Federal agencies are under presidential order to consider cloud-first policies when developing IT projects; however, the type of cloud environment they use is left to the discretion of agency officials.

During a cloud panel hosted by Red Hat on Feb. 12, several agency CIOs debated the virtues of public and private clouds, with one suggesting private clouds don't really fit the as-a-service model.

"The private cloud concept is a little bit of a transitional concept between where we were and where we need to be," GSA CIO Sonny Hashmi said. "Are we at the point in the industry where full public cloud can meet all of our challenges in terms of security, control, compliance, auditability? No … So we've kind of invented this intermediate model that we call private cloud."

However, in Hashmi's assessment, private environments miss the key factors that make cloud migration attractive.

The private cloud model "gives us some of the ability, some of the benefits, but it's really not cloud," he argued. "The idea of the cloud isn't to have virtual machines and spin up servers faster. The idea of the cloud is the economics of the cloud — the ability to scale computing and storage and leverage that benefit and being able to pay by the consumption."

Private cloud infrastructure operates in much the same way as public clouds; however, a private setup is restricted to a set number of dedicated servers. While this makes the network more secure, it doesn't allow for the near-infinite scalability offered by hybrid and public clouds.

"The right long-term direction for the industry and government is to make the public cloud providers that have scale that none of us can ever match become secure enough that they can actually meet our expectations," Hashmi said.

He admitted his position is on the extreme side of conventional wisdom but believes that is where the market is headed.

Commerce Department CIO Steve Cooper agreed all government IT should operate on an as-a-service model but said there are times when a private cloud environment is still needed.

"Because of the sensitivity of our data … it will likely be a government community cloud and in the case of the Census Bureau — because we're bound by law to protect that data — might be a private cloud," he said.

Cooper noted the harsh penalties associated with compromised sensitive data, particularly with regard to Census.

"If you are responsible in any way, shape or form for a breach of Census data: 10 years in jail, $250,000 fine," he said. "I've got news for you: I'm not signing off on anything other than a private cloud" when it comes to Census.

The only reason private clouds are in use in government today is due to fear, according to Shishu Gupta, deputy CIO for the National Geospatial-Intelligence Agency.

US Secretary of Defense Ashton Carter speaks during a joint press conference at Camp David March 23, 2015 in Maryland. AFP PHOTO/JIM WATSON (Photo credit should read JIM WATSON/AFP/Getty Images)

"This notion of public versus private should be a temporary thing," Gupta said. "The reason we have a private cloud in the first place really comes down to fear. Some people call that defense-in-depth but I think it's really just fear. You don't trust that the security systems in the public clouds are secure enough or are going to keep up with the advanced persistent threat."

Gupta suggested treating cloud security in a fashion similar to open source code by bringing the communal baseline up to the level of government requirements.

"If we all embrace in the public domain IT security that's as good as what the Intelligence Community needs, we all want that," he said. "When we get to the point where we can trust that in the public environment, then private advocates can back off."

That trust needs to be developed between public cloud offerors and the agencies that would employ their services.

Frank Konieczny, CTO for the Air Force's Office of Information Dominance, said those choices should be made on a case-by-case basis. He set DISA's new security guidelines for the cloud as the standard that really matters.

"We're open to almost any cloud provider as long as they meet the requirements for the data impact levels," he said.