Cloud deployments by federal agencies have been accelerating, albeit slowly. IDC Government Insights forecasts that US agencies will spend approximately $3 billion on cloud projects in FY2014, a healthy $800 million jump from what had been predicted in 2013.

There are several reasons that agencies are turning to cloud deployments, including improved agility, reduced IT complexity and IT spend, and greater collaboration. Yet it is increasingly clear that obstacles are capping broader adoption of cloud services. federal budget officials predict federal cloud spending for FY2015 will come in at $2.9 billion, indicating that cloud migrations will continue to move forward, but that agencies are gently pumping the brakes as opposed to gunning the engine.

A 2014 MeriTalk survey of 153 federal IT executives closely involved in their agencies' cloud deployments delved into cloud adoption obstacles front-of-mind for decision makers. The survey found that agencies want to double their cloud use, but 89 percentof IT pros feel some apprehension about migrating IT services/apps to the cloud. This article examines four key obstacles slowing federal agency cloud adoption, and strategies for agency decision makers to overcome them.

First obstacle: Lack of clarity on cloud migration path

The benefits of a cloud infrastructure – hybrid cloud environments in particular – are becoming increasingly clear to agencies. However, the management challenges around data storage and portability can prove daunting. Wrapping one's hands around a migration path to the hybrid cloud requires addressing questions tied to five key migration phases.

Phase I – Assess existing systems

In this phase, agencies should determine how to best port data to the Cloud, how long migration will take, identifying key stakeholders, determining if there will be a disruption of service for the migration to occur, whether it makes sense to migrate in multiple steps or all at once, and developing a strategy for storage backup and recovery.

Phase II – Determine a methodology for migration

Determine the application portfolios that are currently being used, the performance requirements of these applications, what high-performance applications exist that will need special processing capabilities, security requirements, and if any steps can be automated going forward.

Phase III – Determine which cloud service provider is best for your agency

Agencies should analyze each provider's service offerings, what each provider's pricing scheme looks like, how performance and SLAs are structured, ensuring the selected provider will achieve maximum cost savings given your specific architecture, the ability to avoid vendor lock-in, and what level of interoperability the provider can deliver.

Phase IV – Port your data to hybrid cloud environment

For this phase, determine what kind of replication software makes most sense given your particular applications, whether your hybrid cloud provider offers assistance with this step – especially with the transfer from private to public or vice versa – and if it makes sense for you to invest in a private storage solution to seamlessly and transparently transfer data across your new hybrid cloud.

Phase V – Measure and report the impact

Finally, the agency should track the benefits from the switch to hybrid, specific cloud metrics being used to assess the effectiveness of your systems, how to best track and quantify total program cost savings, determining unforeseen benefits and issues that arose out of the switch to hybrid cloud, and when the time is right to brief agency senior leadership on the total impact of making the switch to hybrid.

Second obstacle: Data stewardship and data governance

Federal agencies are moving beyond utilizing a single cloud infrastructure, and are as likely today to employ a portfolio of public, private and hybrid clouds based on their specific needs. Historically, moving data across/within/from multiple clouds has not been a practical reality, because data has mass and isn't easy to move. This makes data stewardship and governance one of the toughest aspects of the cloud, more so than networking or bandwidth.

The MeriTalk survey underscores this fact, indicating that agencies still manage 71 percent of data stewardship themselves, turning the rest over to cloud vendors. Until agencies have the confidence to entrust data stewardship to cloud vendors, the benefits of cloud adoption will remain restricted. The good news is that 56 percent of federal IT pros surveyed say their agency is implementing data stewardship or a more formal data governance program for their cloud services and vendors; this is important, as those actively improving their data governance programs are more likelyto say they are comfortable turning their IT services over to cloud vendors.

For agencies, improving data stewardship will require letting some of it go. Agencies seeking a balance between scalability and security will gravitate towards public computing and the use of public networks and servers – a hybrid cloud arrangement that allows agencies to maintain control of their data while fully maximizing cloud-computing economics. Cloud providers are increasingly delivering solutions that provide agencies with the ability to build logical separate and secured multi-tenant domains into their cloud-computing infrastructure. As a result, agencies can maintain stewardship of their data while safely and cost effectively consuming cloud services – making hybrid clouds an increasingly attractive option for agencies.

Third obstacle: Information security

Data in motion presents security hesitations for agencies. Data is not only moving from on-premise to off-premise, but increasingly between different cloud environments. While information can be secured via encryption services, cross-cloud user authentication, access management and key management become problematic as multiple services are consumed.

According to the MeriTalk survey, only one in five IT pros is fully confident in their cloud vendor's security. That said, agencies and cloud vendors are taking concrete, coordinated steps to better secure data in the cloud. Of those sharing security responsibilities with their cloud vendors, the MeriTalk survey found it was being done for the following security functions:

  • Encrypt data in transit (33 percent)
  • Manage access to cloud-based applications (31 percent)
  • Support intrusion detection (31 percent)
  • Force regular password changes (27 percent)
  • Force data to be saved in managed locations only (26 percent)
  • Ensure monitored use of USB flash drives, SD media, etc. (26 percent)
  • Ensure 24-hour room monitoring for data center (25 percent)
  • Implement daily hardware/software patch release monitoring (24 percent)
  • Implement Virtual Private Network (VPN) (23 percent)
  • Provide annual information security training (22 percent)

Security remains one of the greatest obstacles to accelerating agency cloud adoption, and there is no magic bullet to allaying these concerns. Addressing this challenge is not easy, but leveraging solutions that can, for example, secure data at rest and create data fabrics that can be used to control and protect the flow of information across multiple cloud service providers represent significant steps in the right direction.

Fourth obstacle: Risk Management

Agencies struggling with striking the right on-premise/off-premise balance must develop processes for determining tolerances for risks associated with loss of data or availability. A strong case exists for certain services to remain on-premise – first and foremost those with real-time performance and latency specifications. There are other use cases where proximity to source or the volume of data prevents its movement. For these environments, network bandwidth is either cost prohibitive or unachievable because of the physical limits of the transport.

The final use case is sensitive or classified information processing that must be protected with the highest confidence and in accordance with national security protection profiles. Military agencies, for example, might be shifting email to the Cloud, but may want to keep it housed internally to retain ownership and operation.

These risk obstacles vary greatly based on agency mission and application, but ultimately they must be addressed to overcome internal or systematic fears of losing control of key data.

Improving risk management can be achieved by developing data governance processes. While technology advances will improve cloud service offerings, a strong risk management framework that outlines the risks, tolerance profile and incident response for data security leads to successful cloud adoption.

Kirk Kern is CTO, Cloud Technologies, NetApp U.S. Public Sector