Service agencies conjure their own clouds
GSA, DISA and the National Business Center offer cloud services, but uncertainties about security, software licenses linger
Like many government managers, Doug Bourgeois sees cloud computing as a novel idea. But as director of the Interior Department's National Business Center, an office already in the business of service delivery, cloud computing is not as foreign to him as it might be to others. In fact, the NBC is getting into the game.
The department is ramping up a set of information technology infrastructure services that it plans to offer other federal agencies as part of its new cloud initiative. NBC plans to put the service into testing in a month.
For Bourgeois, the idea of offering infrastructure services, such as virtual servers, is the next logical step in service delivery. The agency already offers human resources, accounting and other services to other agencies on a fee-per-use basis. Adding cloud computing seems perfectly natural, even inevitable. "The business models upon which we deliver our services will change fundamentally in three to five years," Bourgeois said.
NBC is not the only service agency offering cloud services to fellow federal agencies. During the past month, the Defense Information Systems Agency expanded its Rapid Access Computing Environment (RACE) to include cloud computing, and the General Services Administration opened a government storefront, Apps.gov, that will allow federal managers with purchasing privileges to obtain collaboration and other forms of commercially available cloud-based software packages.
As most agency IT managers start to test cloud offerings, government IT service providers, such as NBC, DISA and GSA — agencies whose place in the government landscape is selling services to other agencies — are jumping in, offering their own government-focused cloud services.
"It makes sense," Bourgeois said. They are already used to the service model and are comfortable with multitenancy, or hosting multiple users within a set of servers.
"It boils down to economies of scale," he said. "We already have large scale, so we didn't implement a bunch of new infrastructure to support the cloud. We simply migrated our existing infrastructure over to a virtualized environment, which we were going to do anyway."
Meanwhile, cloud computing is a hot topic among federal IT managers.
"There is a tremendous amount of hype and not much of a consistent understanding of what cloud can accomplish. Government has a long way to go before cloud computing is an integral component in the federal IT landscape," said Tim Young, senior manager at Deloitte Consulting and former deputy administrator of the Office of Management and Budget's Office of E-Government and Information Technology. Deloitte helped NBC study the feasibility of offering cloud services.
For government agencies, the idea of moving some operations to a cloud seems appealing. However, it won’t be simple. Concerns over security, data privacy, the acquisition process, standards and service-level agreements are among the chief issues that officials grapple with when thinking about cloud deployment, said Peter Tseronis, deputy associate chief information officer at the Energy Department and chairman of the Federal Cloud Computing Advisory Council. Tseronis spoke as part of a cloud computing panel at the Virtualization, Cloud Computing and Green IT Summit, held recently by the 1105 Government Information Group, which publishes GCN.
When the council was formed earlier this year, one of its first tasks was to get feedback from agency IT chiefs on the questions and concerns they had about cloud computing, Tseronis said. With those issues in mind, the council is establishing working groups to deal with each problem.
In many ways, government cloud providers are already ahead of the curve. They understand the market and have done much of the work related to building cloud services in the process of strengthening their own data centers. They could be the natural choice to introduce cloud computing to agencies at an operational level.
NBC already had about 80 percent of what it needed to build a cloud offering, Bourgeois said. Many of the services it already offers, such as payroll, finance and human resources services, rely on business applications that users can access via a network. "A core portion of those business services is driven by the applications we use to deliver those services," Bourgeois said.
To support its own systems, the agency also developed robust business process management capabilities, virtualization and backup capabilities for its two data centers in Denver and Herndon, Va. So it would be a natural step forward to make its business services — and even the underlying infrastructure — available as a cloud offering.
The remaining technical steps should be fairly simple, Bourgeois said. The agency is in the process of developing a customer portal, somewhat like Apps.gov, and establishing account management support, automatic provisioning, metering and billing.
NBC plans to offer a full range of cloud services, from individual business software programs tweaked to meet government standards to full hosted environments that would allow agencies to host their own software without the hassle of procuring servers and supporting hardware. NBC will use x86 and IBM Z-Series mainframes that run Linux.
Overall, the basic infrastructure-as-a-service offering will be ready for testing in a month. Initially, clients can access those resources via dedicated network connections, although NBC eventually will offer the services by virtual private network via the Internet. Unlike many commercial providers, NBC will have the infrastructure in place for high-transaction applications, Bourgeois said. "Everything we do is transaction-based, so we're comfortable with offering that."
At first, payment will be based on a reservation model, with clients reserving virtual servers on a month-by-month basis. Pricing will be based on CPU and memory usage. At present, the standard termination clause is 60 days, although that will be shortened to days or even hours. Getting up to speed on a service can happen in as little as four days.
Both of NBC's data centers are compliant with the Federal Information Security Management Act, and the agency is implementing security zones for its cloud service. "We physically and virtually separate production standard traffic from production high-security traffic," Bourgeois said. "They are separate from the network coming in. They are separate from the virtual network. They are separate from within the devices and they are separate in the logical partitions within our virtual environment. The traffic cannot mingle."
In addition to the separation, high-security traffic will get a much higher level of vulnerability scanning, and the data will be encrypted in transit and at rest. The service will be based on Security Enhanced Linux.
The agency is aiming to offer the basic infrastructure as a service for low-security development testing within a month. The platform as a service, which will have development tools on top of the infrastructure service, is expected to be available later this year. Production-ready and high-security versions of those services will be coming in early 2010.
Infrastructure on demand
Like NBC, DISA's mission is to act as a service provider for other government bodies. In DISA's case, the customers are other branches of the military. And like NBC, DISA is expanding its existing services into a cloud offering. This month, DISA began offering infrastructure as a service through RACE for other military agencies to use. Instead of waiting six months to get a fully provisioned server, a military unit can get a virtual one within four days.
DISA launched RACE a year ago as a self-service environment for defense developers to provision virtual servers and test new applications in a safe environment. The agency has expanded the offering as a production platform. The applications that are best served by that environment are lighter ones that could easily run in a standard Microsoft Windows or Linux environment. Convoy control systems, satellite controls or smaller command-and-control systems would work well.
"It would almost be the same sort of applications that you would [deploy] within a commercial hosting company," said Henry Sienkiewicz, technical program director of DISA's computing services.
The service offers Windows Server and standard Linux, Apache, MySQL and PHP stacks. The basic service runs $1,200 per month per server. Users can provision as much as 1T of storage. The provisioned servers will be accessible via the Unclassified but Sensitive IP Router Network and, beginning in the second quarter of fiscal 2010, the Secret IP Router Network.
Although DISA is using virtualization to maximize server use, users do not need expertise in virtualization management. To them, the service appears as a preloaded, preconfigured server, Sienkiewicz said. Once commissioned, virtual servers can be operational in 72 hours, and agency officials hope to shorten that time to less than 24 hours.
One advantage DISA offers over commercial hosting companies is its familiarity with meeting Defense Department security standards. In the new environment, accreditation for production systems takes about 40 days, or about half the time it typically takes to get a new system audited and accredited for military use, Sienkiewicz said.
"Applications developed in the RACE testing environment inherit all the information assurance controls in the production environment, and that streamlines a great deal of human intervention," which shortens accreditation time, he said.
Like NBC and DISA, GSA thrives by offering services, in this case acquisition services, to other federal agencies in more economical ways than the agencies could arrange for themselves.
Not surprisingly, its own, newly introduced cloud services offering, Apps.gov, was assembled from existing contractual vehicles established with vendors.
"The underlying procurement vehicle for Apps.gov is the GSA Schedule 70," said Casey Coleman, GSA’s chief information officer. Agencies will be able to acquire services quickly because GSA has already prenegotiated the contracts with vendors. Like NBC, Apps.gov offers most services on a month-to-month basis with relatively static pricing. As more tools are developed to measure closer usage statistics, the pricing model will become more dynamic, Coleman said.
Tseronis noted that the first round of services available at Apps.gov has been commercial software packages from vendors such as Salesforce.com. But by the end of the year, infrastructure as a service will likely be offered by the cloud storefront. Infrastructure as a service will be the foundation of the cloud-based service offerings on the site, he added.
Ways to go
Despite the groundwork that government cloud providers have done on government-based services, managers for all the programs say there are still problems in areas such as security, procurement rules and software licensing.
One of the chief security impediments has been government accreditation. Systems must comply with rules set forth in FISMA, a 2002 law that prescribes a number of steps an agency must take to reduce security risks in IT systems.
"There is no question that aspects of FISMA must be modified to support the cloud model," Bourgeois said. "The FISMA structure assumes that you can draw an entire box around the application and infrastructure."
Software as a service can fit comfortably within this definition, as long as the software provider is willing to be audited — not always a given in commercial environments. In its own software services, NBC can maintain the accreditation itself. But with other offerings, such as infrastructure as a service, the responsibility of complying with FISMA is split between NBC and the client. How to document that shared responsibility remains unclear.
In another session at the summit, Coleman advised that the software services offered on Apps.gov have not been accredited for secure government use — agencies still must qualify the software. Even so, the cloud model might provide benefits. One approach to keep in mind is that the cost of accreditation could be shared across different agencies, especially if the service is fairly commoditized.
Another key issue is the task of renegotiating licensing deals from commercial software providers. Much of the software NBC needs to supply infrastructure as a service — server software, databases and such — can only be procured via old-fashioned enterprise licenses.
"The traditional enterprise license agreement that software providers want to bring to the table requires the service provider to outlay the money upfront for the entire enterprise license, and then you have the ability to provision those licenses as clients accessing your system," Bourgeois said. "That just doesn't work in a cloud model. The service providers are taking all the risk and paying upfront" for services that might not be used.
Bourgeois said that is especially problematic because the projected use of NBC's cloud services can vary wildly. And because much of the cost savings is based on a shared-usage model, charging full price for each copy of a program that might be used or for every customer that might use that program would cut into the savings that cloud computing is supposed to generate.
Hardware vendors seem to have come to terms with the pay-as-you-go route. For its cloud services, DISA hammered out an agreement with Hewlett-Packard and Sun Microsystems in which each company would outfit DISA with fleets of servers in the agency's data centers but only charge for the servers that DISA used. NBC struck a similar deal with its vendors.
However, short-term challenges don't seem to be stopping federal service agencies from charging ahead. As a result, all agencies could have the option of using cloud-based services. "In the long run, cloud computing will enable agencies to move away from physical computing infrastructure and toward applications that will exist in a highly scalable environment," Young said.