The Cloud Imperative: Better Collaboration, Better Service, Better Cost

A Comprehensive Guide for Best Practices in Cloud Computing for State and Local Governments

Prepared by TechAmerica Foundation’s State & Local Government Cloud Commission (SLG-CC)

February 2012


TechAmerica Foundation, 601 Pennsylvania Avenue, NW, North Building, Suite 600, Washington, DC 20004

The Cloud Imperative: Better Collaboration, Better Service, Better Cost

Acknowledgements

TechAmerica Foundation gratefully acknowledges the contributions of the dedicated professionals who made possible this report, specifically the Commissioners, Deputy Commissioners, and Government Advisors. Each generously shared their deep knowledge and long experience with state and local government technology issues and implementations. Through their leadership and broad participation, we realized the mission of this Commission.

Leadership

Chair

Tarkan Maner, Wyse Technology, Inc.

Vice-Chair

Daniel Kent, Cisco Systems, Inc.

Vice-Chair

David L. Cohn, IBM

Commissioners

Andrew Walker, 42six Solutions

Kim Niederman, 8x8, Inc.

Tom Davies, ACS, A Xerox Company

John Stuhrenberg, AT&T

PG Menon, Brocade

William F. Clark, CA Technologies

Sean Rhody, Capgemini Gov’t Solutions

Aldona Valicenti, CGI

Gareth Patterson, Cognizant Technology Solutions

Kevin Hanes, Dell

Paul Clemmons, Deloitte Consulting LLP

Bethann Pepoli, EMC Corporation

Scott McIntyre, Google

Steven Perkins, Grant Thornton LLP

Jim Sweeney, GTSI

W. Wyatt Starnes, Harris Corporation

Bob Otterberg, HP

JP Balakrishnan, Infosys Public Services

Rick Herrmann, Intel

Michael L. Moore, KPMG LLP

Richard Johnson, Lockheed Martin IS&GS

Stuart McKee, Microsoft

Winston Damarillo, Morphlabs

Jim Acquaviva, nCircle

Kevin Paschuck, Oracle Corporation

Bill Birnie, Panasonic Systems Networks

Jack O’Connor, SAIC

Jacqueline Vanacek, SAP AG

Ned Miller, Symantec Corporation

Ashok Balasubramanian, Syntel

Robert Geiger, TransLattice, Inc.

David Asprey, Trend Micro

Steven Peacock, Unisys Corporation

John Considine, Verizon

Sean Jennings, Virtustream

State & Local Government Cloud Commission Staff

Carol Henton, TechAmerica Foundation

Michael Kerr, TechAmerica Foundation

TechAmerica Foundation I SLG Cloud Commission

Executive Summary and Foreword

Just as political, social and economic structures change and transform society, Information and Communication Technology (ICT) has rapidly evolved to better address consumer and organizational needs. ICT’s most recent redefinition has taken shape faster than ever because technology innovation cycles are shrinking. Toward the end of the last decade, a substantial innovation cycle began with three major simultaneous paradigm shifts: wide-spread use of social media, ubiquitous mobility and pervasive big data.

Now add a fourth sweeping trend to the disruptive technology mix: cloud computing.

While some initially saw the cloud excitement as mere hyperbole, those who have used cloud to solve real-world problems have proven otherwise. Many organizations are realizing important benefits through improved service driven by improved collaboration and integration — all while enjoying the benefit of lower cost. Through shared platforms capable of delivering ICT applications and services, state and local government organizations can do the same.

The timing is fortuitous. Political, social and economic realities are driving federal, state and local governments both to improve services and to save money. Cloud can do both.

Sensing the convergence of these business and technology trends, in September 2011 the TechAmerica Foundation formed a group of experts to develop guidance for helping state and local governments evaluate, adopt and implement cloud computing. This State and Local Government Cloud Commission (SLG-CC) initiative follows the Foundation’s earlier release of a blueprint for the U.S. federal government’s adoption of cloud computing, which supported the Obama Administration’s cloud-first strategy for government technology and for driving U.S. commercial leadership and innovation.

Tarkan Maner, President and CEO of Wyse Technology, leads the Commission. David L. Cohn, Ph.D., Program Director, Smarter Cloud, T.J. Watson Research Center, IBM; and Cisco’s Public Sector CTO, Daniel Kent, co-chair the Commission. Numerous experts drawn from business, government and industry serve as SLG-CC Commissioners and Deputy Commissioners (A list of Commissioners and Deputy Commissioners is available at the back of this report and on the Commission’s website: SLG-CC Community Portal).


This paper is a distillation of the SLG Cloud Commission’s efforts. It addresses cloud access and deployment challenges that are unique to states and localities — including procurement practices — and provides recommendations for surmounting barriers. In producing its recommendations, the Commission considered delivery of critical services to the public, such as healthcare, human services, and education, and discussed ways that large, complex programs can best leverage the cloud.

While the paper addresses technical subjects, it also covers business and policy issues for a broad audience. A document targeting only technologists would do little to move the adoption of cloud computing forward or speed the delivery of enhanced government services to constituents. Building on its knowledge of technology innovation and business process re-engineering, the Commission seeks to establish a widely shared communication process that draws all state and local stakeholders into a common cloud computing vision: better collaboration within and between government agencies; better service to government employees, to the public and to citizens; and all delivered at a better cost to taxpayers.

This paper and the related web portal will not answer all of the questions or address all of the issues around cloud computing for state and local governments. Rather, they will create a knowledge framework for cloud computing. From the start, the Commission has collaborated with leading state and local government policy makers, ICT executives and vendors to build a basis for further collaboration and idea exchange. The Commission believes cloud computing and its surrounding technologies will continue to evolve rapidly. As needs and requirements change, technologies and processes will respond. The Commission is dedicated to further developing this paper and the web platform for future needs.

A final thought: This report and its companion web platform are called: “The Cloud Imperative: Better Collaboration, Better Service, Better Cost.” The Commission encourages state and local governments to engage on cloud and, quite frankly, to join the cloud revolution. While not the last word on this important subject, this white paper does mark the start of an on-going public/private dialogue, describing the business impact of cloud computing, providing best practices and allowing government employees to leverage what others have done.

So welcome to the cloud…and to the transformation of ICT-based services in state and local government.

Figure: Global IT Mega Trends for Mega Business Benefits (labels: Big Data/Intelligence; Social Media; Mobility and Consumerization of IT; Secure Cloud Computing Frameworks; Improved Collaboration; Improved Service; Lower Total Cost of Ownership)

Tarkan Maner

President, CEO and Chief Customer Advocate

Wyse Technology, Inc.

David L. Cohn

Program Director, Smarter Cloud

T.J. Watson Research Center IBM

Daniel Kent

Director, Public Sector Solutions & Federal CTO

Cisco Systems, Inc.

Jennifer Kerber

President

TechAmerica Foundation


Table of Contents

Introduction: Cloud for State & Local Government

Understanding Cloud Technology
  Picking the Right Cloud Solution: Physical Layer Considerations; Abstraction Layer Considerations; Service Models; Service Layer
  Key Technology Issues: Portability; Security and Privacy; Data Protection; Identity Management; Security Incident Response; Vulnerability and Risk Management
  Takeaways and Recommendations

Implementing the Cloud
  Cloud Readiness Assessment
  Risk Management and Governance
  Implementation Best Practices: Preparing and Planning; Implementation and Deployment; Program and Project Management; Managing Culture Change; Managing Process Transformation; Operations
  Takeaways and Recommendations

Acquiring the Cloud
  Selecting Procurement Vehicles
  Deployment Model Considerations
  Architecture Design Considerations
  Key Contractual Terms
  Funding Streams
  Takeaways and Recommendations

Final Summary and Conclusions

Appendix I: State and Local Government Cloud Examples

Appendix II: Follow Up Links and Resources


Cloud for State & Local Government

The Commonwealth of Virginia migrated its procurement process for 171 organizations to a cloud solution, saving $30M annually. Its “eVA” has become a benchmark for other states in their cloud strategy and initiatives.

Despite today’s budget constraints, some state and local governments have won “good government” awards and industry recognition for delivering more services more efficiently to more citizens at lower cost.

How have they earned such distinction in today’s economic climate?

They have been moving to the cloud.

For education, health and human services, public safety and even email — moving ICT to the cloud can transform a discouraging budget shortfall into a world-class result.

This report shows how state and local governments can use cloud computing. It explains what cloud is and how it can transform government. It identifies successful uses of cloud and sources of advice on how to better serve citizens — and annually save up to tens of millions of dollars. It shows that cloud’s support for enhanced collaboration and improved services make it an imperative for state and local governments.

Background

Governments, like other organizational users of information technology, have traditionally purchased and operated their own hardware and software. With the new cloud computing approach, a provider entity offers some or all of these ICT resources as a service, reducing what the government must do for itself. The provider supports a group of cloud consumers, reducing cost, increasing flexibility and promising improved operations. Like all new technologies, cloud raises important questions and poses novel concerns, but it also offers compelling opportunities. This report draws on industry experts and early adopter experience to help state and local governments answer questions and resolve concerns so they can benefit from opportunities.


TechAmerica Foundation’s Cloud Commission for State and Local Government examined five key aspects of cloud:

Issues for State and Local Government — Key concerns and benefits of cloud computing for governments.

Technology for Cloud Computing — Key technical issues to consider when moving to cloud computing.

Implementing the Cloud — A four-stage management structure for transition to cloud.

Acquiring the Cloud — Procurement vehicles, business models, funding streams and contractual terms for cloud.

Case Studies & Success Stories — Examples of how state and local governments are acquiring and using cloud.

In addition to this paper, the Commission is creating the SLG-CC Community Portal (www.cloud4slg.org), an on-line repository of real-world experiences of state and local government with cloud. It will add case studies and resources and cultivate a community of interest spanning governments and technology providers.

Defining the Cloud

Many forms of cloud are available today. There are clouds to host start-ups’ new web sites, clouds to store individuals’ photographs, clouds to deliver software applications, even clouds that host entire enterprise and government infrastructure. In each case, cloud provides attractive economies of scale, giving consumers what they want when they want it at reduced cost. Cloud solutions will also provide significant value to state and local governments. Of course, neither cloud technologies nor governmental operations are simple, and the transition from traditional information technology to cloud must be handled with care and concern.

Some simplified figures will illustrate various ways cloud can deliver services and indicate the responsibility of providers and consumers. Figure 1 shows the traditional approach to information technology where states and localities (in different colors) each handle their own hardware and software (shown in the consumers’ colors).

With cloud computing, some or all of these resources are provided as services in one of three cloud service models. For example, a cloud provider could handle just the basic hardware and operating system (OS) layers, offering Infrastructure as a Service (IaaS) as shown in Figure 2. The figure uses white for the hardware layer since there is not a separate, physical hardware box for each consumer. Rather, a special software layer creates multiple virtual hardware and operating system images on a single computer. This process of virtualization is critical to giving cloud its key features. With IaaS, the consumer manages the middleware and applications, but leaves the hardware and (usually) the operating system to the provider. This is important for those consumers (like start-ups creating web sites) that want specific middleware or need to scale ICT resources automatically to meet varying demand.

Figure 1 Classic Computing without Cloud

Figure 2 Public Cloud for Infrastructure as a Service

Figure 3 Public Cloud for Platform as a Service

(Each figure shows stacks of APP, Middleware, and Hardware & OS layers.)

Customers who can use standard runtime platforms may choose a Platform as a Service (PaaS) cloud like that in Figure 3. The provider offers a standard middleware platform (shown in grey) on which applications can be run. Consumers focus on the application software and leave platform management to the provider.


Increasingly, software developers are delivering their applications as services, allowing consumers to dispense with on-site computing resources. Figure 4 shows such a Software as a Service (SaaS) cloud (where everything is grey). Its applications often support new capabilities like multi-tenancy that allows multiple consumers to safely share single application instances at lower cost.

A community cloud is a compromise between the public and private deployment models. It restricts availability only to a selected set of consumers with shared concerns (like agencies of a state government or municipalities in a region), and hosts only approved applications. Figure 6 uses a green field to indicate the community of consumers that can access this Software as a Service community cloud.

Figure 4 Public Cloud for Software as a Service

Figure 5 Private Cloud for a Single Consumer

Figure 6 Community Cloud for Software as a Service

(Each figure shows stacks of APP, Middleware, and Hardware & OS layers.)

1 Darrell M. West, “Saving Money Through Cloud Computing,” Brookings Institution (April 7, 2010). www.brookings.edu/~/media/Files/rc/papers/2010/0407_cloud_computing_west/0407_cloud_computing_west.pdf

A cloud can be available in one of four deployment models which determine who can use its services. A broadly available public cloud (like those above) is open for use by the general public. A large organization, like a major commercial enterprise, may want its own private cloud where all users are part of that organization. As shown in Figure 5, a private cloud tightens the trust scope, but reduces economies of scale and leaves data center ownership, maintenance, housing and operations in the hands of the consumer.

The state of Michigan built its award-winning MiCloud Automated Hosting Service to deliver Infrastructure as a Service to state agencies in a shared services community cloud. Their next steps include building a hybrid model to extend IT capacity even further to support ongoing agency transformation projects.

As cloud becomes more common, multiple clouds will likely be combined in a hybrid cloud deployment model to further seamlessly and transparently extend ICT capacity.

Benefits for State and Local Governments

These are difficult times for state and local governments. Budgets are down and needs are up — creating pressure to do more with less. Cloud computing can help with budgets, starting from day one.

Reduced operating expenses — Most state CIOs agree that “controlling IT costs” is key. Cloud computing leverages economies of scale and uses consolidated, centralized computing resources to minimize ICT cost. A Brookings Institution study pegs these cloud-specific public agency savings at 25–50%.1

Governments are essentially information-driven businesses, but they’ve generally been ineffective users of information. In fact, when the 9/11 Commission wanted to help governments improve terrorism defenses, they said:


“The culture of agencies feeling they own the information they gathered at taxpayer expense must be replaced by a culture in which the agencies instead feel a duty to the information — to repay the taxpayer’s investment by making that information available.”2

Today, cloud is helping government improve public safety. For example, the Lake Havasu, Arizona police department migrated its email and other applications to the cloud so that law enforcement could access information anytime, anywhere from their vehicles or smart phones to better “protect and serve.”

And Castle Rock, Colorado is accessing sister city Aurora’s COPLINK software in the cloud to improve crime-fighting with comprehensive information sharing and collaboration among all levels of state and national law enforcement and public safety agencies.

Cloud computing won’t directly change government culture, but it will provide a platform that eases culture change.

Improved information use — Cloud replaces stand-alone business processes and data systems with centralized resources, including information. This will improve access to data, help employees do their jobs and enhance constituent interaction with government.

Sharing information is a beginning, but cloud can do more. As the National Association of State CIOs (NASCIO) wrote:

“Cloud computing is a technology strategy that enables more than simply optimizing computing utilities. It enables strategies for optimizing government business services, and achieving new levels of orchestration of government services across a state, a region and even nationally.”3

This will take time and effort, but it should be a goal of any cloud implementation.

Increased government effectiveness — Cloud supports resource sharing between and among units while preserving their independence and data integrity. It simplifies collaboration within and across governments and helps identify and implement best practices. Globally, governments are using cloud computing to better protect their citizens and make their cities more resilient.

Issues for State and Local Government

Some cloud computing issues are particularly important for state and local governments. Governments want efficient and effective operations, but they also are committed to the welfare of their communities. Thus, even though cloud computing can shift or reduce workload in some areas, it can foster innovation and create even more jobs in others. With proper planning, the transition to cloud can include provisions for staff involvement and skills enhancement to produce a substantial contribution to economic development.

The City and County of San Francisco has invested in implementing cloud certification training tracks for IT support personnel as part of its “Cloud First” policy. Helping staff learn new, updated skills to better position themselves for future cloud initiatives is a critical element of the overall success of “Cloud First.”

Additionally, when the Texas Workforce Commission migrated its email to a SaaS service, not only did they not incur any new project costs, but they also lost no jobs while achieving a clear and measurable annual cost savings.

State and local laws often dictate how governments buy things, sometimes complicating the acquisition of cloud computing. By acting together, governments and industry can develop contractual and services standards to ease this process. Procurement models like those developed for the Western States Contracting Alliance (WSCA) have worked well for other types of ICT purchases, and can be replicated for cloud.

One of cloud’s great strengths for governments is to be a catalyst for collaboration. Today, many governments are “siloed,” with limited information sharing between, and even within, departments and agencies. Mayors and governors have repeatedly said they want cloud to integrate information across their cities and states. A regional group of governments could create a community cloud for sharing services and for improved, information-based cooperation.

All organizations want the information they place in a cloud to be secure, but governments have particularly tough security and privacy requirements. They may need to keep sensitive information inside geographic limits or even within designated buildings. Some information, like public safety data, educational histories and healthcare records, needs tight privacy protection, and cloud computing can provide it. Given the sensitivity of government officials to public opinion, these privacy and security issues must be fully, clearly and openly addressed.

2 The 9/11 Commission Report, p. 417. www.911commission.gov/report/911Report.pdf

3 Eric Sweden, “Capitals in the Clouds, Part III, Recommendations for Mitigating Risks: Jurisdictional, Contracting and Services Levels,” NASCIO (2011). www.nascio.org/publications/documents/NASCIO_CloudComputing_PartIII.pdf


Technology for Cloud Computing

Cloud consumers don’t deal directly with technical details. The cloud provider manages the facilities, selects and maintains the hardware and delivery software, handles communication with vendors and owns the service delivery elements. These matters are reflected in the service levels that the provider guarantees for the consumer. These are somewhat technical and include considerations like system responsiveness, expected “up time,” communication speed and service reliability.

There are, however, technical aspects of a government’s cloud decisions that need to be understood even by policy makers. For example, the selection of the appropriate cloud service model depends, in part, on the technical responsibility a consumer can accept. With IaaS, the consumer doesn’t operate a full computing center but does need to install and manage some system software, middleware and applications. A PaaS cloud can be used to develop and run custom applications, and only requires managing applications. With SaaS, the consumer can focus on the operational aspects of using the applications.

Regardless of which service model is used, cloud consumers must understand how their provider supports these functions:

Portability — The cost and complexity for the consumer to change providers.

Service Management — Service acquisition and monitoring and user identification.

Security — Consumer and provider roles in assuring an acceptable level of protection.

Privacy — The collection, communication, use and disposition of personal information.

Implementing the Cloud

Transitioning to cloud pays increasing dividends as more processes are migrated. With foresight and planning, the initial steps will provide savings to help fund follow-on activities. The four-phase management framework in Figure 7 can assure successful cloud deployment.

Assess Cloud Readiness — Identify business goals, ICT imperatives and level of current cloud maturity, and plan transition to desired ICT process maturity.

Assess Risk and Plan Governance — Early focus can eliminate undue risk and help meet target standards and requirements.

Located in a hurricane zone, New Hanover County, North Carolina moved email and collaboration apps into the cloud to ensure that critical communication infrastructure was “always on” to respond and mobilize in emergencies.

Implement the Solution — Help technical work proceed according to plan using proven practice and accepted standards.

Operate Cloud Solution — Meet objectives by carefully transforming culture and business processes.

Acquiring the Cloud

Buying cloud solutions can be complex for state and local governments. However, alignment between government and industry on definitions, approaches and purchasing mechanisms will allow broader acceptance, adoption and utilization of cloud. Eventually, buyer’s guides and standardized service definitions can identify vetted cloud providers for the more common services.

Classic government procurement vehicles for ICT are generally ill-suited to cloud computing. They’ve been used, but can be slow and must add conditions on portability, security, privacy and service levels. Cloud-specific procurement vehicles have also been developed, typically for services shared by multiple departments. Cross-government consortia and the federal government are beginning to help states and localities more easily purchase cloud solutions through new procurement vehicles.

Since cloud consumers must trust their data to the cloud provider, data governance is key to any cloud purchase. This broad and evolving discipline ensures that only the right users have the right access to the right data. Private clouds minimize data governance concerns, but still must assure proper access control. Community clouds that follow a common data governance structure mitigate data security and multi-tenancy issues. Public clouds are less controlled, and governments tend to use them only for non-sensitive data.

Figure 7 Cloud Implementation Lifecycle (Assess Cloud Readiness; Assess Risk and Plan Governance; Implement the Solution; Operate Cloud Solution)

All cloud consumers must consider the pricing model and required service levels, and purchase agreements should also include terms of disengagement and provisions for sensitive data. Governments may want to specify cloud location and ownership as part of their purchase, explicitly require data and asset segregation policies, and stipulate background checks for support personnel. For instance, privacy laws are very different in the U.S. versus the European Union versus China. Knowing where one’s data sits in the cloud as part of the contracting process is a necessary step to ensure data privacy.

There is significant value in collaboration within and among governments on cloud acquisition. Joint efforts have addressed the concerns of risk-averse officials about portability, security and records management. Together governments are realizing the benefits of cloud, saving taxpayer dollars and delivering better and broader services.

Analysts are predicting the broad emergence of regional cloud hubs where one government agency provides cloud-based computing services to others within its home state and across state lines.4

4 Best Practices: Regional Community Cloud Hubs — The New “Trickle Down” Effect That’s Boosting State and Local Computing, IDC Government Insights, Document #G1232470.


Understanding Cloud Technology

In considering the right cloud computing option, the services must enable the customer to port solutions and change cloud providers as necessary; to manage, monitor and meter demand; to assure an acceptable level of security; and to safeguard the handling of personal information.

Cloud providers make cloud services available to users, including state and local government employees and the people who depend on state and local government services. Cloud providers represent, therefore, the technology backplane on which cloud services are built and delivered. Service deployment can take the shape of public, private, community or hybrid clouds.

The most common cloud models are:

1. Public Cloud — A public cloud is one based on the standard cloud computing model in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.

2. Community Cloud — Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the benefits of cloud computing are realized.

3. Private Cloud — Private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally.

4. Hybrid Cloud — Hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another.


Using these service definitions, a state and local government agency — recognizing that it will ultimately maintain an active role in planning, overseeing, monitoring and assessing cloud performance — begins to determine the type of cloud service configuration that most closely matches its requirements.

Picking the Right Cloud Solution

Service Orchestration and Service Management

Physical Layer Considerations

The determination process begins by considering the physical information technology resources like computers, storage and networks and facility resources like HVAC units. Critical considerations are the ability of the cloud provider to manage performance, to provision and de-provision physical resources on demand and to handle diverse workloads. A cloud provider’s performance management technologies should be sufficient, for instance, to assure resource isolation and Wide Area Network (WAN) optimization.

Abstraction Layer Considerations

Software is used to simulate and manage physical resources. The cloud provider uses software to access and control the physical environment. Software “abstractions” like hypervisors, virtual machines and virtual data storage enable the one-to-many scale up of infrastructure that lies at the heart of cloud computing. Virtualization technologies impact utilization and performance, virtual machine portability, virtual machine management, scalability, interoperability, supportability and cost.

Service Models

There are three cloud service models:

1. Infrastructure as a Service (IaaS) — cloud providers deliver compute infrastructure, storage and networking as a service. Rather than purchasing servers, software, data-center space or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis; the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. IaaS is ideal for customers who want to retain control over their applications and data.

2. Platform as a Service (PaaS) — cloud providers deliver a computing platform and/or solution stack as a service. PaaS is ideal for customers who want to focus on development and deployment of applications and want to eliminate the cost and complexity of buying and managing the underlying hardware and software layers.

3. Software as a Service (SaaS) — cloud providers deliver software as a service over the Internet. SaaS is ideal for customers looking to utilize software and only worry about data. Examples of SaaS include Email as a Service (EaaS) and Data as a Service (DaaS).

Service Layer

Interfaces allow cloud users to access the cloud services. Under SaaS the cloud user enjoys network access to a variety of off-the-shelf and custom-built applications. Thus users need technologies that enable web access, central management, automated upgrades and patches, and application program interfaces for enterprise integration.

In the PaaS service layer, cloud users have access to the tools and execution resources required to develop, test, deploy and manage the applications hosted in a cloud environment. For platform management and configuration technology, using virtual machines as the basic building block but customizable through templates should be the primary focus.


Users of IaaS services have access to virtual computers, network-accessible storage, network infrastructure components, and other fundamental computing resources on which they can deploy and run systems and software. Agencies utilizing IaaS environments should be most concerned with technologies for provisioning, monitoring, metering and migration of compute, storage and network capabilities.

In considering the right cloud computing option, the services must enable the customer to port solutions and change cloud providers as necessary; to manage, monitor and meter demand; to assure an acceptable level of security; and to safeguard the handling of personal information.

Key Technology Issues

Portability

Migrating to and from cloud computing environments is, first and foremost, the responsibility of the customer. The customer must evaluate the best solutions and their ramifications.

IaaS and Portability

With the cloud user controlling the database, middleware and software in the IaaS service model, portability concerns might appear to be minimal. But the reality is that the desired portability objective in the IaaS service model is a layer lower than these resources, concerning the ability to move virtual machines to and between different cloud platforms and providers and thereby avoid lock-in. Most enterprise application solutions require tightly coupled multi-tiered server models that are supported by virtual networks. All such relationships and controls must also ‘port’ with the machine images for a successful re-deployment.

PaaS and Portability

In the PaaS service model the cloud user no longer controls the platform (database, middleware, development environment, and related resources). In the PaaS service model, the user seeks the ability to migrate an application and associated data from one PaaS environment to another. Here, proprietary development environments and middleware may lock in cloud users or force them to re-write code and retrain programmers in order to move to a new platform. Exacerbating this situation is the fact that service providers may choose to differentiate themselves by offering a wide array of “platform services” — most of which are likely to be proprietary features which can quickly result in service provider dependency and lock-in. Users should consider open source solutions and platforms that support industry standards like OpenStack to avoid vendor lock-in.

SaaS and Portability

Cloud users at the SaaS level lose additional control because commercial off-the-shelf (COTS) software can be configured but not customized. The user cannot control the actual software application or the data structures used. Portability in the SaaS service model is the ability to migrate data (since applications are not owned) to another service provider’s SaaS environment — perhaps running the same core COTS application, or one that provides similar functionality (e.g. CRM application) — without a loss of data or end-user functionality.

Security and Privacy

While security and privacy issues like authentication and authorization are not new, they require new perspectives in the cloud environment. For instance, the opportunities for central authority implicit in cloud computing increase the options for coordination and standards adoption and allow enhanced security certification.

Like other users, state and local governments need to be aware of the security questions and issues associated with the cloud, regardless of the deployment model, and what technologies are available and deployed to overcome these challenges. Straight talk, supported by plenty of case studies, can help reduce security and privacy concerns.

Thus, cloud users need a clear security policy. This policy should cover all security-relevant aspects of information security, including personnel, information, facilities, hardware and software. The user cannot simply sign away organizational responsibility for information security. Best practice requires that the user retain a role in governance, defining an overall security program and policy covering all lifecycle activities. Policies must be visible throughout the organization, carry the weight of management, and assign responsibilities. Policies should be updated as needed, and they should be supplemented by the use of standards, procedures, and related guidelines that enable implementation of policy. To the extent that the cloud service provider performs a security function or activity, the user must be able to point to the relevant service provider policy or service level agreement (SLA) and monitor changes.

When Larimer County, Colorado built its PaaS solution to centralize constituent data sharing between non-profit agencies to streamline authorization and distribution of food, clothing and housing assistance to needy families, data security was key. The PaaS model allowed IT staff to tailor different levels of secure data access by type, agency and use, while still enjoying the “IT mass customization” benefits of the cloud deployment model. This was critical since some sensitive data could only be made available to select agencies on a case-by-case basis.

Because security will likely be a shared responsibility, the user organization should select a cloud service provider based in part on the provider’s attention to security and how it compares to current practices, including the ability to leverage security capabilities built into cloud access devices. The provider should make key security practices reasonably transparent to the user, including information about risk assessment, control, practice and incident response.

Top issues impacting security and privacy in the cloud include:

• Data Protection

• Identity Management

• Security Incident Response

• Vulnerability and Risk Management

The following sections address some of the security issues for each of these topics and the technology implementations that help address them.

Data Protection

Data protection is a common security concern when moving data and applications to the cloud. Whether data resides in a dedicated private cloud environment or a shared multi-tenant environment, cloud users must ensure that their data are properly stored and located, consistent with state and local legal requirements; protected and isolated while residing in the cloud; that records get legitimately deleted when no longer needed; and, that the storage space is properly sanitized once the data are removed from the cloud.

Identity Management

When organizations utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication-related challenges such as credential management, strong authentication, delegated authentication, and managing trust across all types of cloud services. Managing identities and leveraging directory services to provide access control is essential for effective cloud security. State and local government agencies should verify that their cloud environment (whether private or public) supports at least one of the prominent standards (SAML — Security Assertion Markup Language, WS-Federation, or OAuth) for identity management.

Security Incident Response

Proper and adequate incident detection, response, notification, and remediation are required when migrating workloads to cloud computing. State and local governments must understand and negotiate adequate contract provisions and procedures for incident response. At the same time, cloud providers must have a transparent response process and mechanisms to share information with their subscribers during and after the incident. Still, many incident response considerations are directly related to the technologies employed in the cloud environment.

Incident response in cloud environments requires sound infrastructure management coupled with robust monitoring and alerting. For internal clouds, organizations need to have strong management capabilities and visibility into their systems. Virtualization tools enable organizations to run their infrastructures and set up their own monitoring. Some of these tools include virtualization-specific log management and intrusion detection, data leakage protection, security event management, anti-malware and quarantine capabilities (including Network Access Control, or NAC).

Vulnerability Assessment and Risk Management

One of the keys to ensuring that a cloud service is protected from vulnerabilities is employing a continuous monitoring approach. Continuous monitoring refers to the ongoing observation of an organization’s networks, information, and systems. It allows for responses that accept, transfer, or mitigate risk as situations change.

Continuous monitoring helps manage risk by allowing agencies to prevent data loss, respond rapidly to attacks, and predict future threats. While continuous monitoring alone does not provide a comprehensive, enterprise-wide security solution, it is a key component in the SLG cloud risk management strategy. Continuous monitoring is essential for protecting all elements of a cloud environment. Continuous monitoring should be employed at a minimum for change management and vulnerability assessments.

Almost all security issues can be detected and mitigated by simply detecting change in an environment. Changes in firmware and software can open holes in a security implementation that, if undetected, can open up vulnerabilities in a cloud environment and leave it subject to attack.

Continuously monitoring and validating changes using automation within the cloud environment is essential for maintaining a secure cloud. Automation methodologies like Security Content Automation Protocol (SCAP) provide excellent methods for automating and controlling continuous monitoring deployments. Change validation is a key element of an effective cloud security implementation. Validating cloud environments against known-good references allows cloud users to gauge their security profiles and effectively manage risk.
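The change validation described above, sketched as an added example (it is not from the report and is not an implementation of SCAP): it records a known-good baseline of file hashes and permission bits, then classifies later drift as approved or unapproved. The function names, the constructed sample files and the `approved` change-record mapping are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record SHA-256 and permission bits for every regular file under root."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and special files are out of scope here
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        state[path.relative_to(root).as_posix()] = {"sha256": digest, "mode": mode}
    return state


def validate(baseline, current, approved=None):
    """Compare the current state with the known-good baseline.

    `approved` maps a path to the SHA-256 that a change record says the file
    should have after the change (a hypothetical change-management feed).
    Returns (path, change, status) tuples sorted by path.
    """
    approved = approved or {}
    findings = []
    for name in sorted(set(baseline) | set(current)):
        ref, now = baseline.get(name), current.get(name)
        if ref is None:
            change = "added"
        elif now is None:
            change = "removed"
        elif ref["sha256"] != now["sha256"]:
            change = "content-changed"
        elif ref["mode"] != now["mode"]:
            change = "mode-changed"
        else:
            continue  # matches the known-good reference
        # Approved only when the resulting content matches the change record exactly;
        # removals and permission changes are never auto-approved in this sketch.
        ok = (
            now is not None
            and change != "mode-changed"
            and approved.get(name) == now["sha256"]
        )
        findings.append((name, change, "approved" if ok else "unapproved"))
    return findings


def demo():
    """Constructed sample tree: take a baseline, introduce drift, validate."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hypervisor.conf").write_text("isolation=strict\n")
        (root / "etc" / "audit.rules").write_text("log=all\n")
        (root / "firmware.bin").write_bytes(b"\x01\x02\x03 v1.0")
        (root / "agent.py").write_text("print('monitor')\n")
        os.chmod(root / "etc" / "audit.rules", 0o640)
        baseline = snapshot(root)

        # Approved change: a firmware update whose hash is on the change record.
        new_fw = b"\x01\x02\x03 v1.1"
        (root / "firmware.bin").write_bytes(new_fw)
        approved = {"firmware.bin": hashlib.sha256(new_fw).hexdigest()}

        # Drift with no change record behind it.
        (root / "etc" / "hypervisor.conf").write_text("isolation=off\n")
        os.chmod(root / "etc" / "audit.rules", 0o666)
        (root / "etc" / "extra.conf").write_text("debug=1\n")
        (root / "agent.py").unlink()

        return validate(baseline, snapshot(root), approved)


if __name__ == "__main__":
    for path, change, status in demo():
        print(f"{status:10} {change:16} {path}")
```

In practice the baseline would be stored and signed somewhere the monitored system cannot modify, so that a compromised host cannot rewrite its own reference.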

Looking Ahead

Cloud computing is continuing to evolve, providing new ways to serve consumers. It will, for example, change to accommodate the paradigm shifts to ubiquitous mobility and pervasive big data. As users become mobile, they interact with the cloud from different contexts (hardware capability, connectivity, security level), and soon cloud will be able to support context aware applications. The dramatically increasing volume of data stored in the cloud will enable increasingly sophisticated analytics that will help consumers improve and manage their operations.

Key Takeaways

• Deployment models take the form of public, private, community or hybrid clouds;

• Service models take the form of IaaS, PaaS, and SaaS;

• Hardware standardization is important but not always available. Easily replaceable, commodity hardware and solutions that support open standards are a must in cloud environments;

• The virtualization software used to access and control hardware is a primary cloud evaluation consideration;

• Migration and portability from one cloud environment to another is the responsibility of the customer. Each cloud service level represents its own special portability challenges;

• Cloud computing increases the need for due diligence with respect to security coordination, standards adoption and certification. Cloud users should create clear security and identity management policies and insist on the same from providers;

• For data protection in the cloud, data retention records need to be maintained and data should be isolated, encrypted and sanitized and removed when necessary.

Recommendations Recap

• Picking the right deployment and service models should be a primary consideration;

• Authentication must be managed across all cloud environments; cloud environments should include identity management and related user protection capabilities;

• Encourage cloud providers to limit the use of proprietary tools and storage platforms;

• Understand the issues behind portability to avoid service provider lock-in;

• Security incident response must be clearly addressed in contracts, with procedures in place. Providers should have a transparent response process;

• Employ continuous monitoring for risk and vulnerability management.



Implementing the Cloud

Data center consolidation. Virtualization of critical applications and resources. Emerging technologies. Continuous change will be the order of the day for state and local government IT (SLG IT) services agencies for the next ten years. So an ounce of preparation will be worth a pound of cure. Four key stages are fundamental to cloud computing success: business case and readiness assessment, risk assessment, implementation, and operation of the new environment (Figure 8).

Figure 8: Cloud Implementation Lifecycle. Stages shown: Cloud Readiness, Risk Assessment, Implementation, Operations.

These four phases should be part of any cloud planning process and be included in any major initiatives regarding applications and infrastructure.


Cloud Readiness Assessment

What’s the best way to leverage cloud computing? What business needs will be addressed by cloud adoption? Am I ready for a cloud solution? How do I build a long term roadmap? To answer these questions, state and local government officials need to generate a plan based on a pragmatic framework. A cloud readiness assessment is the place to start. The assessment should take into consideration strategic business goals and ICT imperatives. It should also objectively compare the current state ICT process maturity against the planned state ICT process maturity. Such an approach enables the organization to plan effectively for implementation and ensure that the cloud adoption and implementation are strongly aligned with the business vision. The assessment will help the organization to minimize risks, disruptions, project delays, and budget over-runs during implementation and operational phases.

Since adoption of cloud computing on a broad scale is likely a series of projects deployed in a sequential manner over many years, a cloud readiness assessment process should be considered a “living document” which can be updated based upon new objectives or initiatives. Whether done internally or with help from a partner, a readiness assessment is a best practice for starting any cloud initiative within the agency. Finally, implementation of any products and services provided by a vendor should include an assessment of that vendor’s capabilities and compliance with a contract or SLA. Vendor assessment should be performed after the cloud readiness assessment in order to minimize vendor lock-in and maintain an objective approach.

In the absence of an Executive or Legislative mandate to consolidate more than fifty (50) email systems across many disparate agencies, the state of Oregon had to develop an extremely compelling business case to build sponsorship and drive adoption of an email consolidation roadmap that included the use of a SaaS-based email solution. Over the past year, use of the SaaS-based solution has tripled from five to fourteen agencies and one local government. As a result, Oregon has achieved impressive IT savings. The state’s methodical approach offers an excellent example of how a powerful business case and collaboratively developed consolidation roadmap can be applied to drive change in a challenging environment. This Oregon case study and other documents can be found in the SLG-CC Community Portal at www.cloud4slg.org.

Figure 9 provides a graphical depiction of the assessment project structure.

Risk Management and Governance

Cloud adoption, taking place over multiple years and incorporating multiple projects, requires a clear understanding of risk and firm governance models. Information can be leveraged to make decisions about the appropriate cloud models for an agency’s applications based on data classification and associated risk. Luckily, several standards, guidance documents, and risk models already exist. Implementing a risk framework and governance model and institutionalizing these tools into the agency’s operating environments are highly recommended for safe cloud adoption.

Here’s a general game plan for making it happen:

Understand the application assessment — An application assessment should be carefully planned and executed for every application moved to the cloud. From a technology and operational perspective, the target cloud environment must provide similar performance and service capabilities as the current environment. This means reviewing current operations, procedures, costs, technology and service levels to make sure the new cloud is a match for the organization’s applications needs. Start with an application inventory and application profile. Use the information to create a data classification policy in order to measure compliance and enable governance. The policy will ensure that the appropriate availability, integrity and confidentiality are provided at the necessary levels for all identified assets and controls implemented where most needed.

The key deliverables of an assessment should include the following:

• Cloud Computing Business Case and ROI

• Cloud Vision, Strategy and Customer Benefits

• Application Assessment (inventory and target application profile)

• Operational Impact Analysis (processes and organization)

• Technical Impact Analysis (infrastructure, applications, people skills)

• Current and Future State Architectures (high level plan)

• Governance and Risk Impact Analysis

• Security Impact Analysis

• Financial Analysis (benefits to all agency stakeholders)

• Roadmap and Resource Planning to build or buy cloud services


The State of Ohio has established a data classification policy which clearly describes both criticality and confidentiality attributes to be considered when implementing a cloud infrastructure.5

The State of Colorado has a similar policy. They provide the following description which sums up the importance of collaboration between the business and IT…

“Data classification is not just the act of designating or labeling data as ‘confidential’ or ‘critical.’ It involves close collaboration between business units and IT organizations to work through issues that go well beyond IT. The classification of data is truly a business function, not an IT function, based on business rules and federal and state regulations.”6

Map applications to the data classification policy — Leverage this opportunity to improve communications and collaboration with business owners in understanding the data which resides in the application and the applications with which data are shared. Medicaid applications may have the highest criticality and confidentiality, which will determine the cloud model that is right for the business owners and ICT. GIS applications may have a lower risk profile.

Figure 9: Cloud Readiness Assessment Project Structure. Elements shown: Project Kickoff; Cloud Strategy Work Stream; Application Assessment Work Stream; Operations and Governance Assessment Work Stream; Technical and Architecture Assessment Work Stream; Financial Analysis Work Stream; Project Wrap-up.

Experts in data management and open data access can be found in the state of Oregon, who leveraged their expertise in Geospatial Data Management to implement the nation’s first citizen social interactive state data portal as a SaaS cloud service located at Data.Oregon.gov. This breakthrough online system offers access to both state-specific as well as federal data (available via Data.gov), to provide a rich, no-cost public information service for decision makers, researchers, journalists, developers, residents, and other governments with a variety of information needs.

Utilize the data classification policy and application mapping to make decisions — Cloud computing deployment should be based on acceptable risk levels, appropriate for each application and in consideration of other related applications or data connected to that application. If business and ICT leaders have a low risk tolerance, they may decide to leverage a private cloud model or approach where they have the most control given the sensitive nature of the application information. Similarly, for GIS data or other applications which contain information that is already publicly available, public or community cloud models may be implemented.

Identify architecture gaps and “to be” state for technology architecture — Keeping in mind the various cloud models, risk tolerance, and data classification mapping, define a “To be” architecture. Again, multiple cloud models should be considered based on levels of risk. Combining or integrating various cloud models can enable flexibility, control and security options necessary.

5 State of Ohio IT Policy, Investment and Governance Division, March 19, 2008.

6 State of Colorado Information Asset Classification Policy, October 8, 2010.

Recognize the importance of governance and risk mitigation model — Together, these steps form a long-term framework to reduce risk and maintain security. Figure 10 represents an example of a governance framework where local ICT and business leaders collaborate to write policy and make decisions on risk tolerance for implementing cloud technologies, and how Federal ICT leaders interact at local levels to establish Federal policies and standards. For a “deeper dive” into data governance issues, visit the SLG-CC Community Portal.

Figure 10: Cloud Governance and Policymaking Framework. Entities shown: State/Local CIO, Federal CIO, FedRAMP or Other Cloud Standards Bodies, Agency/Department CIO, State/Local CISO.

Finally, the data governance approach also needs to be sure of the legislative and policy framework within which it exists — and the impact of regulation, audit, inspection, administrative law (such as the Data Protection Act, the Freedom of Information Act, and Human Rights legislation), and the guidance on information sharing.

Implementation Best Practices

Adopting well-established ICT program and project management best practices is essential to cloud planning and implementation. Integrating cloud delivery resources into an organization’s infrastructure and moving applications into the cloud will be a sustained and long-term process. Following the principles of good ICT project management means seeing the big picture — and ensuring that technology, process, policy and people are considered and included in the change process. Agencies that rush to deploy technology alone could increase their risk of project failure, unnecessarily expose data and users to security threats, and slow the realization of benefits from the deployment of that technology.

The City and County of San Francisco (CCSF) IT management took such a “people/process/technology/policy” approach when developing their Cloud Computing strategy. For example, they first sought ratification of a “Cloud First” policy to secure ongoing sponsorship for broad cloud adoption. They then encouraged cloud certification training for designated IT personnel to re-skill their staff to support the cloud computing model. And finally, in their email migration to the cloud, they selected a solution that could offer an on-premise/off-premise SaaS solution for maximum flexibility, with the ability to bring the infrastructure in-house later if their business or IT needs changed.

Because cloud computing is an emerging business and technical market, implementation best practices can be difficult to define. They also depend on the requirements, use cases and readiness assessment of the entity considering cloud migration. A basic series of recommended best practices follows:

Preparing and Planning for Implementation

Taxpayers expect more than to see their critical state and local government services “lost in the clouds,” so begin the implementation process by being inclusive, complete and candid. Spell out and agree on the mission, purpose, goals, objectives, and performance metrics of a cloud computing program right from the start.

• Create a core evaluation team comprised of ICT, business, legal and finance, and executive members. Leverage the help of vendor community professionals capable of demonstrating a comprehensive implementation framework and tools aligned with industry standards and proven success in cloud transformation initiatives;

• Determine “proof of concept” strategies for those who may otherwise be risk averse;

• Define clear business cases and performance goals for adoption of cloud services based on industry proven use-cases. Establish which process indicators will measure the business value of cloud investment;

• Consider joint acquisition as an implementation step and encourage up-front planning for multi-tenant environments. Budgeting for the cloud is a considerable shift for both IT leadership and the owners or custodians of that service. The shift from a capital intensive, project-based budgeting model to an expense-based, shared model requires a significant effort in financial planning and communication;

• Identify agency services and/or application candidates that will move to the cloud and how such movement will result in tangible usage benefits such as scalability, elasticity and interoperability as well as potential cost savings. In doing so, analyze the technical architecture trade-offs. Define evaluation criteria for objectively identifying candidates to be moved;

• Define a cloud services adoption strategy and roadmap in alignment with prioritized business cases and create a formal communications plan not only to inform but to promote adoption of the cloud;

• Define a detailed architecture design artifact aligning business and technology. Both service models (IaaS, PaaS, SaaS) and deployment models (Private Cloud, Public Cloud, Hybrid Cloud, Community Cloud) must be included. Quality of Service (QoS) requirements such as reliability, availability, serviceability, scalability, and security must be defined and approved by all enterprise stakeholders;

• Define the additional business and technical questions that must be addressed as a user and those that must be answered by cloud providers. For instance, if a customer wishes to move their workload away from a cloud provider, can that be done at low cost and with minimal disruption (i.e., does the cloud provide portability)? Can a customer concurrently employ multiple cloud providers to achieve a single goal at low cost (i.e., does the cloud provide interoperability)? What support for security can cloud providers offer to allay concerns about how customer data are protected from unauthorized disclosure or modification, and what kinds of availability requirements can cloud providers satisfy? Government agency adopted use-cases with prescriptive guidance and case studies from sources such as NIST should be referenced;

• Analyze industry-accepted standards, best practices and use cases from leading standards bodies such as NIST, and align them with the agency’s cloud adoption strategy and roadmap;

• Define compliance, security and recurring audit requirements that conform to agency requirements. Incorporate direction and guidance from government accepted sources;

• Define cloud provider vendor requirements that must be included in contractual agreements such as portability, back-up, data access/transfer, QoS requirements, key performance indicator reporting capabilities, threat detection/incident management, as well as regulatory compliance certifications;

• Verify the type and number of environments that are needed for the application/service being moved to the cloud (i.e. production, test, development).

Best Practices During Implementation and Deployment

Once a cloud computing engagement is underway, many “best practices” fall into the domain of the cloud service provider. Still, there are steps that can keep the process running efficiently and effectively:

• Plan and conduct pilot tests for services requested;

• Verify QoS requirements and validate risk and mitigation plans;

• Use vendor-neutral “cloud middleware” wherever possible;

• Minimize the technical architectural complexity;

• Keep loosely coupled components and asynchronous message-based, parallel execution as a guiding principle;

• Peer review solution architecture requirements compliance;

• Consider a disaster recovery plan that involves an alternate provider; understand the capacities and capabilities of your providers to play a backup role should one provider have a catastrophic event.

Program and Project Management

Select a production proven, robust delivery framework and tools designed to help state and local government agencies achieve a phased approach to cloud adoption. Table 1 shows the elements state and local governments need to consider in such a framework.

Table 1 Sample Cloud Program Management Planning Framework

• Business Case

• Governance, Risk, and Compliance

• Adoption assessment approach

• Integration and orchestration plan

• Architectural impact review

• Privacy and security management

• Organizational operating model

• Training and staffing plans

• Business process capability map

• Quality assurance plans

• Business model/strategy

• Communication plans

• Cloud ecosystem summary

• Change management plans

• Cloud adoption maturity model

• Data management plans

• Cloud vendor selection approach

• Maintenance and support plans


Select a project management team with experience in program/project management principles, state or local government business and cloud computing. Such a team likely will be composed of both internal and external expertise and human resources. In evaluating vendors and suppliers, first determine if a “cloud broker” is needed or a “cloud provider” is sufficient. A cloud broker can help the agency mix and match from competing solution providers, but this may introduce short-term time and cost delays.

In selecting any solution, whether independently or through a broker, avoid specialized components, hardware and proprietary appliance usage (if proprietary solutions offering exceptional capabilities are selected, be sure that these include mechanisms that avoid vendor lock-in). Like managing any utility, understand the range of available billing and usage monitoring options. The depth and breadth of service support may also differ depending on cloud service provider. Understand the service support options and trade-offs, and have QoS requirements defined ahead of time. Pilot and test environments can help avoid costly problems, so having them available is a plus. And, of course, because every program and project plan is subject to change, have an exit strategy ready to go.

Managing Culture Change

The move to cloud computing is as much about people as it is about technology — the feelings, beliefs, attitudes, customs and norms of conducting work and transacting business. Cloud computing seeks economies of scale and service innovation. Economies of scale involve doing more with less, and spreading the benefits of more productive operations to the broadest group of stakeholders. Innovation involves leveraging on-demand elasticity, massive scalability, rapid prototyping and experimentation in imaginative ways not possible without the features provided by the cloud to create new and higher value services to citizens.

Larimer County, Colorado offers a stunning example of how the cloud computing approach can help governments deliver more with less. In developing its PaaS solution to centralize constituent data sharing between non-profit agencies, an IT staff of one person working 35–40% FTE on the project was able to complete it in only 8 months. It was the ready availability of the low-cost PaaS model that permitted quick application development and deployment at very little cost. As a result, numerous non-profit agencies are being added to the PaaS solution at only $5,000 each to get started, with a nominal monthly subscription fee for ongoing use. Only with a cloud computing deployment is it possible to achieve so much so quickly with so little investment up-front. The cloud truly does enable “doing more with less.”

When it comes to state and local government agency use of the cloud computing model, gaining the economies of scale and leveraging innovation means providing more and better government services at reduced cost to constituents. So the case for change and the vision of cloud computing should be clearly documented and governance defined. In particular, special effort may be needed to educate and gain the support of elected officials. The people impacts need to be understood and a workforce development plan created. Stakeholders include those creating, using, and supporting cloud-based solutions. Managing culture change successfully requires the continuous engagement of all stakeholders, particularly that of an executive champion to guide the process. End users need to be engaged early in the process and throughout the program or project lifecycle, with the expectations and success measures for the changeover clearly communicated.

Managing Process Transformation

Looking at the big picture, cloud computing allows state or local government agencies to spend less time and money on ICT design, development and maintenance and redirect those resources to focus on primary services to constituents in areas like education, healthcare, public safety, and transportation. Process transformation could involve reducing operating expenses, off-loading a data center, increasing agility to deploy new applications more quickly, improving business continuity, supporting seasonal scalability requirements, avoiding revenue losses, reducing liability or achieving other objectives. Process transformation could impact services, channels, business activities, even an organization’s change management procedures themselves.

Once people understand and accept why change is needed, emphasis switches to exactly how change will be achieved. Processes and methods, both business and technical, must be transformed and that transformation must be managed. Often, this means reallocation of staff and resources, a difficult and highly charged undertaking. Taking an objective focus to “core” versus “non-core” activities at least provides a baseline to begin this process. Retraining and other skills enhancement initiatives can also mitigate the difficulties implicit in staff reassignments. And be sure to look for examples in government and industry where cloud computing has been adopted and new jobs have been created through technology innovation.

A business process re-engineering methodology and related procedures should be used in approaches to technology, demand and capacity planning, performance setting and SLA management. System development lifecycle activities may need adjustment to accommodate cloud services. A comprehensive strategy will incorporate any new approaches to change management as well as training. Where vendors are concerned, the watchword should be trust but verify.

Operations Best Practices

Even among early adopters, cloud computing operations are still in the very early stages of deployment. That fact notwithstanding, several lessons learned and best practices have emerged:

Standardize services and processes — Standardization allows automation to reduce cost and speed services delivery.

Adopt new application architectures — Much of the power of cloud computing comes from concepts like reuse and portability. Applications must be developed with an eye toward these capabilities.

Capacity monitoring and planning and budgeting — While economies of scale are a cloud computing given, appropriate and precise measurement of use and apportioning of cost must be as well.

Process automation — Process automation constitutes the most innovative and impactful change that an ICT organization can deploy. By leveraging pre-built automation routines, working with application developers to build or modify applications that are cloud ready, and standardizing repeatable processes, state and local government agencies will see substantial cost reductions in labor and resources.

People skills and Managed Services integration — Necessary skills and competencies will evolve as cloud computing programs advance. Track the trends and train accordingly.

Key Takeaways

• Business case and readiness assessment, risk assessment, implementation and operation are fundamental to cloud computing;

• The readiness assessment should consider both business and technical goals;

• Vendor assessments should follow readiness assessments to prevent lock-in;

• Cloud computing impacts register across a broad range of process and performance variables;

• Cloud deployment should be based on acceptable risk levels;

• Cloud implementation should see the bigger picture, taking into account technology, processes, policies and people;

• Less money spent to develop and deliver technology solutions can mean more money spent on government services to constituents;

• Standardization leads to reduced cost and expedited service delivery.

Recommendations Recap

• Create a multiphase strategy for cloud computing adoption and deployment;

• Build an inventory of applications to be moved to the cloud;

• Analyze process and financial impacts, gaps, efficiencies;

• Determine how cloud computing will impact current technical operations and architecture considerations;

• Perform a cost-benefit analysis comparing cloud to in-house ICT investments and document the case for change;

• Create a data classification policy and rigorous data governance policies;

• Prepare and plan for implementation with a multidisciplinary evaluation team;

• Define objective evaluation criteria and an adoption strategy that aligns with business priorities;

• Decide what other business and technical questions need to be answered;

• Select a capable, experienced project management team;

• Understand the range of support services available, including those that measure use and apportion costs.


Acquiring the Cloud

There is no doubt about it: cloud computing is a state and local government priority. In a recent survey of state and territorial CIOs, “Rationalizing/centralizing state IT services” (67%) and “Controlling IT costs” (55%) were identified as two of their top goals for 2012. NASCIO’s published list of CIO Priorities for 2012 has cloud computing ranked five of ten as a priority strategy and three of ten as a priority technology. However, before state or local government agencies can integrate cloud solutions into their technology plans, three acquisition and contracting issues need to be properly addressed:

• Procurement Vehicles

• Key Contractual Terms

• Funding Streams

In this section, each of these issues is addressed from a cloud perspective, followed by a series of recommendations intended to facilitate the process. Underlying this entire discussion is the need for common definitions, approaches, and purchasing mechanisms, allowing for far easier acceptance, adoption and acceleration of cloud computing programs. Table 2 itemizes some of the most prominent business and design impacts and tradeoffs when selecting among cloud deployment and architectural models.

The state of Wisconsin is developing a “Cloud Computing Cookbook” detailing the recipe for how a business can evaluate a cloud computing opportunity, engage vendors and consume services from the cloud. The Wisconsin Cookbook can be found on the SLG-CC Community Portal.

Table 2 Cloud Features & Business Impacts

DEPLOYMENT MODELS

Private Cloud

• Dedicated Hardware

• Large Scale Resources Drive Cost Efficiencies

• Single or Multiple Customers

• Significant Capital Expense

• Significant Human Capital

• Supports Need for Data Center Consolidation

• Pay-per-use in Shared Service Model

• Managed Cloud Vendor Solutions Available

Community Cloud

• Designed for Exclusive Group Use (e.g. Law Enforcement)

• Assumes Common Policy Concerns

• Features Common Data Governance Requirements

• Financial Savings of Shared Environment

Public Cloud

• Used by Any Subscriber

• User-centric, Commoditized Offerings

• Productivity and Collaboration Applications

• Development and Testing Environments

• Shared Multi-Tenant Resource

• Pay Per Use

• No Build Out Costs

Hybrid Cloud

• Combines Two or More Distinct Cloud Architectures

• Supports Private Cloud Need for Security and Control with Public Cloud Support of Bursty Applications, Test Environments and Storage

• Allows Flexible Choice for Housing Applications and Data

SERVICE MODELS

Infrastructure as a Service

Pay per use, flat rate or contracts in some cases

Pros

• Rapid deployment and cost efficiencies

• Replaces the dedicated hardware platform for applications and enables sharing of hardware resources that can be pooled across multiple applications to produce higher efficiencies and utilization — and lower costs

• Grow, shrink or move applications through duplication and live migrations of virtual machines

Cons

• Limited portal capabilities could limit usability

• Standardized and automated in support of rapid deployment limits customization options

Application Examples

• Data Storage

• High Availability and Disaster Recovery

• Development and Testing

• Spikes in Server Demands

Platform as a Service

Pay per user or contracts in some cases

Pros

• Delivery of a powerful tool to develop and launch mobile or cloud applications that are on demand, pay-as-you-go service

• Enables developers to spend more time on enhancing the applications and less time on systems engineering tasks by leveraging a single development language and building reusable components

• Permits build, test, run of same application with cloning between parallel environments

• Developers can push code out to the cloud quickly and on a wide-scale basis

• No upfront capital investments

Cons

• Depending on the vendor, disadvantages can range from the inability to develop traditional enterprise applications to providing limited customization, workflows, and data policies

• Dependence on network, customize to ensure sound Business Continuity at a cost

Application Examples

• Taxes

• Health and Human Services

• Transportation

• Database

• Analytics

Software as a Service

Pay per user per month

Pros

• Lower acquisition and support costs

• Transparency of pricing

• Operational budget vs. a capital budget

• Reduction in human capital

• Shared multi-tenant application and database

• Single application

• Network based service accessible via Public or Private Networks

• On-demand licensing

• Fully managed by partner

Cons

• Nascent SaaS applications lack domain specific workflows and business processing capabilities specific to state and local vertical

• Governance issues of application portfolio

• Longer-term TCO uncertainties

• Application may reside outside state or national boundaries

• Limited functionality and limited customization, depending on vendor’s platform

Application Examples

• Collaboration Tools

• Email

• eProcurement

• Survey Tools

• Social Media Applications

Other Business Model Factors

The business models for cloud services vary widely. However, the one constant across this spectrum is the increasing level of responsibility associated with each architectural platform. From IaaS to PaaS to SaaS, the government agency’s level of responsibility increases.

Providing service in the public sector is highly dependent on data. Data represent the lifeblood of state and local government operations — and must be governed accordingly. However, ICT organizations have additional concerns regarding data when it comes to cloud solutions. The concept of “lock-in” becomes more of a factor as organizations move across the gradient from private to public cloud deployment models--or from IaaS to PaaS to SaaS architectures. The solution to “lock-in” concerns is standards.

The following two standards are paving the way to data portability:

• DMTF’s Open Virtualization Format (OVF) is a packaging standard designed to address the portability and deployment of virtual appliances. OVF enables simplified and error-free deployment of virtual appliances across multiple virtualization platforms (www.dmtf.org/standards/ovf).

• OpenStack is a global collaboration of developers and cloud computing technologists producing the ubiquitous open source cloud computing platform for public and private clouds. The project aims to deliver solutions for all types of clouds by being simple to implement, massively scalable, and feature rich (www.openstack.org).

The Commonwealth of Virginia implemented a statewide consolidated procurement SaaS solution, mentioned earlier, that would:

• Obtain visibility over all Commonwealth purchases to track and leverage buying power;

• Provide one Internet electronic portal for suppliers to process purchases electronically and access purchasing information and business opportunities to electronically conduct business with the Commonwealth;

• Include purchases of cloud services from the cloud service itself.

Savings are $30M per year, and the eVA solution was viewed as a benchmark for the WSCA exploration into their cloud-based procurement solution to be deployed in 2012.

A buyer’s guide can be developed to help create a centralized resource which, among other uses, identifies vetted cloud providers. Several publications from the National Association of State CIOs, including an issue brief recently released, should also prove useful in this area.

Procurement Vehicles

State and local government organizations seeking to use contracted cloud services will need to execute a procurement vehicle through which to acquire those services, but few at this time have such vehicles specifically dedicated to cloud computing. Given this, governments have the following options when looking to secure an appropriate contracting vehicle:

1 Use an existing procurement vehicle not specifically designed for cloud services

The RFP process for many governments can take many months to issue and to award. This many-month cycle and attendant delay is incompatible with the immediate use and benefits of cloud services. Waiting multiple months could result in either needs changing or the capabilities of cloud-based solutions having advanced even further. For many government organizations, leveraging an existing procurement vehicle might be the fastest and easiest way to procure cloud services.

While expedient, most traditional network, telecommunications, and software procurement vehicles lack a number of important terms and conditions necessary for cloud services to function effectively. In particular, SLAs, data privacy, and data portability requirements are often not adequately addressed.

Existing procurement vehicles can be effectively leveraged for the procurement of cloud services provided that care is taken in structuring the procurement. For example, the State of California has used several existing procurement vehicles to solicit cloud-based network services, Web services, Web hosting, and SaaS. No significant issues were encountered in using these vehicles, mainly because the state added special terms and conditions to topics such as service up time and data portability to supplement standard terms and conditions in the base contracts (which in many cases weren’t very applicable to a cloud services contract).

2 Create a specific vehicle for the cloud services procurement

Some governments have opted to create new contract vehicles specifically designed for the procurement of cloud services. These vehicles may be tightly or flexibly scoped, and may offer customers access to a wide variety of cloud services. One state, for example, has created a procurement vehicle designed specifically for the provision of cloud services in a secure cloud environment that offers email and legal eDiscovery services and collaboration tools for mobile users. While the initial contract is for email services, the contract is flexible enough that other types of cloud services can be added later. Where data center consolidation or other major shifts in personnel are contemplated, be sure to include a staff training and retraining provision in the RFP.

3 Leverage cloud services procurement vehicles established through multi-government consortia

A number of government organizations are joining together to create multi-jurisdictional cloud procurement vehicles. These may involve multiple “peer” government entities (e.g., a group of states or counties) or may involve multiple levels of government (e.g., a state that allows counties or other local governments to procure through its procurement vehicles). WSCA is a good example of such a consortium. WSCA members Utah, Oregon, Montana, and Colorado are collaborating on a multi-state RFP issued for cloud-based GIS services. The RFP is also flexible enough to be used for general cloud server and storage hosting.

4 Select cloud service procurement vehicles established by the Federal government

The Federal General Services Administration (GSA) provides an array of offerings for cloud computing, available via Schedule 70 contracts and accessible by other government entities. These include infrastructure, software, and PaaS offerings. GSA has also awarded a Blanket Purchase Agreement (BPA) for cloud-based IaaS offerings to be available in three unique lots: cloud storage, virtual machines, and web hosting.

Prior to making IaaS products available through Apps.gov, vendors will have to complete a GSA administered Federal Information Security Management Act (FISMA) assessment and authorization process. Once granted authority to operate, products will be made available for purchase by government entities through the Apps.gov storefront.

The GSA has recently implemented its own cloud-based email solution, for which the case study can be found on the Federal Cloud First Buyers Guide. GSA will soon offer a BPA program for Email as a Service (EaaS) to benefit state and local governments as well.

The Office of Management and Budget (OMB) is also facilitating the Federal Risk and Authorization Management Program (FedRAMP), which is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP has been in development over the last 18 months in close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups as well as private industry and academia. The FedRAMP program is designed to solve the security authorization problems highlighted by cloud computing. Through this government-wide approach, FedRAMP is intended to enable agencies to either use or leverage authorizations with an:

• Interagency vetted approach using common security requirements;

• Consistent application of Federal security requirements;

• Consolidated risk management; and

• Increased ability to gain effectiveness and management cost savings.

Recommendations and Lessons Learned on Cloud Procurement Vehicles

State and local governments that have implemented procurement vehicles for the acquisition of cloud services offer the following recommendations and lessons learned:

1 If an existing procurement vehicle is leveraged to procure cloud services, add special terms and conditions to any RFPs that are designed specifically to address unique needs of cloud services.

2 Regardless of the type of procurement vehicle used, ensure that terms and conditions are established for the most critical elements of the contract. These include:

• Data portability. Since many of the vendors are creating integrated, proprietary solutions, understanding how the government client would get their data off the vendor’s solution at the appropriate time is critical;

• Records management safeguards;

• Security and privacy of data; and

• Financially backed, enforceable and measurable SLAs.

3 IaaS procurement vehicles will be easier than a vehicle that attempts to incorporate both IaaS and PaaS services. SaaS procurements should be done one application at a time.

4 For procurement vehicles that span multiple jurisdictions to gather requirements, aggregate demand and obtain better quantity discounts, address governance issues early. Highlight methods for agencies to insert their specific requirements.

5 Develop and execute a data classification strategy as a guide to what services should be externally provided through a public cloud solution, versus what services should be provided internally.

6 Consider creating a buyers’ guide which helps centralize the list of available providers that have been vetted and prequalified.

7 Include contract management staff in the procurement development process to build knowledge of post-award assessment and monitoring requirements.

8 Gain visibility into lower value and less formal procurement options available to government users. Cloud services can often be purchased as an operating expense on a “p-card.” The government ICT organization will need to monitor and oversee all procurement purchases in order to manage the government ICT spend more comprehensively.

9 Promote a “ramp up” process whereby local staff gain the expertise needed to support vendor selection and oversight.

Key Contractual Terms

There are five basic areas relative to cloud service purchase terms and conditions. They are:

1 Asset Location and Ownership

State and local government agencies normally require their physical assets and the people supporting those assets to be located within the United States. In many locales the restriction goes even further to require data and employees to be located within the locale (State, County, or City). This must be clearly identified as a requirement in the contract for bidders to provide a responsive bid. Additionally, the ownership of assets during the term of the agreement and at the end of the term is often a discussion point with the entity. The recent trend in government is to have the external service provider own the hardware, software, tools and other assets during the term, but for the government to have the option of buying the assets at the end of the term at either Fair Market Value or at Net Book Value. These provisions must also be depicted in the sourcing requirements document.

Email is a popular first step “into the cloud” for every jurisdiction, from the city of Carlsbad, California to Multnomah County, Oregon to the states of Wyoming and Florida. All of these case studies and more are available on the SLG-CC Community Portal.

2 Access to the Data

The single largest concern with moving to the cloud is fear of who will have access to the data and what controls will be in place for ensuring protection of data. There are a number of requirements that speak to access in terms of public or private Internet but there are also control issues within the provider’s spaces. Terms and conditions would range from physical security (fenced off areas) to logical security (access rights management).

3 Terms of Disentanglement

Disentanglement is the event that ends the agreement to buy services. It can include termination for convenience (change of heart/strategy), termination for cause (breach or performance issues), or end of term. It is imperative to have contractual provisions that cover how those separation activities will be handled. These provisions would include everything from what happens to the intellectual property that was used in performing the services to how much support would be required in transitioning the services back in house or to another vendor. This section of the contract is where the ability to maintain continuous cloud services is ensured.

4 Data and Asset Segregation

This area has to do with whether the entity is willing to have its assets shared with other entities. In some cases state and local government agencies want to have dedicated hardware for some portion of their environment (database servers) and some portion on shared assets (web servers). The specifics of the segregation of assets will affect the pricing.

5 Pricing Model

In most cases entities are moving to the cloud to get a more scalable capacity and are expecting the pricing to be “pay as you go” versus a fixed investment based on capital investments. There are a number of pricing models available, and the specific requirements need to be included in the contract provisions.

The SLG-CC Community Portal offers many tools and resources for pricing, business case justifications, technical white papers and more to educate and advise on how to best leverage the cloud for state and local government needs.

Other Contract Considerations

Beyond these fi ve major areas, there are a number of specifi c areas where the contract language must be specifi c and will determine the outcome of the solution. These areas include SLAs, (along with the monitoring and enforcement of same), default triggers, security event handling, and a series of governance and communications related contract language provisions. It is important to recognize that a cloud solution’s success will be tied very closely to the language and terms and conditions of the contract that delivers the service. It requires a mental paradigm shift from managing people to managing outcomes.

Funding Streams

Despite a challenging economic environment, state government ICT budgets are beginning to trend upwards, still down approximately 9% from pre-economic downturn numbers in 2011.

If adoption of the cloud is to be cost-effective, state and local governments need to think less about long-term budget cycles and more about near-term savings. This process requires identifying existing applications that could be migrated to cloud-based solutions. Potentially, the savings from adopting cloud solutions could be reinvested into other areas of mission critical need for the state and its residents.

In its research, which included interviews with state CIOs and local government ICT managers, the SLG Cloud Commission found various methods of how state governments are funding cloud projects. Among the Commission’s best practices findings and recommendations:

• A strong state central governing ICT body can be extremely beneficial for adopting a state-wide cloud initiative and leveraging existing ICT budgets.

• An identified funding stream for enterprise cloud solutions was using funding out of existing data center budgets.

• A single vendor or integrator should be considered that provides an overall solution which leverages best of breed sub-solutions and technologies from a variety of vendors. Cloud technology is changing too rapidly and deployments are comprised of too many technologies and subsystems to rely on a single vendor to provide them all.

• Each state should complete a cloud RFP leveraging all state requirements and awarding based on value and price. This new cloud state contract vehicle is then available for each sub-agency to leverage state government pricing and use individual budgets to procure. RFPs should be appropriately designed or divided to allow for vendor teaming.


• State government respondents believe that an operating expense increase request is more likely to be approved than a capital budget increase. Applications such as VoIP can demonstrate a cloud-based cost improvement.

• As it relates to A.87 compliance, state and local governments may want to consider a “Cost Allocation Plan” where federal funding is being used to provide cloud-based solutions. This plan should clearly define the shared benefits and costs associated with migration to the cloud for both spending justification and audit considerations.

• School districts should consider cloud-based solutions to deliver applications to students and staff. The consistency of services to all schools, combined with the benefit of re-vectoring the savings to other school or educational needs is a win-win for all.

The award-winning IlliniCloud for IaaS was developed by the Bloomington, Illinois school district to deliver state-of-the-art computing resources for K–12 education. It is being adopted statewide — a tribute to its innovation and cost efficiencies.

The University of Kentucky has deployed its enterprise business applications in a managed private cloud to increase the flexibility and level of service to end users while simplifying the IT infrastructure. Initial tests have shown some impressive results, and expected customer benefits include a reduced total cost of ownership of 25%.

In summary, state and local government agencies and ICT departments should collaborate and leverage their collective strengths when negotiating for cloud-based solutions. A new way of thinking and talking about the information utility from both a technology and budgeting perspective is needed. This process will be greatly aided and the anxiety of risk-averse officials greatly mitigated by adopting common terms and conditions language in areas like portability, security and records management. With these new approaches in place, the benefits of a cloud-based solution should save money for state governments and taxpayers while delivering consistently better government services to end users.

Key Takeaways

• Successful procurement of cloud services must address three key acquisition and contracting issues: procurement vehicles, contractual terms and funding streams;

• Procurement vehicles in use today may or may not be specifically designed for cloud services. They may be offered by multi-government consortia or by the federal government;

• Contract vehicles for cloud services are also offered by multi-government consortia and the federal government;

• To date, private clouds have dominated state CIO discussions; factor in the need for varying application requirements such as development and test environments, prototyping, collaboration and e-mail, and the case for hybrid and virtual private clouds is gaining ground;

• Private clouds offered by cloud vendors have the potential to obviate the need for large capital expenditures by state and local governments;

• Acquiring cloud architectural design services raises specific procurement issues which must be addressed.

Recommendations Recap

• Create a state RFP specifically tailored for cloud services to support a variety of delivery models — and available for use by local governments;

• When using an existing, non-cloud specific procurement vehicle, use terms and conditions specific to cloud services;

• Develop and require specific terms and conditions for data portability, records management, security and privacy, and SLAs;

• When addressing multijurisdictional clouds, highlight and adjudicate governance issues;

• Create or leverage buyer’s guides, including those from Federal and commercial sources, to vet and prequalify providers.


Final Summary and Conclusion

State and local government agencies face a dramatic opportunity to shift the focus of their activity from the mechanics of ICT infrastructure to the delivery of enhanced government services. Cloud computing, based on new models for the ownership, location, pricing and maintenance of IT assets, sets the stage for this change.

Whether it’s Infrastructure as a Service for K–12 education in Illinois … a private cloud for enterprise management at the University of Kentucky … Platform as a Service for Minnesota economic development … Email as a Service for New Hanover County, North Carolina hurricane recovery … or Software as a Service for collaboration in Wyoming … cloud computing has become the imperative for state and local government.

The purpose, dimensions and construction of the cloud environment must be carefully planned, the cloud computing customer base must be well understood, and the benefits of cloud computing must be thoroughly articulated to builders, buyers and users.

The process of building begins with the technology itself. Hardware and software assets can be combined in different configurations or used in various ways to deliver very different services: discrete applications, development platforms, entire computing infrastructures. And the sharing of these services can likewise be very different, from none whatsoever to totally open and available.

Technology provides the elasticity necessary to shape clouds to their intended purpose and the seamlessness necessary to enable state and local government customers to move between competing cloud solutions with limited disruption to operations. Technology also provides the security and privacy safeguards needed so that cloud computing does not become a porous or corrupted resource, violating the trust and confidence of its users.

A structured approach to implementation can help eliminate false starts and blind alleys by considering all elements of the equation: infrastructure, applications, people, processes and dollars. Having the right roadmap — a map that addresses all of the appropriate technical and business issues — helps cloud planners reach the right destination. Strong governance and data classification policies can help reduce risk, identify gaps, and set priorities. While cloud computing is a rapidly evolving field, this paper identifies a series of program, project and operational best practices that can help state and local government agencies tap into this exciting new mode of service delivery.

Cloud computing can help state and local governments transform information services in a flexible and affordable manner. The key is to get started. Multiple models exist for the multiplicity of cloud services. Understand the service delivery models and best practices for their implementation. Whether the cloud model is private or public, software, platform or infrastructure as a service, cloud is about aggregating demand and achieving economies of scale to increase business agility and lower cost and overhead. Thus the issue of how cloud computing is acquired comes to the forefront. A thorough understanding of procurement options and a mapping of procurement vehicles to cloud services will help assure a far better end result.

Finally, as discussed in the beginning, this paper and the related web portal do not aim to answer all of the questions and/or issues around cloud computing for state and local governments. While providing some framework knowledge about cloud computing as a set of technologies and processes, from the start, the Commission collaborated with the leading state and local government policy makers, ICT executives and leading vendors to create a platform for further collaboration and idea exchange. The Commission believes cloud computing and the technologies surrounding it will rapidly evolve in the near future. As needs and requirements change, surrounding technologies and processes will evolve as well. The Commission is dedicated to further developing this paper and the web platform for future needs.

While cloud computing is a rapidly evolving field, this paper delivers an end-to-end roadmap for program, project and operational best practices that can help state and local government agencies tap into the most exciting information technology wave since the Internet.

Welcome to the Cloud. Welcome to the Beginning.


Appendix I State and Local Government Cloud Examples

There are many other examples of cloud computing helping state and local governments to improve service, foster collaboration and save taxpayer dollars. For a complete list of case studies and use case examples, visit the SLG-CC Community Portal (www.cloud4slg.org).

Cloud Computing Helps Houston Float over Storm Water System Woes

Abstract

A city’s need to bring a new storm drainage tax assessment application online fast for customers makes the move to cloud computing a natural, with environments that allow for development, test and implementation without the need to add servers or predict usage.

Customer Profile

When the Houston City Council told the municipality’s IT department that it needed a storm drainage tax assessment system up and running on a very tight timeframe, planners opted for the cloud. The city operates two data centers and a full IT staff. What officials did not have was a good sense of how often city property owners would use such a system — and the demand such an unpredictable usage would place on their in-house servers.

Storm water drainage might not seem like the stuff of innovative local government services. But Houston’s 6,000 miles of streets, 3,300 miles of storm sewers and 2,800 miles of roadside ditches need work well beyond the current rate of rehabilitation and rebuilding. Proposition 1, passed by voters in May 2011, imposes a drainage charge on residents to help fund repairs. Elected officials told the city to have the new charge-viewing utility in place by July 1, 2011 — eight short weeks after passage of the measure.

Why the need for speed? The storm drainage tax assessment allows property owners to go online to view and, if necessary, challenge their assessment. With the drainage charge itself going into place quickly, the city needed the online system up and running quickly as well.

The Challenge and Solution

Rather than make a best guess at the number of new servers that would be needed to develop, test and operate the new application, planners elected an IaaS solution from Amazon Web Services. Selecting an IaaS for the storm water drainage charge application allows the city to gain the utility-like benefits of cloud computing with a service that can scale up as Houston residents open their assessment letters and scale back down when interest in storm water drains away. Assessment payers use the system to view and verify their property records and, if necessary, to challenge inaccurate assessments.

The city’s IT team worked with a partner to implement its new application in the cloud and integrate back to the legacy systems needed. Parallel environments running development, test, and production in the cloud all at the same time made it easier to build and bring the new solution online. Only a cloud computing data center, with its unique scalability, could dramatically shorten the time-to-implementation and make this parallel approach much more cost-effective than working in an on-premise environment.

While adoption was well-received, there was some initial skepticism on recognizing the need to re-skill the IT team to manage this new cloud deployment. Additionally, developing interfaces to the legacy applications’ on-premise environment proved to be a complex challenge. Nonetheless, the successful implementation of the project in only seven months convinced the IT team to look at moving other applications to the cloud.

Results

While its capabilities may not make property owners happy about paying their assessments, the service does allow the city to make a more cost efficient cap-ex versus op-ex tradeoff. Using the cloud, Houston avoids upfront costs and accesses just the server power needed during the development and testing phases of application development, jettisoning this capability when these aspects of the project are complete.

Acquisition of the cloud solution has also proved to be as right as rain. Again responding to its tight timeframe, the city purchased the service from Amazon on a municipal credit card. This portion of the acquisition proved sufficient for buying cloud services in the development and test phases of the project. When the application moved to production mode, the city acquired the additional service needed from Amazon through GTSI and the U.S. Communities Government Purchasing Alliance, a non-profit cooperative that aggregates the purchasing power of over 44,000 participating agencies.

Organizational and staffing impacts have also been kept to a minimum. City of Houston IT staff developed the storm water drainage charge application system. The decision to host the application in the cloud had no impact on current data center operations or personnel. Rather, the hand-off between application developers and service operators has gone smoothly, and, because the application is now in operation, city officials only need monitor its use and budget accordingly.

Cook County Taps Cloud to Float Powerful Idea: Openness

Contact: Greg Wass Email: [email protected]

Abstract

The Cook County, IL Board passed the Cook County Open Government Ordinance (11-O-54) to establish and implement an Open Government Plan to promote transparency, accountability, collaboration and public participation. To provide this information in a consistent, cost-effective manner, the ordinance mandated that a single web site be constructed. The ordinance mandated that the web site be established within 90 days.

Customer Profile

Cook County, Illinois had a problem: The public simply did not understand how its county government operates or how tax dollars were collected and spent. Because many county systems and processes were still paper-based, data were not readily available in digital format. This paper-based data contributed to the public’s lack of understanding by making information difficult to find and obtain.

The County Board made the clear connection between greater government transparency and a more informed, engaged and supportive citizenry, acting to open things up with a new law requiring County agencies to, among other mandates, make at least three “high value” data sets available on a new County website.

Prior to the ordinance, several departments of the Cook County government, including the Clerk, Sheriff, Recorder and Treasurer and Public Health, either provided some information to the public and/or had plans to make additional information available.

These efforts, while significant and important, created less value for open government because datasets were scattered, inconsistently formatted, presented in machine-readable formats, out of date, and limited to one record at a time.

In passing the measure in May 2011, the Board gave fresh government-wide impetus to improve dramatically on information-sharing efforts that were otherwise uneven, disjointed, and downright unusable for County residents.

The Challenge and the Solution

The pressure was on. The new ordinance required that the web site be operational within 90 days. The County working group debated whether to build an open data portal based on open government standards, or to use a hosted solution. Planners opted not to reinvent the wheel or slow the wheels of progress. Since the County had already partnered with the State of Illinois and the City of Chicago on open government initiatives, the fact that both of those organizations had embraced the Socrata data portal solution, and given the lack of County staff familiarity with a possible alternative, the CKAN open source data portal software, the County entered into an agreement with Socrata to host the County’s open government website.

The Socrata platform has a number of prebuilt tools that provide much of the functionality required by open data standards and principles in general, and the Cook County ordinance in particular. For example, the platform provides an opportunity for users to publicly comment on individual datasets using the “discuss” feature. It allows users to contact the dataset owner with questions or comments, or to suggest new dataset ideas. Social media (Facebook, Twitter) and email can be used to share a dataset or particular view with others. And the site provides a ranking feature so that datasets can be ranked by popularity (most viewed).

The deployment was completed within the three month schedule. Following the initial deployment of the County open data portal, the County has continued to populate the portal with additional data. The open data site is currently populated with information from more than 40 County government departments and includes more than 75 data sets that reflect the most up-to-date information.

Results and Benefits

The Cook County open data website was launched on time and it has been a reliable platform for the County to deliver data to citizens and for potential use by entrepreneurs developing applications. The shared platform with the State of Illinois and the City of Chicago keeps costs down and promotes consistent approaches for data sharing.

The County’s experience with its open data portal suggests that there is substantial potential for having regional data platforms to host data from multiple political entities. While some important work will still be necessary to validate the consistency of the data models, the hosted SaaS approach allows new organizations and data sets to be brought online in a rapid and consistent fashion. Another consideration to be addressed in the future is that other data (e.g., social services or homeland security data) will require increased security solutions.

Cloud Helps Municipality Do More with Less

Contact: Kevin Capp, Chief Technology Officer Email: [email protected]

Abstract

With a population of nearly 50,000 that has seen rapid growth in the last 15 years, the municipality of Castle Rock, Colorado is sourcing more applications to the cloud to deliver a wide range of government services across public safety, utilities, GIS-mapping, IT operations and finance, mobility for the workforce and much more — innovating with an IT budget which is less than 2% of the town’s overall spend.

Customer Profile

Castle Rock, Colorado has been exploring ways to reduce IT costs and move applications off premise for a number of years. In 2009, when a new Finance Director updated their legacy financial systems with something more contemporary to run payroll, budgeting, accounts payable/receivable, reporting, and the like, Castle Rock embarked on its first major migration to an off-premise hosted vendor solution.

Castle Rock was one of the first customers to migrate to the SunGard vendor’s shared infrastructure in their early steps to the cloud, and they gained significantly more finance functionality while cutting their IT support costs in half. The savings were then re-invested to expand their Internet bandwidth so they could further migrate to other hosted or cloud-based solutions going forward.

The Challenge and the Solution

Because of their small IT team and limited budget, Castle Rock seeks to strategically access cloud-based IT solutions offered through larger jurisdictions in Colorado and commercial Software as a Service solutions whenever possible.

For example, their plans include moving common services like credit card processing into the Statewide Internet Portal Authority (SIPA) Portal, which is the state’s central hub for delivery of e-Government services including Collaboration, Office Productivity, Email and more.

They use the Intuit QuickBase database Software as a Service for surety management and tracking of funds and plans for the construction of roads and sewage capacity to support new developments.

They also access sister city Aurora’s COPLINK software in the cloud for comprehensive information sharing and collaboration among local, regional, state and national law enforcement and public safety agencies. Finally, they use the Innotas cloud solution for project portfolio management of enterprise IT projects.

They are most recently investigating the replacement of desktops with tablets and VDI (virtual desktop) software in the cloud, to mobilize their workforce more cost-effectively. Their goal is to eliminate the need to replace all desktops every five years, which would free up a significant part of their infrastructure budget to invest in new applications for services innovation instead.


Additional Abstracts

Property Tax Management Software as a Service for Pueblo County, Colorado

Unable to afford a more expensive upgrade of property management software, Pueblo County spearheaded the creation of a Software as a Service model to deliver multi-county access to property assessment and taxation applications, with integrated GIS data warehouse, and web-based information access for citizen queries.

Not only are the seven participating counties saving on shared IT costs, but they now have access to more sophisticated functionality, like customized online parcel viewing, which was previously unaffordable for the smaller counties.

Email and Collaboration Software as a Service for the “Best Run” State of Wyoming

The State of Wyoming migrated all 10,000 state employees to an email and collaboration solution in the cloud. The consolidation will save the state $1M annually and is providing all employees with modern, easy-to-use technologies that enable them to collaborate anytime, anywhere and with any device. More than just a shift in email, the ability to collaborate in real time has made the employees more efficient and, according to Wyoming CIO Flint Waters as quoted in Government Technology, “given them a much greater toolset with which they can invest in themselves.”

IlliniCloud: Community Cloud for Education Offering Both SaaS and IaaS Services

Abstract: Amidst shrinking IT budgets, the IlliniCloud offers a benchmark for how the State of Illinois can more affordably provide student information systems, ERP applications, email and even disaster recovery via a pool of software, hardware, services, and support that is shared across 150 K-12 school districts. Launched as a non-profit consortium, IlliniCloud started at the grassroots level in one school district, and its adoption across many districts grew quickly because of its attractive cloud economics and cross-agency collaboration model.

ITSM SaaS: Shared IT Services Cloud for the State of Montana

Abstract: The State of Montana is migrating its heavily customized central service desk operations and ITSM processes to a more industry standard SaaS cloud system to achieve cost savings, conserve technical staff time, and expand service delivery to a larger customer base. Montana requires an ITIL compliant system that supports more than a dozen ITIL processes for the state’s aggressive ITSM program.

e-Childcare Platform as a Service for the State of Oklahoma

Abstract: Oklahoma’s Department of Health and Human Services (OKDHS) needed to improve its subsidized childcare system with streamlined payment processing and better tracking. OKDHS contracted with a cloud hosting vendor to develop the e-Childcare Platform as a Service solution, which was built on the existing Electronic Payment Processing and Information Control (EPPIC) Software as a Service. The e-Childcare solution permits parents to check their children in and out of daycare with a convenient card. Account tracking and payments are automatic with no claims processing, and OKDHS re-invests the savings into additional children’s services.


Appendix II Follow Up Links and Resources

10 Things To Consider When Purchasing Cloud Computing

Infrastructure

www.blog.gogrid.com/2011/02/28/10-things-to-consider-when-purchasing-cloud-computing-infrastructure

2011 State CIO Survey, TechAmerica

www.techamerica.org/2011-state-cio-survey

Accelerate Cloud Performance with WAN Optimization, Jon Olstik,

August 2010

www.riverbed.com/us/assets/media/documents/analyst_reports/AnalystReport-Riverbed-ESG-Riverbed-Accelerating-Cloud.pdf

Building a Solid Cloud Adoption Strategy: Success by Design, Drue

Reeves, Gartner Technical Professional Advice, 19 May 2010

Capitals in the Clouds Part III — Recommendations for Mitigating

Risks: Jurisdictional, Contracting and Service Levels, December 2011

www.nascio.org/publications

Challenging Security Requirements for US Government Cloud

Computing Adoption (Draft), NIST

www.collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Requirements_for_US_Government_Cloud.pdf

Choosing a Hypervisor for Cloud: KVM, David Rokita

www.hexagrid.com/blog/?p=42

Choosing a Virtualization Hypervisor: Eight Factors to Consider,

Eric Siebert

www.searchservervirtualization.techtarget.com/tip/Choosing-a-virtualization-hypervisor-Eight-factors-to-consider

Cloud Computing Reference Architecture, NIST, Liu,Tong, Mao,

Bohn, Messina, Badger, Leaf, NIST Special Publication 500–292,

September, 2011

Cloud Computing Use Cases, NIST

www.collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudComputingUseCases

GRC Stack an Integrated Suite of Four Initiatives

www.cloudsecurityalliance.org/research/initiatives/grc-stack

How Do You Choose a Hypervisor? Andrew Buss

www.theregister.co.uk/2010/08/26/server_management_hypervisor_choice

Planning for Cloud 2.0 How Cloud Infrastructure-As-A-Service Will

Change for the Better, Galen Schreck, June 22, 2011

Securing Government Network Access While Reducing Costs in a

Post-9/11 World

www.wyse.com/sites/default/files/resources/whitepapers/ Wyse-Government-WhitePaper.pdf

Selecting a Hypervisor

www.docs.openstack.org/cactus/openstack-compute/admin/content/selecting-a-hypervisor.html

Six Best Practices for Gaining End-user Adoption of New Technology

www.youtube.com/watch?v=Q7y5c8Xgbms

Six Tips to Supercharge Your Cloud Deployment, Hamish McGovern

www.netapp.com/us/communities/tech-ontap/tot-supercharge-cloud-computing-0909.html

Standards Roadmap, NIST

www.collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/StandardsRoadmap

The Forrester Wave: Platform-As-A-Service For App Dev and Delivery Professionals, John R. Rymer and Stefan Reid, May 19, 2022

Top 10 Hypervisors: Choosing the Best Hypervisor Technology, Eric Siebert

www.searchservervirtualization.techtarget.com/tip/Top-10-hypervisors-Choosing-the-best-hypervisor-technology

Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS

www.broadcast.rackspace.com/hosting_knowledge/whitepapers/Understanding-the-Cloud-Computing-Stack.pdf

US Government Cloud Computing Technology Roadmap, NIST

www.collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/Documents/DRAFT_SP_500_293_volume_II.pdf

Project Management Institute

www.pmi.org

Making the Cloud Work for You

intel.com/datacenter/cloud

Intel is working with leading IT organizations and systems and solutions providers across the industry to make your agency’s transition to cloud computing simpler, safer, and more cost-effective.


TechAmerica Foundation I SLG Cloud Commission

Deputy Commissioners

Steve Touw, 42six Solutions

Vance Raeside, 8x8, Inc.

Brad Rich, ACS, A Xerox Company

Matthew Blanchet, AT&T

Nishant Jadhav, Brocade

Nathaniel “Nate” Rushfinn, CA Technologies

Larry Wright, Capgemini Government Solutions

Michael Shepherd, Cisco Systems, Inc.

Terry Casparis, CGI

C. Douglass “Doug” Couto, Dell

Mike Bourgeois, Deloitte Consulting LLP

Breck DeWitt, EMC Corporation

David Lieber, Google

Graeme Finley, Grant Thornton LLP

Prem Jadhwani, GTSI

Braden Preston, Harris Corporation

Larry Schmidt, HP

Brian Patt, Infosys Public Services

Sarah Kremsner, IBM

Paul Sathis, Intel

John Skinner, Intel

David Kirk, PhD, KPMG LLP

Scott O. Andersen, Lockheed Martin IS&GS

Kim Nelson, Microsoft

Michael Malgeri, Morphlabs

Timothy Erlin, nCircle

Django DeGree, Oracle Corporation

Richard A. “Rick” Martin, SAIC

Rod Massey, SAP AG

Jen Nowell, Symantec Corporation

Dan Bezilla, TransLattice, Inc

Fred Dillman, Unisys Corporation

Shawn Henry, Verizon

Duane Flowers, Virtustream

Padma Rao, Wyse Technology

Government Advisors

Kevin Acker, IT Operations and Business Systems Manager

State of Wisconsin Investment Board

Tom Charkut, Software Services Manager

City of Lakewood, Colorado

Adrian Farley, PMP, Chief Technology Officer & Assistant Secretary for Enterprise Architecture & Technology Initiatives

California Technology Agency

Kyle Hilmer, State Information Technology Services Division

Department of Administration, State of Montana

Gary Lambert, Assistant Secretary for Operational Services

Commonwealth of Massachusetts

Dan Lohrmann, Chief Technology Officer

State of Michigan

Sean McSpaden, Deputy State Chief Information Officer

State of Oregon

Hugh Miller, Chief Technology Officer

City of San Antonio, TX

Jim Peterson, Director of Technology

Bloomington, IL School District and IlliniCloud

Dugan Petty, Chief Information Officer

State of Oregon

Dr. Alan R. Shark, Executive Director

Public Technology Institute

Gina C. Tomlinson, Chief Technology Officer

Department of Technology, City and County of San Francisco

Greg Wass, Chief Information Officer

Cook County, Illinois

TechAmerica Foundation 601 Pennsylvania Avenue, NW North Building Suite 600 Washington, DC 20004

techamericafoundation.org