Government officials and industry experts at an Oct. 24 federal cloud lunch event expressed strong confidence that a majority of IT applications would eventually be moved to the cloud, but noted that specific characteristics of those applications would ultimately determine whether they would fit into that majority or be left on premises.
Rather than security concerns, experts said that applications would be least likely to be moved to the cloud if they were single use or didn’t have any scalability needs.
“One of the things that I’ve told folks is, if you have a very consistent usage of data, the data in your environment is constant or constantly growing, you’re not going to get a massive amount of benefit or cost savings from the cloud," said Craig Bowman, vice president of advanced solutions at Verizon.
“Because the way that cloud works is that you get the cost savings by … fluctuation of the usage, so the very first apps you should be looking at for the cloud are those with varying uses.”
According to Dan Kent, chief technology officer of Cisco Public Sector, over time approximately 75 percent of information will be in the cloud rather than an on premises solution. He recently upped that estimate from 50 percent as he saw cloud capabilities evolve.
But Kent said that cloud providers probably won’t put much effort into migrating government applications that are too specific to a single purpose.
“If there’s only one in the world, why would a cloud provider want to provide it that way? Now, if there’s commonality, we’ll try to make that one in the world not the one in the world anymore,” said Kent, adding that future applications the government wants to buy will, by and large, have to be cloud based.
“You’re not going to find many application developers not creating to the cloud, so all your applications that you can buy as a consumer will be delivered in the cloud whether you like it or not.”
The consideration of which application traits are most cloud appropriate is also in line with the Trump administration’s new Cloud Smart initiative, an update on the Obama-era Cloud First program.
“Cloud First is probably not reality, it’s probably more of a hybrid world that comes out,” said Larry Payne, senior vice president for Cisco Public Sector. “I think what Cloud Smart is basically saying is choose the right solution.”
Traditionally, agencies have prioritized what is appropriate for cloud migration based on its criticality, placing the security of the data at the top of cloud concerns.
But experts at the event said that security isn’t necessarily dictated by what is on premises versus offsite in a commercial cloud.
“I think control is an illusion. In government — I came from the government — we believed that if everything was inside those four walls we had control. But the walls don’t define control. Architecture defines control; security is no different if it’s outside your walls or if it’s inside your walls,” said Bowman.
“I think we’ve got to separate hybrid IT from hybrid security, because security is a whole different ball of wax we can talk about moving into a hybrid environment, and I don’t think you can combine the two, because you have to look at the strategy very differently.”
Agencies may also inadvertently have a hybrid-like situation without intentionally moving data to the cloud, because of the way employees or citizens access that data.
“I’m sort of less interested in where something is versus what something is. And so if the data is on-premise in the data center but I access it in my phone, is that now hybrid cloud? Right? I don’t know if we really know. We talk a lot about a protective layer on the data, but we end up with lots of copies of it,” said Jay Huie, secure cloud portfolio director at the General Services Administration’s Technology Transformation Service.
“There are interesting demarcations of when things cross over in that hybrid world.”
According to Claudio Belloli, FedRAMP program manager for cybersecurity at GSA, the introduction of more comprehensive security validations, such as the Federal Risk Authorization Management Program’s High certification, can address many agencies’ security fears.
“It opens up the ability to move more to the cloud,” said Belloli.
Bowman added that security is often better in the cloud. Providers have expectations of updating and patching vulnerabilities on a daily basis that government agencies have a history of being behind schedule implementing.
“It’s not that the cloud is inherently better at security, it’s because the way that we’re doing IT we don’t have all the mistakes," said Bowman.
“There will be mistakes made in the cloud, but when you have a very complicated IT infrastructure, especially with the transient nature of the way people come in and out of especially government, how do you get a knowledge base that knows what’s going on in an environment, keep it moving in the same direction? Versus going with a company that provides this service as their livelihood.”