One of the biggest risks related to mov-ing to a cloud environment is the ability to leave the contract,” Collins said. “Realisti-cally, what happens when you move to a cloud environment is that you don’t have an on-premise infrastructure to host this application. In some instances, the con-tract specifies that you need to move to a proprietary platform, so that even if you decide to leave that vendor, the applica-tion, that language is proprietary to that vendor. So while the data is still yours, you don’t have a system to use that data in.”
To address this issue, Collins recommends that agencies ensure a true exit strategy is in place before signing a contract.
“On the ownership side, we specify in our contracts who owns
the data. It is very explicit in our terms and conditions that the data
belongs to the state.”
Take a risk-based stance during the procurement process. Create a terms and conditions document ahead of time so that vendors are clear about who owns the data, where it is stored and how it is secured.
Do your homework. It is imper-ative to have a real assessment of a cloud provider’s infrastruc-ture policies and practices. For example, see if the provider is FedRAMP-certified or has other similar qualifications.
Look to the future. Understand the ongoing cost commitment in the out years, and try to control that as much as you possibly can. Create price caps; that way even if adoption goes up, costs stay relatively flat over that time period.
TIPS FOR SUCCESS
James Collins Chief Information OFficer, Delaware
14 A GovLoop Guide
C
M
Y
CM
MY
CY
CMY
K
AWS-SciLogic-Ad-Design.pdf 1 4/22/16 2:31 PM
Mapping Government’s journey to the cloud 15
It seems everyone in government is talking about cloud computing. But even so, it can still be a difficult path to navigate alone.
That’s why DLT Solutions is working closely with agencies to make their journey to the cloud seamless and cost-efficient. As a pub-lic-sector IT reseller and managed services provider, DLT partners with cloud vendors such as Amazon Web Services (AWS) and ScienceLogic to help agencies adopt solu-tions that best support their missions.
David Blankenhorn, Chief Technology Offi-cer at DLT, spoke with GovLoop about how the company works with agencies to implement cloud services and manage complex hybrid IT infrastructures, saving them money and increasing productivity.
In the past five years, Blankenhorn has seen a major shift in the conversation about cloud. In the beginning, custom-ers wanted to know what cloud was and how it could be used. Two years later, the conversation shifted to how they could securely use cloud. Within the past year, he has noticed a new shift: “People are saying, ‘I get what cloud computing is, and I understand how it can be used securely, now how do I budget and acquire it?’”
That’s where DLT comes in. As a premier consulting partner for AWS, DLT helps make the path to cloud seamless and cost -efficient for agencies by offering lifecycle engineering and services a la carte, allow-ing agencies greater flexibility.
“We do everything from helping customers size their cloud accounts and making sure they have the right resources to helping them deploy, all while providing 24/7 U.S.-citizen-on-U.S.-soil-based support,” Blan-kenhorn said. DLT’s partnership with Sci-enceLogic is especially helpful, as agencies
can use ScienceLogic’s AWS monitoring and dashboard services to track and man-age their cloud platforms.
The persistence of cloud conversations is due in part to the federal Cloud First pol-icy, which started the conversation and directed agencies to consider cloud ser-vices. This opened the door to a greater understanding of how cloud could play an important role in achieving mission success.
“In many cases, there’s a shortage of money for new products and services,” Blankenhorn said. “Using cloud technol-ogy allows agencies to leverage limited funds to try new things out.”
Blankenhorn attributes cloud’s success to its elastic nature. “One of the most com-pelling value propositions of the cloud is the ability to scale up and scale down and change the amount of resources con-sumed based on workload,” he said.
That capability drives two key initiatives: accelerated time to market and pub-lic-sector innovation.
Elasticity has meant that agencies can more rapidly deploy new services by reducing the amount of extraneous work and resources poured into a project. In terms of innovation, “there are a lot of great ideas out there, but organizations are often hobbled by a lack of resources, whether it’s computing power, storage or networking,” Blankenhorn said.
Cloud enables organizations to test things quickly and inexpensively. If the ideas work, they can be scaled up and sent to production. If they do not, agencies can go back to the drawing board without incur-ring a great loss.
As organizations migrate to cloud, they face the challenge of managing complex, hybrid IT infrastructures that include on-premise data centers as well as cloud services. This hybrid environment creates unique management challenges, as agen-cies need to leverage both their cloud capabilities and their on-premise invest-ments. Ideally, agencies should be able to use a common set of tools to manage both the on-premise and cloud resources.
Blankenhorn recommended that IT man-agement tools handle three distinctive views all at once. First, the tools should monitor an agency’s traditional IT, such as servers, software and other assets the agency has in its data center. Second, the tools should be able to monitor and man-age resources that are deployed in the cloud, such as virtual machines, elastic compute cloud resources, operating sys-tems and applications. Third, tools should be able to look at the cloud platform itself and determine the health of the infra-structure, analyze tech performance and provide security monitoring.
Adopting the right cloud solution and having the proper tools to manage hybrid infrastructure require proper planning up front and dialogue between agencies and vendors during the acquisition phase. Doing so ensures that there is maximum flexibility in the contract for agencies to use the cloud platform in a manner that best meets their needs.
“Cloud is a different way of consuming information technology, and there’s defi-nitely a learning curve to it,” Blankenhorn said. “We spend a lot of time working hand in hand with contracting officers and acquisition specialists to help them understand what the right models are and how to properly manage and monitor the acquisition of cloud services.”
Making the Most of CloudAn interview with David Blankenhorn, Chief Technology Officer at DLT Solutions
INDUSTRY SPOTLIGHT
16 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
State Department: Addressing Security StandardsIt’s well known that becoming a Foreign Service officer for the State Depart-ment can take a person on the journey of a lifetime. From serving in Nigeria to Thailand to Colombia and beyond, For-eign Service officers work to promote peace, support prosperity and protect American citizens while advancing U.S. interests abroad.
But there’s a different kind of journey that the State Department has been on, and it’s equally important — the journey of successfully adopting and deploying cloud computing technology departmentwide, and doing so securely.
Cloud computing plays a major role at the State Department when it comes to enabling and empowering frontline diplomats to carry out their roles and responsibilities.
Minh-Hai Tran-Lam, Acting Deputy CIO for Business Management and Planning, at the department, knows this well. She recently helped update State’s cloud com-puting policy and stand up a Cloud Com-puting Governance Board.
The goal of the board is to streamline cloud adoption across the department by instituting a single authority for evaluating cloud services.
Putting together a board and a guidance policy on cloud computing for the depart-ment that provides transparent communi-cation, methodologies and assistance on how to adopt cloud and meet all of the federal cloud requirements, in addition to addressing what the users need on the
Mapping Government’s journey to the cloud 17
front end, hasn’t been an easy journey. But it’s been an important one.
“Our goal is to actually provide a one-stop shop to give guidance for anyone in the department who’s interested in using the cloud,” Tran-Lam said. “We want to help them go through the process, so that they’re not being left alone when they say, ‘Hey I want to go to the cloud. What do I do?’ It’s all set up from a procurement standpoint, from a user-friendly security standpoint and a business requirement standpoint.”
The Cloud Computing Governance Board was created toward the end of 2015, and the department is now working on putting the right people in place to run it — and making sure they’re not just folks from the IT department.
“We’re making sure to have a mix of peo-ple on the board,” Tran-Lam said. “We’ve got the business partners we have in the department, our cybersecurity partners, our procurement partners, our secretary’s office. There are also our public diplomacy counterparts and the regional bureaus. We’re looking at cloud use in the State Department from a holistic standpoint, not just an IT perspective.”
That said, Tran-Lam said the board often gets questions about security and the cloud.
“The requests may differ between a very simple request just asking about the pro-cess, or it may be a more robust one where the person in question doesn’t really know what the security requirements are. And so the requests actually span from the
most simple request to the most complex request about security,” she said.
Another common question for the board comes around FedRAMP — the govern-mentwide program that provides a stan-dardized approach to security assessment and authorization for cloud products.
“We often get asked about FedRAMP,” Tran-Lam said. “This is a shared responsi-bility between the cloud service provider and the customer. Just because a service is FedRAMP-certified, that does not mean the entire security responsibility resides with the service provider.”
There is a collaborative parternship among the Information Assurance Direc-torate, Bureau of Diplomatic Security and Privacy Office to help customers facilitate the process.
Tran-Lam admits that although worthwhile, supporting and running the Cloud Comput-ing Governance Board can be difficult.
“You’re going to get all sorts of different questions,” she said. “But we do have the IT expertise, and the understanding of all different aspects of cloud, from a security standpoint to a technological standpoint. We have to share the knowledge.
“If you’re committed and you over-com-municate and you help the customer get what they need, I think everyone will be more likely to adopt cloud computing ser-vices,” Tran-Lam said.
“[fedramp] is a shared responsibility between the cloud service provider
and the customer. Just because a ser-vice is fedramp certified, that does not mean the entire security responsibility
resides with the provider.”
Engage partners early. It’s critical to ensure that you have all the proper stakeholders engaged early on, and you must work to understand what their needs are from ther perspectives of pro-curement, security, operations and business.
Understand the business need first. If you want to go to the cloud, decide first what issue or problem going to the cloud will solve.
Communicate, communicate, communicate. Being proactive in communication and answer-ing a question will take your cloud adoption a long way, Tran-Lam advised. “There are no small questions, and it’s import-ant to be a really good partner to your customers.”
TIPS FOR SUCCESS
Minh-Hai Tran-Lam Acting Deputy CIO, Business Management & Planning, State Department
In the federal government, you can’t talk cloud security with-out mentioning FedRAMP. It’s short for the Federal Risk and Authorization Management Program, but you’ll rarely hear
people rattle off the entire name.
The governmentwide program was designed to speed secure cloud adoption across federal agencies by establishing stan-
dard security requirements for cloud vendors. In March 2016, the FedRAMP program office announced plans for getting
vendors through that process quicker.
Both industry and government have been working through the growing pains of speeding the process and addressing
lingering security concerns often associated with cloud com-puting. To better understand agencies’ needs and support
their cloud journey, the program brought on Ashley Mahan, its first Agency Evangelist. Her goal is to help agencies embrace
FedRAMP and ultimately adopt secure cloud services.
GovLoop spoke with Mahan about her new role and the cloud computing issues she’s seeing across government.
6 Questions for FedRAMP Agency
Evangelist Ashley Mahan
GOVLOOP: What does a typical day/week look like for you? What types of people are you meeting with and what do you discuss?
MAHAN: Each day and week looks dif-ferent. I do regularly meet with agencies, cloud service providers (CSPs), 3PAOs [Third Party Assessment Organizations], the Joint Authorization Board and the FedRAMP Program Management Office team. While each conversation is different, I always focus on: How can FedRAMP facil-itate more cloud adoption by the federal government by using FedRAMP-compliant cloud services?
GOVLOOP: What are you seeing at the agency level in terms of cloud adoption and the types of capabilities agencies are looking for in the cloud?
MAHAN: Recently, one of the trending con-versations I have with agencies is in regards to innovative SaaS offerings that are not yet FedRAMP-compliant. Agencies are very interested in learning more about the spe-cific capabilities FedRAMP-compliant and in-process cloud services offer. In addition to solving their practical challenges, agen-cies are expressing their desire to learn from one another and ask for my assis-tance to help. It is a very exciting time as the FedRAMP Agency Evangelist!
GOVLOOP: What have you seen as the pain points and concerns agencies face when it comes to security in the cloud? What advice/tips are you sharing with those agencies?
MAHAN: Agencies are primarily con-cerned with effectively managing risk, and secure cloud products are pivotal to their risk-management strategies. We are noticing that agencies have a couple of concerns when it comes to cloud security: The cloud is “newer” and less tangible than legacy IT solutions that agencies are used to, and with that comes a discomfort in adopting a new way of doing business via the cloud.
Individual agencies can accept their own level of risk associated with a cloud service when authorizing that cloud service (as allowed by the Federal Information Secu-rity Management Act), [but] one agency may be hesitant to “re-use” another agen-cy’s authorized cloud solution because it may not trust the risk tolerance associated with that authorized cloud solution.
18 A GovLoop Guide
Mapping Government’s journey to the cloud 19
To help ease these concerns, FedRAMP is supporting agencies to: 1) Provide high-level education about the cloud, security and the FedRAMP program. 2) Standardize the documentation and review process. FedRAMP encourages agencies to perform their due diligence in reviewing all security documentation that is located within the FedRAMP secure repository prior to issuing an authorization. 3) Clarify the risks that the authorizing agency accepted.
FedRAMP is applying safeguards to ensure agencies are well informed prior to reusing an agency-sponsored Authority to Operate (ATO). The FedRAMP team reviews each sponsored agency standard ATO package and provides a summary report (three to four pages) outlining the system risk to ensure each agency makes an informed review and decision. FedRAMP retains a copy of all authorized CSP security docu-mentation, and we assist agencies to per-form their due diligence in reviewing all security documentation.
GOVLOOP: What specific challenges do agencies face when it comes to fully embracing FedRAMP? What advice/tips are you sharing with those agencies?
MAHAN: Some agencies are still trying to understand how FedRAMP will help them, and we offer more services than just the “authorization.” As stakeholders better understand the services we can provide, they will know that they can come to us for more support.
We are strengthening communication chan-nels among agencies and between agencies and the FedRAMP PMO by establishing a FedRAMP Agency Point of Contact at each of the 24 CFO Act agencies. An agency’s FedRAMP liaison will coordinate and facili-tate increased collaboration among agency partners and cloud adoption.
GOVLOOP: How do you measure success in your role, and what does that mean for the agencies you serve? What gap do you see yourself filling?
MAHAN: FedRAMP has done a lot of great work over the last few years. And, as we have evolved, we have made it a priority to help agencies adopt the secure cloud. We have already seen success — as can be measured by an increase in the num-ber of agency ATOs and an increase in
the number of conversations I am having with agencies regarding their cloud needs and solutions. Of course, FedRAMP is not solely responsible for agency cloud adop-tion, but we are doing what we can to help.
GOVLOOP: What three takeaways about cloud and security do you want our gov-ernment readers to know?
MAHAN: Cloud technologies provide cost-effective solutions to business and mission needs. Agencies need cloud capabilities to improve their core agency functions to meet their mission and cost-effectively optimize business func-tions. FedRAMP exists to help provide a unified framework for federal agencies to securely adopt cloud technologies; we are proactively working with agencies to pro-mote collaboration and share information. I am here to help — if you are an agency or a CSP working with an agency in obtain-ing an authorization and need FedRAMP assistance, please contact me at [email protected] or @FedRAMPAshley.
#FeedBackFridayWe want to hear from you! On Fridays, I pay special attention to the ques-tions you post, so I can respond with what FedRAMP is doing and how we can help. We want to bring the FedRAMP community closer together; it’s a true partnership.
#oneteamonedreamWe are all on one team. FedRAMP is a program for the American public, and we have one overarching goal: to provide secure and compliant cloud tech-nologies to the federal government.
#AgencyroadshowThis is my agency listening tour. I am actively engaged with all 24 CFO Act agencies and meeting with a diverse set of stakeholders. I use this hashtag to inform the public of which agencies I am meeting with and when.
#WheresashleyI enjoy meeting a lot of people, including cloud service providers, 3PAOs and the public. This hashtag communicates where I am and with whom I am meeting. Also, it ties into my agency road show, which reflects the agencies that I meet with.
Look out for these @FedRAMPAshley hashtags
“FedRAMP exists to help provide a unified framework for federal agencies to securely adopt cloud technologies; we are proactively working with agencies to promote collaboration and share information.”
20 A GovLoop Guide
Whether your agency is looking for a private, hybrid or public cloud solution, ViON will help you prepare the applications and services you need to migrate to the cloud and create a pathway toward success.
ViON will work with your team to leverage the flexibility, innovation and cost savings of cloud at every stage of the journey. ViON possess over a decade of cloud delivery and management experience, providing you with absolute security and the highest performance levels.
Learn more about the benefits of cloud at ViON.com/cloud
use ViON to deploy and manage a secure enterprise-class private cloud. ViON can help you embrace the cloud.
Mapping Government’s journey to the cloud 21
Are you ready for cloud? For agencies that want to get out of the business of owning IT resources, the short answer to that question is likely a resounding yes.
“I think everybody in the government can benefit from a cloud model because every agency could use greater predictability in their budgets, an ability to meet a surge in capacity, the ability to have a consistent and reliable disaster-recovery strategy and modernization in their organizations,” Davies said.
It’s not so much a question of whether you should move certain applications to the cloud, but when and more importantly, how.
But Davies also noted that cloud readiness is about much more than a desire or need to adopt cloud services. The real question is: How do agencies know which applica-tions are ready and what workloads are the right ones to move to the cloud?
Some of the greatest barriers to cloud read-iness don’t involve the technology. Often, the issues are misunderstanding, fear and anxiety. To help ease any fears and inform potential cloud buyers, Davies offered these five tips to prepare for the cloud:
Start small. Use a development environ-ment to better understand how an appli-cation is supported before moving it to a cloud environment. If you haven’t done an analysis of that workload or application, you don’t know what interdependencies exist between applications and whether moving them out of your enterprise will affect how they perform.
Focus on non-critical applications first. Ideally, you don’t want to do a technology refresh for a large system and then opt to
move it to the cloud. Consider starting with a system that isn’t critical to performing your agency’s mission and then evaluate more critical systems. Again, a development envi-ronment can help you better understand how the app performs in the cloud.
Consider virtualization. Legacy applica-tions in a mainframe environment aren’t the best candidates to port directly to the cloud because they are older systems that are not modernized to function well. On the other hand, if you have a virtualized environment running VMware or another hypervisor, you could be on the road to cloud readiness for that system. However, you still need to do an assessment of your operational environment and determine if it’s a likely candidate for cloud.
Ensure cloud vendors talk specifics. When you’re talking to vendors about cloud readiness, require that they talk spe-cifics. For example, have them walk you through a checklist of the types of require-ments that you want met when workloads move to the cloud.
Do a thorough assessment of your operational environment. This should be done across all applications to determine the characteristics of all apps, their workload performance, what types of software and what versions those applications are using, as well as the platform they’re running on.
“Our definition of cloud readiness is about being ready for use, and we help agencies through this process,” Davies said. “That means you’ve migrated, you’re up, you’re ready to go and you can turn that over to your user base, wherever they are.”
Choosing the right service model is also part of the journey to adopting cloud solutions. There’s no shortage of cloud
services and options for how to manage and host them, whether in-house or in a third-party facility.
But even before that’s decided, agencies have to consider which applications can and will move to the cloud.
For example, let’s say you’re the head of a fee-for-service agency. You have a major mission application that does all your transaction processing of different charges. And you use this system to col-lect revenues.
That’s probably not the system you’re going to put in the cloud first. That may be the last thing you put in the cloud, or you may not put it in the cloud at all. But then there are other systems and applications, such as public websites, that customers use to interface with your agency and pay their fees.
There are elements of that application you may put in the cloud, but the back-end system and user data may be stored on-premise. The key questions cloud buy-ers should answer when deciding what type of cloud best meets their needs are:
® What do you need to manage?
® What can someone else manage?
® Who is the end user?
® What type of data would be in the cloud?
Agencies must keep in mind that these questions should not be considered inde-pendent of one another. They all play a collective role in assessing what type of cloud can best meet their needs.
Are you ready to embrace cloud?An Interview with Rob Davies, Executive Vice President of Operations at Vion
INDUSTRY SPOTLIGHT
22 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Miami-Dade County: Implementing ServicesThere’s no denying that cloud comput-ing has saved government agencies a lot of money and made IT operations more efficient. But too often conversa-tions about the tangible benefits over-shadow the work required to ensure that those benefits become reality.
Sure, agencies can easily purchase some cloud infrastructure services online with a credit card, but other solutions require more legwork to roll out. Often, agencies work closely with contractors to implement the cloud system, make sure it’s functional and ensure that employees can use the service and integrate it into any necessary backend systems.
Gary Lee, Systems Support Manager for Miami-Dade County’s IT Department, has firsthand knowledge of this process. But unlike many of his government counter-parts, Lee and his technical staff don’t rely on outside expertise to implement cloud solutions. Everything is done in-house.
“We’ve found that one of the big draw-backs of having consultants come in and install applications or hardware is that when they leave, they take away the tech-nical expertise,” Lee said. “And you’re left with just enough knowledge to barely manage infrastructure. With us, we pro-cure, install and manage the infrastruc-ture and do all the equipment refreshes, and all that is done in-house.”
His staff is actively involved in the cloud journey, including the procurement pro-cess and equipment replacements and
upgrades later on. “They’ve been through the whole cycle,” Lee said.
One of the county’s most recent projects involved implementing software to back up its entire virtual cloud environment and replicating data offsite to ensure it is accessible in the event of a disaster or incident. This automated process hap-pens in the background without users even knowing, but it’s vital to the work they do.
“It’s part of the whole cloud deployment,” Lee said of the county’s private cloud environment. “Not only are we deploy-ing the physical infrastructure to provide [departments] computing resources, but we’re also protecting that infrastructure by doing data backups every day, and replicating it offsite.”
In the past, when it came time to recover data from those backup systems, it would take several hours before employ-ees could use their systems again. The department would first have to reinstall operating systems and applications and recover any data lost on the server.
The newer backup technology that the county uses today ensures that everything is saved as a full image, including the oper-ating system, applications and any configu-rations on the server, before it goes down. This change has helped cut recovery time by more than 50 percent, Lee said. The new software has allowed the county to distrib-ute the load of data recovery among differ-ent pieces of software, rather than relying on just one product to do all the work.
Mapping Government’s journey to the cloud 23
Faster recovery times mean the agencies that depend on the county’s virtual cloud environment can get back to fulfilling their missions sooner if there is a disruption.
But having the right technology in place is just part of the equation. Governments need skilled employees who understand how the solutions work and integrate with other systems.
“We actually provision and manage 99 percent of all our infrastructure in-house,” Lee said. “We seldom get a vendor to come in and offer consulting services. It just so happens that our staff are trained and are experienced with managing almost the entire environment.”
Unfortunately, that’s not the norm for most government IT departments. One reason is staff are stuck maintaining legacy systems and they don’t get the opportunity to build their skills. Even those who have the tech-nical expertise may find themselves ham-pered by budgets.
“The success of what you do within IT is really dependent on the level of exper-tise of the technical staff,” Lee said. “And that is what Miami-Dade has. The level of expertise is fantastic, and that has really made the difference.”
“We’ve found that one of the big drawbacks of having consultants come in and install applications or hardware is that when they leave, they take away
the technical expertise.”
Develop your staff’s technical skills through training and new opportunities. Employees should hone their skills and be prepared to compete in any environment, whether it’s work-ing for the county or not.
Keep in mind that it’s about the entire team working together, including the technical staff and managers. Although the techni-cal staff may have great ideas, they must work closely with managers to implement them.
If your IT department provides cloud services, consider using a chargeback model. One of the major problems in IT depart-ments is finding the funds to upgrade technology. But under the chargeback model, the department collects funds from its agency customers and uses that money to maintain and update technology.
TIPS FOR SUCCESS
Gary Lee systems Support Manager, Miami-Dade County’s It Department
24 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Colorado: changing User Experience
With CloudColorado CTO David McCurdy isn’t alone in his quest to make the state a leader in delivering cloud services. But McCurdy doesn’t want that desig-nation just for the sake of it.
“We want to be driving better customer out-comes and better citizen outcomes,” he said. “Colorado takes pride that we’re bringing the best in cloud business to our citizens.”
To achieve that goal, McCurdy focused the state’s cloud strategy around a spe-cific understanding of the five core prin-ciples of cloud services. For a service to be cloud technology, it must enable on-demand self-service; have broad network access, meaning you can access it across the network from any location on a variety of devices; provide resource pooling to serve multiple con-sumers; enable rapid elasticity, or the ability to quickly or even automatically adjust capabilities to meet increasing or decreasing user demands; and it must be a measured service, the transpar-ent monitoring of resource usage and directly tying that to payment.
By using this specific language in requests for proposals, the state ensures that the vendors it uses provide the outcomes its agencies want and need. Cloud must empower them to better serve citizens.
Colorado’s Benefits Management System is an award-winning example of how cloud services is improving the citizen experi-ence. The system’s cloud-based customer portal, Program Eligibility and Application Kit (PEAK), allows citizens to determine their state benefits eligibility. Previously, the process entailed corresponding with
Mapping Government’s journey to the cloud 25
individual state agencies and could take more than 45 days. Now, citizens can use the cloud-based portal to see if they are eligible for a service such as Medicaid within 45 minutes.
“We created a platform that the citizens could interact with directly,” said William Chumley, the state’s Chief Customer Offi-cer. “They’re able to walk through this process without a back and forth that was happening before, either through corre-spondence, or through going into local offices or making phone calls.”
There are more drop-down menus for users to easily enter information.
“It allows them to get directly to the point much quicker, and because we capture the information once and apply it multiple times, now the citizen doesn’t have to re-enter that data over and over and over to apply for additional benefits,” Chumley said.
The front-end portal that citizens use is hosted in the cloud, and some of the data is as well, McCurdy said. But the state is looking to migrate the backend system to the cloud because his internal customers want the benefits of a flexible IT architec-ture that supports innovative solutions and measured services.
Another PEAK feature is the universal application. Citizens who apply for Medic-aid are often eligible for other state ser-vices, especially early childhood services. When people apply for Medicaid, they can find out immediately if they qualify for early childhood benefits, such as daycare. Through this service, the portal promotes greater awareness of state programs and an easier application process.
Hosting PEAK in the cloud offers other benefits. For example, if citizens find that they are not eligible for Medicaid, the por-tal connects them to the state’s health exchange. In addition, the scalability of cloud services allows PEAK to handle mas-sive workloads. With the implementation of real-time eligibility, counties handled 60,000 applications, twice their usual load, without a staff increase.
Chumley noted that PEAK is also unique in Colorado for its use of the agile devel-opment process. The user experience was placed at the front end of the planning process, and implementation included more than 50,000 hours of testing to ensure that the product was usable. The partnership between the Office of Infor-mation Technology (OIT) and the agency customers helped create a more effective and user-friendly product that continues to evolve.
OIT’s tagline is “Serving people, serving Colorado.” Chumley connected OIT’s work with the citizen experience, noting, “We, as a government, are trying to be more effi-cient and offer more elegant solutions for agencies to achieve those five cloud out-comes. Ultimately, that saves the citizen money and delivers a better service to the citizen. That’s really how the whole thing goes together.”
“We want to be driving better cus-tomer outcomes and better citizen
outcomes. Colorado takes pride that we’re bringing the best in cloud
business to our citizens.”
Relate the five core outcomes of cloud computing to user needs. You need to know what ben-efit the end user will actually receive from a shift to the cloud.
Understand your data. You should know exactly what will move to the cloud, and whether it will comply with security standards. This will help you find a vendor that can enable you to provide the best user experience.
You should go into any cloud negotiations with a clear idea of the outcomes you want for your user. Make sure you’re actually entering into a cloud agreement on terms you want. There are vendors that use old platforms behind a new front-facing interface, and they can create challenges, such as lack of scalability and agility, as well as fixed pricing.
David McCurdy Chief Technology Officer, Colorado
TIPS FOR SUCCESS
26 A GovLoop Guide Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates.
oracle.com/governmentor call 1.800.633.0584
Public Sector
Leaders 20 of the 20 Top Global Governments
15 of the 15 Federal Cabinet Departments
50 of the 50 States
20 of the 20 Top Counties
20 of the 20 Top Cities
Get Better Results
Mapping Government’s journey to the cloud 27
The early years of cloud adoption in gov-ernment were marked by curiosity and skepticism about delivering secure IT-as-a-Service, but time has proved that cloud has enormous potential to improve gov-ernment service delivery. Agencies are dis-covering they can simplify their IT, improve back-office business functions, such as procurement and HR, and often reduce costs. The first step to starting your cloud journey is to ask three questions:
® Why do we want to move to the cloud?
® What functions do we want to move?
® How do we make the change?
Why Cloud?Many assume cost savings is the main driver, but the biggest benefit of cloud is the pace of innovation, says Sarah Jackson, Group Vice President, Sales Consulting, Public Sector Applications at Oracle. “We are rolling out enhancements every six to 12 months. The demands of our govern-ment customers are changing and increas-ing more rapidly than ever. Intuitive design, social collaboration, policy automation and mobile capabilities are no longer nice to have. They are fundamental for agile, mod-ern and effective service delivery.”
The cost savings with cloud services is really how much the cloud service pro-vider (CSP) does in ongoing operations, so this makes Software-as-a-Service (SaaS) much more valuable than Infrastruc-ture-as-a-Service (IaaS). Jackson notes that organizations already spend a lot of time maintaining major applications —partic-ularly those that run core government operations like HCM, financials, and citi-zen relationship apps. For these functions, moving to a SaaS model can offer dra-matic savings.
Likewise, Platform-as-a-Service (PaaS) is more valuable than IaaS because it trans-fers more maintenance costs to the CSP, but the advantages of PaaS and IaaS can
transcend pure cost, says Mark Johnson, Director of Modern Platform for Govern-ment at Oracle. He notes that the flex-ibility of being able to create new virtual machine environments at any time and nearly any scale is powerful — almost as powerful as deleting those environments when no longer needed to save money. PaaS and IaaS can also be part of an over-all agency strategy to reduce IT adminis-tration by outsourcing data center and hardware operations.
Which Cloud?Agencies will easily recognize the allure of most SaaS applications. SaaS allows them to stay current on software with-out hefty upgrades and leverage modern technologies for agile program execution. Employees and citizens win with intuitive, mobile interfaces while agencies deliver secure, scalable applications. Adopting a cloud mindset is critical for agencies to be successful in this transition. They must embrace industry best practices delivered by the service, eliminating existing cus-tomizations while receiving two to three software updates each year.
For functions that can’t move to SaaS, an agency should look to PaaS next and see what functions it can leverage from the CSP. Specific advantages of PaaS include helping developers spend less time on maintenance and more time adding value to the organization.
Another decision to be considered is whether to use a public cloud (owned by the CSP and offering limited services) or a private cloud, which may be owned by either the CSP or the agency, but offers complete control to your agency. Efficient private clouds not only beat public cloud economics after two to three years, but they also provide many intangible bene-fits, including allowing you to decide what security to implement, how to deploy services, when to patch and more. If you
need to save money in a tight budget year, then you can defer a hardware refresh in a private cloud, but not in a public cloud.
The Road to CloudAs you create a cloud roadmap, consider both incremental and longer-term transi-tions. Not every application has to move at the same time, but while you are in transition, it’s important to consider how to integrate applications and data across this hybrid environment. Choosing cloud technologies that use open standards for integration and even the same underlying technologies will simplify many integration challenges, Jackson notes. The ability to personalize and extend SaaS applications is also a critical consideration for govern-ments moving to the cloud.
For sensitive data in the cloud there are certification programs, such as HIPAA, CJIS and FedRAMP — but not every system or environment moving to the cloud needs these certifications, Johnson notes. For training or basic development, you shouldn’t use sensitive data, so why pay a premium for a certified cloud? Use the lowest-cost cloud for development or trials of new services, and then migrate the solution to another (secure) location for final test and production.
A Complete Approach to the CloudThe cloud offers governments an unprece-dented opportunity to modernize services and execute more effectively and effi-ciently on their mission. The best approach to when and how to transition to the cloud varies for each organization, which is why Oracle allows customers to personalize their roadmap. Only Oracle offers Public Sector customers the breadth of software, platform and infrastructure cloud services based on nearly 40 years of experience committed to serving the public sector community.
A Complete Approach to Cloud Computing
An interview with Oracle’s Sarah Jackson, Group Vice President, Sales Consulting, Public Sector Applications & Mark Johnson, Oracle Director of Modern Platform for Government
INDUSTRY SPOTLIGHT
28 A GovLoop Guide
Agency Need SecureReqs
DevoEnd of
LifeImplementProcure Use
Hawaii: Planning for Version 2.0Can you imagine living in a world devoid of paper cuts or desks overflow-ing with messy, displaced documents? In Hawaii, state employees are moving in that direction.
“Our governor wants Hawaii to be a paper-less government,” said Hawaii CIO Todd Nacapuy. “In order to be a paperless govern-ment, we need to enable digital workflows.”
But for Nacapuy, the push to paperless has less to do with saving the environment or desk space and more about building a truly efficient government.
“If we can cut down on the amount of time it takes for a document to be processed, we not only save the government time, but money,” he said.
To enable the governor’s goal of going paperless, Hawaii invested in a SaaS E-Sig-nature platform. The reason: You can’t be paperless without a digital workflow. To enable a digital workflow, you must first enable digital signatures.
It sounds a bit complicated. But think of it this way: All employees in Hawaii must sign a time and attendance form known as a G-1 when they want to take a vacation or leave for any reason. They used to manually fill out the document, which needed to be signed first by employees, then managers and then sent to human resources.
“It was really silly how manual that process was,” Nacapuy said. “We’ve just enabled digital signature and digital routing for the G-1 form. Now, anytime someone wants to
take a leave of absence, instead of taking 15 to 20 minutes, it takes two minutes.”
Hawaii’s goal is to have more than 100,000 documents digitally signed in the first six months. And it’s well on its way. In just two months, the state had already filed more than 10,000 digital signatures.
The Aloha State isn’t just focused on the current digital signatures implementa-tion. Officials are also thinking of future implementations — the next round of paperless.
“When we rolled out this program, we brought all the stakeholders in the room,” Nacapuy said. “Our partners needed to understand the state’s business needs, not just for digital signatures but future ones too. If there needs to be a tweak or change to a product, we’re in there with them. We work with them to create a change to the future product.”
In fact, due to the nature of Hawaii’s decen-tralized approach to IT (each agency has its own IT department), the state’s Office of Enterprise Technology Services was in charge of “selling” the cloud technologies to the various departments in an enter-prise-style approach. Hawaii used inter-nal solution delivery managers (SDMs) to market the E-Sign service offerings to the different departments.
“It’s the SDMs’ job to understand the departments’ business needs, their requirements and implement the solution for them,” Nacapuy said.
Mapping Government’s journey to the cloud 29
The SDMs’ sales were made easier for two reasons: First, the CIO’s office was able to get deep discounts from buying the technology at a larger scale. Second, the state’s IT employees were more willing to work with SDMs because they “didn’t feel they were shoving new technologies down their throat,” Nacapuy said. “The process of using SDMs has a very different conno-tation and it helps with adoption in state agencies because it’s not a consultant coming in and telling them how to do their jobs. The SDMs are asking them, ‘How can we help you be more efficient?’”
The process is beneficial to the contractor, too.
“The partner doesn’t have to do the sales stuff, [and] they don’t have to push the product,” Nacapuy said.
But for that partnership to work, there needs to be a lot of trust between the con-tractor and the government.
In Hawaii, officials focus on finding what Nacapuy calls a true partner.
“We are heavily involved with the partner’s design process, and the next rollout of their software. We have direct input into our contractor’s product team on what changes needed to be made to the soft-ware to help our business,” he said. “We’re partnered directly with [the] project team and program team, so the next rollout of their software, they will incorporate specific business needs for the state of Hawaii.”
“Our partners needed to understand the state’s business needs, not just
for digital signatures but future ones too. If there needs to be a tweak
or change to a product, we’re in there with them. We work with them
to create a change to the future product.”
Agencies and contractors alike have to understand the current and future business needs for the government’s use of the technology.
Find a provider that wants to have a true partnership with you. All of those expectations of what you want from a vendor need to be laid out. It’s really about delivering value.
Get leadership buy-in. In Hawaii, the digital signatures launched first with the governor. The governor pushed a mandate that states he’d give priority to sign-ing things that are sent digitally.
TIPS FOR SUCCESS
Todd Nacapuy Chief Information officer, Hawaii
Cloud Computing GlossaryThe National Institute of Standards and Technology set the record straight on what constitutes cloud computing: It’s a model for providing widespread, convenient, on-demand network access to a shared pool of resources, whether it’s servers, stor-age or software applications. But to help you better understand what the cloud has to offer, here are a few key terms:
Cloud Deployment Models Community cloud: A community cloud is used by organizations with shared concerns, which may be a mission, security requirements or compliance considerations. Like the private cloud, it can be hosted by one or more organizations in the community or by a third party and can also be on- or off-premise. Source 1 | Source 2
Hybrid cloud: A hybrid cloud is a mix of two or more cloud types. The individual types remain unique entities, but they are tied together by standardized and propri-etary technology that allows for data and applica-tions to easily transfer from one cloud service to another. Hybrid clouds allow for greater flexibility and more data deployment options. Source 1 | Source 2
Private cloud: Private clouds are designated for a single organiza-tion’s use, though that may include multiple con-sumers. These clouds may be hosted by an organi-zation in its data center or by a third-party company in an off-premise center. Source 1 | Source 2
Public cloud (off-premise): Public clouds are hosted by businesses, academic institutions or government organizations, and they are available for open use by the public. The cloud provider hosts them onsite. Source 1 | Source 2
Cloud Service Models Infrastructure-as-a-Service ( IaaS):IaaS is one of the three cloud service models. In IaaS models, the provider manages the underlying cloud infrastructure, while the user controls the operating system, storage, applications and select networking components, such as firewalls. IaaS platforms are highly scalable and are well suited for temporary and variable workloads. Source 1 | Source 2
Platform-as-a-Service (PaaS): PaaS is one of three cloud service models. In PaaS models, the provider manages the infrastructure, including the network, servers, operating systems and storage. The user manages the hosted appli-cations and user-defined configurations for the application-hosting environment. PaaS lets users develop and run new applications without having to install in-house hardware and software. Source 1 | Source 2
Software as a Service (SaaS): SaaS is one of the three cloud service models. In SaaS models, the user can access the provider’s applications that run on a cloud infrastructure. The user does not manage any part of the infrastruc-ture except for limited user-specific application set-tings. Benefits of SaaS include easy administration, compatibility and global accessibility. Source 1 | Source 2
30 A GovLoop Guide
Cloud service provider (CSP): A cloud provider or cloud service is a company that provides users with cloud computing technology, typically in the SaaS, PaaS or IaaS models. Providers differ in the level of cloud access and control, and users should determine what their cloud needs are before choosing a provider. Source 1 | Source 2
FedRAMP: The Federal Risk and Authorization Manage-ment Program is the government’s standardized approach for securing and authorizing the use of cloud products and services. The program is housed within GSA. FedRAMP uses a “do once, use many times” framework for vetting the security of cloud services. This saves the government time and money. Source
NIST 800-53 (revisions): NIST 800-53 is a special publication on security and privacy controls for federal information systems and organizations. The publication includes rules and con-trols for access, incident response, business continu-ity, disaster recoverability and more. A fourth revision was released in 2015 and addressed the increasing sophistication of cyberattacks and included new con-trols for areas such as mobile and cloud computing, applications security, and insider threats. Source
On-demand self-service: On-demand self-service is one of the five essen-tial characteristics of cloud computing, as defined byNIST. This characteristic means that a customer can use cloud computing capabilities, such as server time and network storage, when they need it with-out requiring human interaction with the CSP. Source
Pay-as-you-go (PAYG): Pay-as-you-go cloud computing functions like utility bills. Customers are charged only for the resources they use. The flexibility allows customers to use the cloud service without any wasted resources. Source
Service-level agreement (SLA): The service-level agreement is part of a cloud service contract. The SLA describes different levels of service with regard to attributes such as cloud availability, serviceability or performance for the user. The SLA also contains specific thresholds for those attributes and lists financial penalties that the provider will incur if the thresholds are not met. Source 1 | Source 2
Vendor lock-in: Vendor lock-in is a challenge customers face when they cannot easily move from one CSP to a compet-itor. This can be caused by proprietary CSP technol-ogy that is incompatible with the competitors’ prod-ucts, inefficient processes or contract constraints, in addition to other issues. This often serves as a barrier to cloud service adoption. Source
Mapping Government’s journey to the cloud 31
About & AcknowledgmentsABout GovLoopGovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowl-edge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquar-tered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to [email protected]. www.govloop.com | @GovLoop
Thank YouThank you to Acquia, Amazon Web Services, DLT, Hitatchi Data Systems Federal, Ora-cle & ViON for their support of this valuable resource for public-sector professionals.
Authors Nicole Blake Johnson, Technology WriterEmily Jarvis, Senior Online & Events EditorCatherine Andews, Director of ContentSonia Chakrabarty, Editorial Fellow
Designer Kaitlyn Baker, Graphic Designer
Photo CreditAll photos licensed for use under Creative Commons 2.0.Nan Palermo, Steven Bratman, U.S. Navy, U.S. Peace Corps
32 A GovLoop Guide
Mapping Government’s journey to the cloud 33
34 A GovLoop Guide
1152 15th St. NW, Suite 800Washington, DC 20005
Phone: (202) 407-7421 | Fax: (202) 407-7501
www.govloop.com@GovLoop