Industry experts are expecting 2015 to be a significant year for federal cloud adoption as the space begins to mature. Getting to that maturity level poses some challenges, however, few of which are related to the technology itself.
The cultural and managerial challenges of the cloud are most pronounced when it comes to Infrastructure-as-a-Service, particularly in regard to giving up control, shifts in responsibilities and the nuances of incremental procurements.
When compared to other cloud services — like Platform-as-a-Service, Software-as-a-Service or Email-as-a-Service — federal agencies aren't generally as knowledgeable about IaaS, according to Lee Tamassia, director of business development for government markets at QTS.
"They're certainly as aware of it but perhaps not as knowledgeable about how to leverage it," he said.
Infrastructure — housing servers and guaranteeing uptime — is "expensive and it takes a lot of upfront capital to buy the necessary hardware and all the software and the associated infrastructure to stand up systems," Tamassia said. "And behind that you have to hire people to run and manage it … Whereas as you go to the cloud you're essentially taking that large upfront expense and transitioning it to more of an incremental, operational expense, so it's much easier on the budget."
While IaaS is usually more cost effective, "Change always involves some challenges," Mark Ryland, chief solutions architect for AWS Public Sector, said.
And when it comes to infrastructure, those roadblocks are rarely an IT issue.
"The challenges we have aren't technology," said Bud Michels, senior director for cloud solutions at General Dynamics IT. "The major challenges are the ability for the business owners to let go and let their data be somewhere else."
For many federal agencies, getting past the idea of giving over ownership of their IT systems is a major culture shift.
"There is still — and understandably so, particularly in federal — a mindset behind being able to touch and manage the actual underlying infrastructure," Tamassia said.
Risk managers, in particular, often "have adverse reactions to just giving up control of their data to any cloud provider," Michels said. "Their job is to protect information. They don't want to be in front of congress — and you can't blame them."
To quell those fears, "Companies have to form a trusting relationship and make sure [agencies] understand we have processes in place to protect their information," he said.
Those relationships should be solidified during contract negotiations, according to Matt Sexton, chief information security officer at CCSi.
"You are relinquishing quite a lot of control if you're using their hardware, their solutions. But the workaround there is to work with the CSPs upfront … so you can monitor what's going on, so you know that everything from the hypervisor down is secure," he said.
While the feeling of ownership is an important factor, it really boils down to security concerns.
"Talk to anybody in the cloud market and they'll say the No. 1 hesitation people have about the cloud is security," Tamassia said.
He credited the FedRAMP program for creating a framework that gives agencies confidence that data held by cloud providers will be secure. However, he believes that concern should be "flipped on its head."
"Cloud systems are run by service providers where this is all they do every day," Tamassia said. "Their attention is 100 percent on security," whereas IT managers are often focused on the next project, not maintaining infrastructure. "Going to a cloud provider can actually provide a better sense of security, rather than a do-it-yourself approach."
Changes to workflow
As agencies move away from managing their own infrastructure, staffing needs will change and organizational structures might be altered.
However, CCSi Senior VP for Emerging Programs and Services Sue Palermo cautioned against simply getting rid of the IT department.
"The people that were taking care of the infrastructure, you don't need them to do that, however you may need to maintain some of those skills and expertise," she said. "You want somebody who really understands that, who can talk with the cloud service provider about what they're providing for you and how they meet performance metrics."
As agencies employ more service-based systems, the roles within the IT department will change and likely require some measure of retraining.
"We have customers where the backup guy used to do a physical job and now he sits at a computer and does the same basic work — more efficiently because of leveraging the tools — but skills training was part of the transition," Ryland said.
Budgeting for as-a-service
The security officers and IT managers won't be the only ones adapting to change in the as-a-service environment. Contracting and acquisition managers will have to adjust to a new style of procurement, as well.
"One of the nice things about cloud is that it's very, very scalable," Tamassia said. "If you need more compute power or more storage … you can generally go into a provisioning portal and spin up additional resources in the cloud."
While this is the major strength of IaaS, it also creates a unique challenge to budgeting.
Agencies have to consider "How does that fit within a federal budgeting process where you have 'x' amount of dollars to spend every year? How do you ensure that you don't blow the budget?" Tamassia said.
In IT, "People are used to doing capital-based procurements," Ryland said. "There might be people in the procurement shop that say, 'I don't know how to buy something by the drink; I don't know how to deal with variable costing.' In that same agency there might be procurement people who do that all the time — when they buy professional services, when they buy power, when they buy telecom — but that's not the IT peoples' strength."
Ryland suggested offering specific training to those procurement officials in order to get the full cost benefits of IaaS.