Transitioning systems to the cloud
- By Cristina Gillaspie
Commercial cloud service providers (CSPs) offer government agencies a number of advantages, but they do introduce new business concerns and risks. By taking the time to craft policies on the transition, conduct engineering studies and ensure the solution meets security requirements, these risks can be significantly reduced. Following are some best practices:
Start with policy. Agencies should prioritize creating the policies governing the transition to a CSP. The focus of this guidance should not be to anticipate every possible tech variation or supported option. Primarily, policy should focus on compliance, system data protection requirements and things to look for in a CSP -- or alternatively describe one or two organizationally acceptable solutions. It should also outline the requirements for administration and financial responsibilities.
Conduct an engineering study prior to transition. All systems should be examined prior to transfer to a CSP environment. Agencies can save time during this examination by bundling similar services. For instance, publicly accessible websites with no sensitive data can be fast-tracked and grouped for cost and technical benefit. A checklist-style approach helps system owners answer many of the questions needed to do an effective engineering analysis.
Understand the security required for the agency's data and assign accordingly. The protection requirements for different data types strongly affect the transition to the commercial cloud or hybrid cloud. Currently, there are different requirements among authorizing officials (AOs) for the demonstration of security controls. This can include compliance with the Federal Risk and Authorization Management Program and the Risk Management Framework, along with specific organizational requirements for the data. By staging the data migration, starting with publicly releasable data and progressing to more secure data protection, AOs can progressively test security.
Select CSPs with government experience. To radically increase approval of a CSP by an AO, the CSP offerings should focus on delivering solutions that meet government needs. Agencies can take the path of least resistance when these solutions address many of the major concerns.
Certification and accreditation. Do not migrate to non-accredited solutions without guidance from an AO. Agencies must get approval from the AO that is supported by the evidence from the engineering study before migrating their systems. Finally, ensure that the system owners understand that even following migration they will still be responsible for the financing and support of certification and accreditation activities for their systems.
Outline requirements for secure operations. Security operations must be analyzed when creating a service-level agreement with a CSP, and agencies may also need to modify providers' SLAs. For instance, backup and recovery can be handled by a CSP or they can remain the responsibility of the agency. Each CSP offers different services by default, and agencies must carefully analyze and consider everything they need to ensure secure operations.
Include metrics in SLAs. CSPs often provide a plethora of metrics, and it is up to agencies to decide if the data meets their needs. Many of the metrics provided by default are related to cloud usage, but agencies should also require metrics on:
- Service/system availability
- Reliability as demonstrated through mean time between failure and mean time to repair
- Response time
- Throughput (transactions per second or megabytes per second)
- Service and helpdesk
Metrics on policy, cost, cyber security, data analysis and CSP selection handled in conjunction with government AOs will help with an agency's cloud implementation timetable.
Use of statements of objectives. Using statements of objectives (SOOs) gives agencies a way to achieve their desired goals by focusing on outcomes. SOOs allow an agency to state its needs, streamline the acquisition process, shorten acquisition lead time and provide greater flexibility in selecting the best solution. The use of SOOs provides the opportunity to propose solutions that are market-based and describe how a CSP would modify its services to meet government requirements. Using an SOO gives the government the greatest autonomy to evaluate proposals to decide which CSP best understands the requirements as expressed in the proposal. It also helps agencies determine which CSP is most advantageous in terms of ease of use, efficiency, price and other criteria.
The journey to the cloud is never easy. Following the above suggestions will alleviate a good amount of the concern around transitioning government systems to a CSP.
Cristina Gillaspie is an IT consultant who helps innovative organizations develop cloud solutions.