Industry Panel Responses:

When the panel was asked about opportunities for cloud computing:
o Innovation
o Time to deploy: a short time allows the ability to fail often

What the US Government should and shouldn't do:
o The Government needs to act like a customer. The industry is driven by what customers want, and the Government has to know and explain what it wants.
o NIST should coordinate de facto standards. There need to be stopgaps and coordination of standards as new things appear.
o Look to the international community: GovCloud in EU
o Take feedback from first adopters and use this as a key driver to feed back into standards development

Security and privacy: what things are overstated/understated/just right?
o Understated: Security and lack of transparency by providers to show what they are doing to address security concerns. Customers do not know what providers are doing and therefore cannot adequately assess concerns.
o Overstated: defining the cloud. It's important not to continue to sit on the sidelines until a definition is nailed down.
o Just right: jurisdictional issues
o Understated: how cloud exacerbates current problems, such as with privacy. If old infrastructure had issues, there will just be different problems. Also, access issues will not go away as the laws and guidance in this area are outdated. Scaling up can multiply problems.
o Understated: Differing rules for international customers

Biggest challenges (outside of privacy and security):
o Overall management of data: how to move it into the cloud, how to move it out, how to access it once it's in. Impact on the broadband network.
o How to move to tools and capabilities with current employees: there is a psychological impact to owners of systems of services. Individuals will need to think in a different way and focus on gains to be had instead of what they may lose.
o From the systems perspective: monitoring, perception, and anticipating needs

Resourcing
o Could be easier to do in a cloud environment, such as getting an inventory of systems
o People need to get more comfortable with technology
o It will take some time for vendors to become more transparent

Impediments to adoption
o Global norms: need to have some agreement on policy and best practices. They suggested NIST as the body to coordinate these efforts.
o FedRAMP is critical to this process to provide a higher bar for a common understanding of security. The focus should be on compatibility and interoperability.
o Pace of development is so rapid that it may be difficult to find the right place to standardize.

What should the role of government be, de facto standards vs. traditional standards, and where should cloud computing come in?
o Standards shouldn't squelch innovation
o Standards should help use products more efficiently and safely
o Too early to tell. The government should do guidance and create a framework and let the marketplace work itself out.
o Provide clarity and let it happen: continue to do the work of creating a definition for cloud computing so that the same words mean the same things.

Where should there be standards in the short, medium and long term?
o Data management
o Short: Infrastructure (OBF), identity management
o Medium: Identity management, access control

Compliance and International issues
o This is an area where US government de facto and de jure standards are in conflict
o US should work with EU
o Commercial and national interests are conflated
o Help government use technology as it's supposed to be used
Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)

NIST's answer to how to support adoption during this interim period of needing standards and the time before they are actually written. NIST is working on creating a strategy, process and portal for community collaboration.

Publicly accessible Standards Portal:
o Method of communication and exchange
o Users submit use cases to be validated by NIST
o Goal is to enable interoperability for cloud computing before formal standards are complete. Until standards mature, what they are looking to create is a process to test system requirements.
o NIST is populating existing standards and de facto specifications in the portal

Within the larger security issues there are several other issues: trust, multi-tenancy, encryption, and compliance (included mention of Federal regulations)
o Data management is another area of concern:
  - How to transfer data in
  - How to transfer data out
  - How to back up to cloud
  - How to restore from cloud
  - How to archive/preserve in/to cloud

From the use cases submitted, NIST will create a taxonomy around:
o Portability: about keeping costs down and being able to cheaply and easily move from cloud to cloud
o Interoperability
o Security

FedRAMP: Federal Risk and Authorization Management Program

Came out of the Cloud Computing Advisory Council, which is made up of 75 members from 25 agencies.

Problem: agencies must do risk management of shared systems individually. They are duplicating efforts. They may have incompatible requirements. Acquisition is slowed by this lengthy compliance process.

They are looking to develop a program for government-wide risk management so that agencies can leverage authorizations already in FedRAMP. Agencies keep responsibility and authority to ensure systems and determine suitability of systems.

With FedRAMP, the anticipated benefits include:
o Risk management cost savings and increased effectiveness
o Interagency vetted approach
o Rapid acquisition
o Consistent application of Federal security requirements
USAspending.gov is an example of a site using Nebula.

At NASA now, employees are free to get a laptop, provision resources and broker cloud vendors seamlessly to users.
US Census
o Uses IaaS with the Akamai content delivery network
o They had an issue with the time it would take to stand up 2010census.gov, so they used Akamai
o They use Everbridge for mass notification of temporary Census employees, approximately 500,000
o They also have an internal private cloud used for correspondence tracking and other activities

Maryland Department of Transportation
o Began using Salesforce in 2006/2007 for state statistics reporting as required after the election of a new governor
o Released a public portal in December 2009: roads.maryland.gov

DOD CIO
o DISA is their infrastructure provider through RACE
o Focused on adoption of cloud computing and developing a data strategy
o Have a Cloud First mindset

Most challenging issues and how they've worked through them:
o NASA: using the same definitions for cloud, platform and infrastructure for systems developers and system administrators. Also acceptance in the agency.
o US Census: bridging IT and services and explaining how cloud computing is just a mode to deliver services. Also demonstrating value to the organization, setting up a fee-for-service shop, and moving away from the old mindset of buying a server and setting up a system.
o DOD: unknown as it is an evolving technology. Also, trying to make clouds work together across clouds (e.g. identity management).
o MD DOT: Resistance from those not understanding within the office. Also the psychological impact to the data owners of what it means to not have data in house.