
Contracting cloud services ron scruggs 6960 pdf


Ron Scruggs, Thomas Trappler, & Don Philpott

Contracting for Cloud Services

A 6-Step “How-To” Guide to Contracting for Cloud Services Includes a 137-Element Contracting Checklist

About the Publisher – Government Training Inc.™

Government Training Inc. provides worldwide training, publishing and consulting to government agencies and contractors that support government in areas of business and financial management, acquisition and contracting, physical and cyber security and intelligence operations. Our management team and instructors are seasoned executives with demonstrated experience in areas of Federal, State, Local and DoD needs and mandates.

For more information on the company, its publications and professional training, go to www.GovernmentTrainingInc.com

Copyright © 2011 Government Training Inc. All rights reserved.

Printed in the United States of America.

This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system or transmission in any form or by any means, electronic, mechanical, photocopying, recording or likewise.

For information regarding permissions, write to:

Government Training Inc.

Rights and Contracts Department

This book has drawn heavily on the authoritative materials published by a wide range of sources.

These materials are in the public domain, but accreditation has been given both in the text and in the reference section if you need additional information.

The author and publisher have taken great care in the preparation of this handbook, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions.

No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or recommendations contained herein.

Telework: How to Telecommute Successfully

A 5-Step Guide Designed for the Modern Teleworker

Millions of people go to work every day without ever leaving their homes. They are part of a growing army of teleworkers in both the private and public sector.

If you think you can do your job from home without being distracted, then teleworking could be right for you—and it is certainly worth considering. The book spells out all the positives—and the negatives—and with the use of checklists and questionnaires will help you succeed as a teleworker.

Developing the Positive, Healthy & Safe Workplace

A 7-Step Management Process Leading to a Culture of Personnel Safety & Security

Rita Rizzo is a nationally recognized expert on all aspects of workplace quality, employee development, leadership and workplace security. Her thought-provoking seminars and books have brought practical solutions to the challenges of leadership. In the book, Rita presents a 7-step process for use by management and staff to create a positive, healthy, and safe workplace.

Delivering Your Message with PowerPoint

Highly Effective Communications for Government & Corporate Managers

PowerPoint presentations can be an enormously effective communications tool—provided you follow some basic rules.

These rules are spelled out in “Delivering Your Message with PowerPoint,” written by Dave Paradi, a proven expert and sought-after speaker at all levels of government and corporations.

The book is crammed with examples—good and bad—best practices, and checklists to ensure your presentation is a success.

be a strange title, but you should never get into a kick-boxing fight with a kangaroo—you would lose. In order to be successful you must understand the other participants—what they want, and the tools they use. You can then pick the tools and techniques that will work in your favor.

Executive Briefings & Presentations Best Practices Handbook

A Step-by-Step Process and Guide to Making Powerful Presentations to Colleagues and the Press

The book teaches you how to develop a plan so that you will know what to do, what to say, and how best to say it in any situation. These techniques will support you whenever you need to communicate—whether it is in the office, or in front of millions of people during a live television interview.

GovCloud: Cloud Computing for the Business

Handbook for Managing Teleworkers

A 5-Step Management Process for Managing Teleworkers

The book is an A-Z guide aimed at managers tasked with introducing teleworking, or overseeing teleworkers and ensuring that everything runs smoothly. The rules for managing teleworking are the same whether you are a federal or state employee, or work for a private company or organization. The book is also very useful to people who are considering teleworking, or trying to persuade their employer to introduce it.

Handbook for Managing Teleworkers – Toolkit

The handbook discusses all the arguments that have been put forward against teleworking and then debunks them using the latest surveys and case studies. There are chapters on problems and how to overcome them, how to motivate through counseling and coaching, and developing trust.

It is an invaluable resource for all telework managers and those who might be tasked with taking on this responsibility. An essential companion guide to Government Training Inc.’s Handbook for Managing Teleworkers.

This handbook has drawn heavily on authoritative materials published by many federal agencies and especially the Department of Defense (DoD), General Services Administration (GSA) and the Government Accountability Office (GAO). These materials are in the public domain, but accreditation has been given either in the text or in the reference section at the end of the book if you need additional information.

Disclaimer

Our aim is to provide a comprehensive framework that will allow you to understand the challenges of cloud computing, how to define procurement vehicles, processes and how to build and finalize a contract, as well as how to manage that contract. However, this book is a guide only and contains references should you need more detailed information on particular subjects. This book is not a legal handbook. “Example” clauses are given throughout this book, but before preparing a contract you must seek legal counsel. Also, if you have detailed legal questions seek the advice of an appropriate legal expert.

About the authors

Ron Scruggs

Ron Scruggs, Certified Technology Procurement Executive, has a distinguished career in sourcing, purchasing and contract management. He started his career in Washington, D.C., negotiating and managing federal government contracts in the 1960s. He also knows the international market well, having spent more than 20 years as Director of Contracts in Europe. Most recently he has co-developed the original Contracting in the Cloud seminar based on his experience since the early 2000s before the name “cloud” was attached to these services.

Ron has assisted companies with IT and Business Process Outsourcing, Cloud Services, software development, software licensing, and Website development and other projects. He has negotiated dozens of Cloud Services agreements and developed a number of Cloud SaaS template agreements for clients. Additionally, Ron has developed software agreements for vendors, as well as customers, leading to an edge by knowing the vendors’ reasons for their terms and conditions while also understanding the customer needs.

Acting as a consultant for a number of Fortune 500 and other companies, he has saved these companies millions of dollars while achieving better terms. On a single software deal, he saved $50 million for one of his clients.

As manager of Strategic Alliances for Digital and Bay Networks, he negotiated major purchases, such as personal computers ($40 million a year) and software alliances with Microsoft, Olivetti and other major firms. He also spent 20 years working as Director of Contracts for Digital and Bay Networks.

Ron has developed and taught courses to include Negotiation Success, Resolving Software Business Issues, Export Control Issues and Solutions, Open Software Dynamics and Procurement Management including Purchasing, Legal, Technical and Finance and Contract Management subjects.

Ron has a BA and MBA and has also completed post-graduate courses with INSEAD in France, the Institute of Business Methods (IMEDE) in Switzerland and the Swedish Institute of Management. His published articles include: “Get Better Deals by Listening,” “Effective SOW Writing,” “Cloudy SLAs,” and “What Vendors Do Not Want You To Know About Escrow.”

Ron lives in Florida with his wife of 45 years and his pet, Benji. He still consults and teaches IT procurement issues.

Thomas Trappler

Thomas Trappler (www.thomastrappler.com) is Director of Software Licensing at the University of California, Los Angeles (UCLA), and has extensive experience leading enterprise-wide IT procurement and vendor-management initiatives and negotiations focused on cost reduction and risk mitigation, with an emphasis on cloud computing contracts and software license agreements.

Elected the inaugural Chair of the University of California (UC) system-wide Technology Acquisition Support Group, Thomas has led the investigation, implementation and ongoing vendor management for more than 30 enterprise-wide IT acquisition agreements. These agreements provide 188,000 licenses to 228 operational units in a decentralized enterprise and have resulted in savings of $7.5 million/year. Additionally, Thomas is the lead author and project manager for initiatives to develop UC-wide standard software license agreement and cloud computing contract templates.

Dubbed “The Cloud Contract Advisor” by Computerworld magazine, Thomas is a nationally recognized expert and published author in cloud computing risk mitigation via contract negotiation and vendor management. He has been a guest lecturer at the Polytechnic Institute of New York University, and developed and teaches “Contracting in the Cloud,” the original seminar focused on the unique issues associated with the acquisition and management of cloud computing services.

Thomas is currently working with the Cloud Security Alliance as the lead author and project manager on an initiative to establish a standard cloud computing contract checklist.

His presentations and publications include: Cloud Expo West 2011, presentation, Cloud Computing Contract Issues, November 7, 2011; Educause 2011, presentation, Managing Cloud Security Risks Through the Right Partnerships, October 19, 2011; Computerworld, column, The Cloud Contract Adviser, ongoing; The Business of Cloud Computing Conference, pre-conference workshop, “Due Diligence and Cloud Service Agreements,” June 13, 2011; Security Professionals 2011, presentation, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, April 6, 2011; Educause West/Southwest Conference 2011, presentation, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, February 23, 2011; EDUCAUSE Live!, webinar, Spotlight on Cloud Computing, December 10, 2010; Educause 2010, discussion session, Cloud Computing Contract Issues, October 14, 2010; Educause Quarterly, article, If It’s in the Cloud, Get It on Paper: Cloud Computing Contract Issues, Volume 33, Number 2, 2010; Educause Quarterly, article, Is There Such a Thing as Free Software? The Pros and Cons of Open Source Software, Volume 32, Number 2, 2009.

Acknowledgements
Disclaimer

Step 1. Understanding Cloud Computing
Why it is Called Cloud Computing?
Key Cloud Computing Benefits
Challenges of Cloud Computing
PaaS Issues

Step 2. Understanding The Federal Government’s New Approach To Cloud Computing
Cloud First
President’s Cyber Policy
Federal CIO Statements
Cybersecurity Gets a Boost
IT Reform Push, Nine Months After ‘Cloud First’ Introduction
GSA is in the Cloud

Step 3. Identifying/Determining Your Needs
Provision of Selected IT Services
Successful Move to the Cloud Requires Agency Introspection First
Focus/Roadmap
Pricing Billing Terms

Step 4. Defining Potential Procurement Vehicles and Processes
Contracts and RFPs
How do you Gather Information on Cloud Services?
Customer References
A Process For Acquiring Cloud Computing Services
Developing a Performance-Based Work Statement
Other Agencies’ Cloud Implementations

Step 5. Building and Finalizing a Contract
Infrastructure/Security
Information Security
Operations Management
Third-Party Certifications
Customer Data Center Inspection Rights
Performance Reporting
Location of Data
Data Protection, Access, Location – Questions
Fees/Payments
Terms and Conditions Online
Storage Limits/Fees
Technical Support
SaaS, Security, the Cloud and the Contract

Step 6. Managing The Contract and The Vendor Relationship
Contract Administration
Overcoming Weaknesses
Contracting Officer’s Technical Representative (COTR)
Voucher/Invoice Review, Approval and Processing
Re-certification/Re-inspection
SLA/KPI Monitoring
Vendor Continued Viability – Proactively Monitor
Payment for Performance
Compliance
Relationship Advice for Contract Managers
Conclusion

Notice:

Appendices & Blank Forms are available online. To access additional materials, visit our website at

Cloud Services In the Reference Library Login area of the page, use the following credentials to login:

Username: GTI246679

Password: 10119781

This username and password are assigned to you, the purchaser. You will need to enter your email address when logging in so that we can verify each visitor. This information is for the use of the purchaser only and not to be distributed to anyone except the purchaser.

Throughout this book you will see a number of icons displayed. The icons are there to help you as you work through the Six Step process. Each icon acts as an advisory – for instance alerting you to things that you must always do or should never do. The icons used are:

This is something that you must always do

This is something you should never do

Really useful tips

Points to bear in mind

Have you checked off or answered everything on this list?

STEP 1

Understanding Cloud Computing

Cloud computing describes a broad movement to treat IT services as a commodity with the ability to dynamically increase or decrease capacity to match usage needs. By leveraging shared infrastructure and economies of scale, cloud computing presents organizational leadership with a compelling business model. It allows users to control the computing services they access, while sharing the investment in the underlying IT resources among consumers.

When the computing resources are provided by another organization over a wide-area network, cloud computing is similar to an electric power utility. The providers benefit from economies of scale, which in turn enables them to lower individual usage costs and centralize infrastructure costs. Users pay for what they consume, can increase or decrease their usage, and leverage the shared underlying resources. With a cloud computing approach, a cloud customer can spend less time managing complex IT resources and more time investing in core mission work.

Why it is Called Cloud Computing?

The term “cloud” is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.


“It comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us.” – Kevin Marks, Google

NIST Provides a Formal Definition for Cloud Computing

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models and four deployment models.”

Five Characteristics

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops and PDAs).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter). Examples of resources include storage, processing, memory, network bandwidth and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and consumer of the utilized service.

Three Service Models

The NIST definition categorizes cloud computing into three service models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface, such as a Web browser (e.g., Web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Examples: Google, NetSuite, RightNow, Salesforce, Service-Now, SuccessFactors, Taleo and Workday.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is the ability to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Examples: Google App Engine, Salesforce.com’s Success on Demand, Engine Yard and Azure.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Examples: Amazon Web Services (EC2, S3 etc.), ENKI, GoGrid, Logicworks, OpSource, Rackspace, SAVVIS (acquired by CenturyLink) and Terremark.

Four Deployment Models

The NIST definition of cloud computing includes four deployment models, each of which provides distinct trade-offs for agencies which are migrating applications to a cloud environment.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, and policy and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Key Cloud Computing Benefits

A number of government agencies are adopting cloud technologies and are realizing considerable benefits. For instance, NASA Nebula, through a community cloud, gives researchers access to IT services relatively inexpensively in minutes. Prior to adopting this approach, it would take researchers months to procure and configure comparable IT resources and significant management oversight to monitor and upgrade systems. Applying cloud technologies across the entire federal government can yield benefits such as:

• Rapid Deployment/Easy Implementation

• Access to Higher Level IT Resources

• Green IT

Cost Reduction

• You only pay for what you use, as you use it

• Hardware, software and IT staff expense reductions

• Additional reduced costs from energy and real estate

In FY2010, approximately 30 cents of every dollar invested in Federal IT was spent on data center infrastructure. Unfortunately, only a fraction of this investment delivers real, measurable impact for American citizens. By using the cloud computing model for IT services, the federal government will be able to reduce its data center infrastructure expenditure by approximately 30 percent (which contributes to the estimated $20 billion of IT spending that could be migrated to cloud computing solutions). Similar efficiency improvements will be seen in software applications and end-user support.

These savings can be used to increase capacity or be reinvested in agency missions, including citizen-facing services and inventing and deploying new innovations. Cloud computing can allow IT organizations to simplify, as they no longer have to maintain complex, heterogeneous technology environments. Focus will shift from the technology itself to the core competencies and mission of the agency.

Across the public and private sectors, data center infrastructure investments are not utilized to their fullest potential. For example, according to a recent survey, many agencies are not fully utilizing their available storage capacity and are utilizing less than 30 percent of their available server capacity. Low utilization is not necessarily a consequence of poor management, but, instead, a result of the need to ensure that there is reserve capacity to meet periodic or unexpected demand for key functions.

With cloud computing, IT infrastructure resources are pooled and shared across large numbers of applications and organizations. Cloud computing can complement data center consolidation efforts by shifting workloads and applications to infrastructures owned and operated by third parties. Capacity can be provisioned to address the peak demand across a group of applications, rather than for a single application. When demand is aggregated in this fashion and properly managed, the peaks and troughs of demand smooth out, providing a more consistent and manageable demand profile.

Tip

As utilization is improved, more value is derived from the existing assets, reducing the need to continuously increase capacity. Fewer machines mean less spending on hardware, software and operations maintenance, and real estate and power consumption.

The shift to cloud computing can help to mitigate the fragmented data, application and infrastructure silo issues associated with federated organizational and funding models by focusing on IT services as a utility. IT services become candidates for more cost-effective procurement and management, similar to the model currently used for buildings and utility services.

Cloud computing has the potential to provide a more interoperable and portable environment for data and systems. With the appropriate standards, over time, organizations may be able to move to common services and platforms.

Cloud computing can accelerate data center consolidation efforts by reducing the number of applications hosted within government-owned data centers. For those that continue to be owned and operated directly by federal agencies (e.g., by implementing private IaaS clouds), environments will be more interoperable and portable, which will decrease data center consolidation and integration costs because it reduces unnecessary heterogeneity and complexity in the IT environment.

Scalability

• Easily access resources needed

• Start small and increase over time

• Facilitate seasonal peak needs

• Resources can grow as your needs grow

With traditional infrastructure, IT service reliability is strongly dependent upon an organization’s ability to predict service demand, which is not always possible. For example, the IT system used in the Car Allowance and Rebate System (CARS, more commonly known as “Cash-For-Clunkers”) had numerous failures because the load was considerably higher than what its system could handle. The sponsor for “Cash-for-Clunkers,” the National Highway Traffic Safety Administration (NHTSA) anticipated a demand of 250,000 transactions over a four-month period, but within just 90 days, the system processed approximately 690,000 CARS transactions. Within three days of the first dealer registrations, the system was overwhelmed, leading to numerous outages and service disruptions. The $1 billion appropriated for the program was nearly exhausted within one week, and an additional $2 billion was appropriated to triple the potential number of transactions just nine days after the program began.

NHTSA deployed a customized commercial application hosted in a traditional data center environment, but the CARS system presented a very good example of an unpredictable service demand and a short development window that could have been more efficiently handled using a cloud computing approach. Cloud computing will allow agencies to rapidly scale up to meet unpredictable demand, thus minimizing similar disruptions. Notably, cloud computing also provides an important option for agencies in meeting short-term computing needs such as the one above; agencies need not invest in infrastructure in cases where service is needed for a limited period of time.

Remember

The impact of cloud computing will be far more than economic. Cloud computing will also allow agencies to improve services and respond to changing needs and regulations much more quickly.

With a larger pool of resources to draw from, individual cloud services are unlikely to encounter capacity constraints. As a result, government services, such as “Cash-for-Clunkers,” would be able to more rapidly increase capacity and avoid service outages. Given appropriate service level agreements and governance to ensure overall capacity is met, cloud computing will make the government’s IT investments less sensitive to the uncertainty in demand forecasts for individual programs, which frequently emerge rapidly in response to national program needs which cannot be foreseen in the early stages of the federal budget cycle.

• This can present a challenge if you don’t want to update. For example, due to lack of integration with in-house systems or lack of training for your end user staff.

Remote/Mobile Access

• Employees, partners and clients can access and update files and information wherever they are (as long as there’s an active Internet connection), rather than having to run back to the office.

• This increased accessibility can lead to increased productivity for employees that are on the road.

• This increased accessibility can lead to increased collaboration. The ease with which a geographically dispersed team can access the same documents makes it easier to work cooperatively on the same project. There is no need for time to be wasted waiting for emailed revisions because every team member can see what is being done by the others in real time.

• An additional benefit is that your in-house resources can be redirected from these areas to focus on differentiating projects related to and supporting your core business.

Rapid Deployment/Easy Implementation

Cloud computing also provides an indirect productivity benefi t to all services in the IT stack For example, less eff ort will be required to stand up and develop software testing environments, en-abling application development teams to integrate and test frequently in production-representative environments at a fraction of the cost of providing this infrastructure separately

Cloud-based projects can be conceived, developed and tested with smaller initial investments than traditional IT investments Rather than laboriously building data center capacity to support a new development environment, capacity can be provisioned in small increments through cloud comput-ing technologies After the small initial investment is made, the project can be evaluated for ad-ditional investment or cancellation Projects that show promise can gain valuable insights through the evaluation process Less promising projects can be cancelled with minimal losses Reducing the minimum required investment size will also provide a more experimental development environ-ment in which innovation can fl ourish

This “start small” approach collectively reduces the risk associated with new

application development.

• The ability to reduce capital investment and transform it into operational expenses is an advantage of cloud computing. Cloud computing can lower the initial cost and reduce the time it takes to deploy new services, and thus can align expense with actual use. Many businesses also prefer OPEX over CAPEX because of tax considerations.

• Instead of having to acquire, install and configure a wide range of hardware and software to get a new IT solution up and running (a process often taking months to complete), you just sign up for what you need over the Internet, and access to the service is typically provisioned in a matter of hours.

• Business process owner units, in particular, may value the ability to get a solution up and running quickly. The time reduction in their case may also be increased by the ability to bypass traditional central/corporate IT and/or procurement processes that they may have had to go through in the past. From an overall organization perspective, this may not always be a good thing.

Access to Higher Level IT Resources

• Some organizations, especially smaller agencies, may not always be able to afford to acquire the latest technology and/or hire IT staff with the highest level of skills. By moving to a cloud solution, those organizations can have more equal access to such technology and IT staff resources, thus allowing them to compete more effectively with larger organizations. Due to the economies of scale achieved by a cloud vendor, those resources can be provided at a lower cost than doing so in-house.

• Additionally, a cloud vendor may have expertise in business processes that are needed to keep your business running, but that are not your core business or a key differentiator. For example, Salesforce and CRM, or Workday and payroll/personnel. Moving to a cloud solution could provide you with access to expert systems and resources in those areas, again allowing you to redirect in-house resources to initiatives supporting your core business.

Cloud computing will not only make the federal government’s IT services more efficient and agile, it will also serve as an enabler for innovation. Cloud computing allows the federal government to use its IT investments in a more innovative way and to more easily adopt innovations from the private sector. Cloud computing will also help the federal government’s IT services take advantage of leading-edge technologies including devices such as tablet computers and smart phones.

Green IT

• Since a cloud provider’s core business is running data centers, they’re more likely to be able to build and run them in the most energy efficient manner possible (virtualized servers, efficient cooling, building close to renewable energy sources, etc.) than an organization with a different core business. This results in reduced needs to acquire in-house hardware, and reduced energy consumption and carbon footprints, per server.

• Organizations with green initiatives may be able to further those initiatives by adopting cloud services.

Cloud Benefits: Efficiency, Agility, Innovation

EFFICIENCY

Cloud Benefits:
• Improved asset utilization (server utilization > 60-70%)
• Aggregated demand and accelerated system consolidation (e.g., Federal Data Center Consolidation Initiative)
• Improved productivity in application development, application management, network and end-user

Current Environment:
• Low asset utilization (server utilization < 30% typical)
• Fragmented demand and duplicative systems
• Difficult-to-manage systems

AGILITY

Cloud Benefits:
• More responsive to urgent agency needs

Current Environment:
• Years required to build data centers for new services
• Months required to increase capacity of existing services

INNOVATION

Cloud Benefits:
• Shift focus from asset ownership to service management
• Tap into private sector innovation
• Encourages entrepreneurial culture
• Better linked to emerging technologies (e.g., devices)

Current Environment:
• Burdened by asset management
• De-coupled from private sector innovation engines
• Risk-adverse culture

Challenges of Cloud Computing

• Cloud Services are Dynamic and Changing
• Cloud Services Growth is Exploding
• Procurement Contracting has not Caught up with the Growth
• Vendor Contracts (Caveat Emptor, Buyer Beware)
• Legal “Cloudy and Foggy”
• Private Cloud Challenges
• PaaS Issues
• Other Key Challenges

Cloud Services are Dynamic and Changing

The cloud is a paradigm shift allowing people to network, compute and store data differently. Earlier, the solutions provided by the predecessors to the cloud were called time-sharing, then load-balancing and the Web; today we call the evolution the cloud. The enablers to cloud include virtualization, Web 2.0, service-oriented architecture (SOA) and pay-as-you-go models, among others.

When using cloud services, the gain has to be weighed against the cost and risk. According to an Information Week study, 62 percent of firms don’t monitor their cloud application performance. That lack of monitoring creates issues in getting what you pay for. Performance management including Service Level Agreements are part of the solution, when SLAs are drafted and managed properly.

Caution: You cannot outsource your responsibility to the cloud.

Your clients and users look to you when cloud service problems arise. Therefore, you need to do some thorough due diligence before contracting for cloud services.

Cloud Services Growth is Exploding

• We will see a growth to thousands of cloud vendors – Gartner
• By 2012, it will be 30 percent of IT budgets
• By 2012, over 80 percent of firms will be using the cloud
• “The industry is poised for strong growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion.” – Gartner
• A 2011 IBM poll of CIOs shows 70% will pursue the cloud in the next 5 years as a means of growing business and revenue
• Total SaaS revenues in 2012 are expected to reach $21.2 billion
• SaaS revenues will reach $92.8 billion by 2016
• By 2016, SaaS will have 26 percent of the total packaged software market (Forrester)

According to IDC’s landmark 2010 Digital Universe Study, the amount of data created and stored in 2009 via IaaS when used primarily as a storage vehicle was greater than ever before and was a remarkable 62 percent higher than the previous year. Over the next decade, the amount of data will be 44 times greater than it was in 2009.

Cloud services and growth will clearly change the way we do things.

Procurement Contracting has not Caught up with the Growth (dealing with outdated contract models)

• There are few customer cloud agreement templates
• Outsourcing agreements are a good base. Some consider cloud services as outsourcing
• ASP, “Hosting” are also good base documents
• Develop cloud agreements (or work statements) with emphasis on SLAs and KPIs, security and other key provisions, and address your business or mission needs

The authors have included checklist references and other data in this book to help you determine the provisions you should address in your “cloud” agreements. As part of the procurement process, developing an agreement and preparing a procurement document requires a knowledgeable team including a technology specialist, a lawyer, a procurement professional, a security professional and a user of the services.

Vendor Contracts

“The ease and convenience with which cloud computing arrangements can be set up may lull customers into overlooking the significant issues that can arise when key data and processes are entrusted to cloud service providers,” said Professor Christopher Millard, principal researcher on the Cloud Legal Project. This premise has also been the authors’ experience. Some key reasons for pre-contract due diligence include ensuring the vendor provides adequate infrastructure and security, the vendor is viable, and the cloud solution meets your mission or business requirements.

Businesses often jump to cloud solutions, since there are immediate economic benefits. However, this is often done without the realization of long-term risks and consequences that can easily eradicate the short-term savings.

Lack of security is one such consequence. Sometimes to get cloud services started, you just click on “accept” on the Web. Some cloud contract issues include:

• Major issue: information security policies and compliance often are not addressed
• Vendor contracts are written to protect the vendor
• Generally missing key concerns (your reasons for using cloud services)
• Performance (results are not meeting requirements)
• Data loss without backup guarantee
• SLAs and KPIs are missing – as well as the right SLAs/KPIs
• Performance results
• Remedies (no remedy for vendor cloud failure)
• Disaster Recovery (including how much data is lost, and when you can use the services again)

Vendor contracts are drafted by vendors in order to protect themselves. Often the disclaimer language is much clearer than the language describing the services you are contracting for. Following is a summary of the forms and format of standard vendor terms and some recommendations. More details are provided later in this book. Note that in Federal Government contracting the vendor contracts are not part of the Government award. GSA, for example, has the terms of their Schedule 70 apply to awards.

Vendor agreements usually have a number of modules and a provision that the cloud vendor can change the terms at any time (often by just posting the changes on the Web).

Terms of Service (ToS) – the agreement boilerplate. This has disclaimers of warranty, liability and other risk reduction provisions. The authors recommend you develop your own template agreements in a way that balances your requirements and risk, as well as vendor risk.

Acceptable Use Policy (AUP) – usually adequate except for remedy without notice. These require review, should be aligned with your use policy and have a notice for violations and a cure period.

Privacy Policy – often allowing the vendor to share data without notice to you. These should require notice to you prior to the sharing of data or, in the event of legally required immediate release, that you are notified as to its release.

Service Level Agreement (SLA) – generally not addressing customer needs. May reflect only downtime of system with exclusions to downtime. Does not reflect loss of data when system returns to operation or how long system is down.

• SLA may allow vendors to market 100 percent uptime – BUT there may be exceptions to what is considered downtime (or uptime) or the credits may not apply until a lesser uptime (they guarantee 100 percent, but credits do not apply until the 99 percent uptime threshold is hit)
• Exceptions to uptime (maintenance, force majeure, etc.)
• Little remedy for failure – does not address loss of revenue, customers, and does not address loss of data and recovery points for data loss or time to restore service
• Threshold for remedies – often remedies do not kick in until after a period of “free” downtime as the example in the prior bullet point shows

An Acceptable Use Clause (a Cloud Vendor Example)

“You agree to be solely responsible for the contents of your transmissions through the Services. You agree not to use the Services for illegal purposes or for the transmission of material that is unlawful, defamatory, harassing, libelous, invasive of another’s privacy, abusive, threatening, harmful, vulgar, pornographic, obscene, or is otherwise objectionable, offends religious sentiments, promotes racism, contains viruses, or that which infringes or may infringe intellectual property or other rights of another. You agree not to use the Services for the transmission of ‘junk mail,’ ‘spam,’ ‘chain letters,’ ‘phishing’ or unsolicited mass distribution of email. We reserve the right to terminate your access to the Services if there are reasonable grounds to believe that you have used the Services for any illegal

an agreement that is one-sided does provide the vendor an economic benefit, but does not provide customers with reasonable protections and does not guarantee performance.

For instance, the following actual summary of terms and conditions from a cloud vendor was a major cause of concern:

• Minimum 5 yr term, renewal 3 yrs
• Customer to comply with online terms of use, terms may change (including price)
• Ninety-nine percent uptime, five percent for each percentage point below to a maximum credit of 15 percent
• Exception for upgrades and maintenance and events beyond control of vendor
• No acceptance testing of customization
• Service “as is” and disclaims it will provide satisfactory quality, data accuracy, uptime
• No guarantee that the service will meet your requirements or needs
• No guarantee of access to the service or the accuracy of the service
• No guarantee of availability of its Website
• Customer’s sole remedy – Customer stops use of service
• Oh, by the way – $500K upfront payment for the first year of service

Other security and backup: You are responsible for properly configuring and using the service and taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving of Your Content.

Disclosure of Data: We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Remember that, almost without exception, providers go to considerable lengths to deny that any performance warranty (or security warranty in many cases) existed.

[Note that this procurement was sent out to bid after a review of the many issues (the term was too long, there was no guarantee of performance, plus the other issues noted above). The particular vendor with these provisions was not invited to bid.]

Loss of Governance

In using cloud infrastructures, the client necessarily cedes control to the cloud vendor on a number of issues which may affect security. At the same time, Service Level Agreements (SLAs) may not offer a commitment to provide such services on the part of the cloud vendor, thus leaving a gap in security defenses.

Governance implies control and oversight over policies, procedures and standards for application development, as well as the design, implementation, testing and monitoring of deployed services. With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn’t alleviate the need for governance; instead, it has the opposite effect, amplifying that need as vendors and third parties are now involved.

A recent study of the private sector showed that some company executives went directly to cloud vendors and ordered their services without involving their IT department. The executives had the budget and wanted fast deployment and cheaper costs without the normal internal processes impeding their efforts. In the government markets, this is not as easy to accomplish with the formal processes in place to put controls on spending public funds.

• One way vendors avoid having to address due diligence issues with IT is to go around IT
• Technology companies know the value in selling directly to the line-of-business
• Often this “end-around” is a normal sales tactic
• Today, many commercial managers themselves want to avoid the IT process
• The majority of cloud vendors admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms
• The majority of cloud vendors believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers
• Buyer beware – on average, providers allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.

Only 36 percent of U.S. and 57 percent of European cloud computing users strongly agree or agree that their organization is vigilant in conducting audits or assessments of cloud computing providers before deployment.

A cloud vendor should be able to offer world-class security and data privacy better than its customers can do on their own, and at no additional cost. Processes and policies should encompass physical, network, application and data level security, as well as full back-up and disaster recovery.

The provider should be compliant with security-oriented laws, certifications and auditing programs, including Safe Harbor, ISO 27001/2, and SSAE 16 (replaced SAS 70 effective 6/15/11) and the NIST standards.

Data Issues

• Data ownership
• Confidentiality
• Will you get your data?
• How and when?
• What format?
• Will it be transitioned?
• Will it be blocked from future access?

These issues are addressed later in this book when we examine the key contract issues in detail.

Multi-tenancy/Shared Services

Multi-tenancy refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants).

Multi-tenancy is the key common attribute of both public and private clouds, and it applies to all three layers of a cloud: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).

Cloud computing services go beyond tactical features such as virtualization, and head towards implementing billing—or chargeback in the case of private clouds—based on metered usage. Cloud computing service also features improved accountability using service-level-agreements (SLAs), identity management for secured access, fault tolerance, disaster recovery, dynamic procurement and other key properties.

By incorporating these shared services at the infrastructure layer, all clouds automatically become multitenant. Then tenants can enjoy the full spectrum of common services from a cloud, starting at the hardware layer and going all the way up to the user-interface layer.

The challenge is how to effectively share infrastructure resources among multiple users, while at the same time ensuring data isolation between users, as if they are running on completely physically separate servers. If not done well, this could lead to unauthorized data access, or unintentional intermingling of data.

Vendor Lock-In

Lack of data portability makes it difficult to migrate to another provider or migrate to an in-house IT environment. A Gartner survey in 2010 found that many customers considered the fear of lock-in a greater deterrent to cloud computing than security. Lock-in makes the customer contractually dependent on the vendor for products and services, and there are usually substantial costs in switching to another vendor. One concern is that information might not be easily transferable if vendor A uses one technology, i.e., a proprietary platform, and vendor B uses another. However, as more customers choose multiple vendors to provide the different services required, cloud vendors may be forced to provide better transportability of information.

Note: The Storage Networking Industry Association’s Technical Work Group is developing an API called the Cloud Data Management Interface that would allow providers to migrate customer data from one vendor’s cloud to the next – a move aimed at alleviating vendor lock-in. When that occurs, you will have the issue of cloud vendor acceptance and use, among others. The CDMI is a step in the right direction that customers should be requiring once it is finalized.

Contract Term Lock-In

Another form of vendor lock-in is a term of agreement provision. In the example previously noted, the vendor required a five-year term. That five-year term posed many risks including:

1. The solution required tailoring without an acceptance process for the solution
2. The customer had to pay before the solution was developed, tested and accepted
3. If better technology came along, you were stuck with this solution during contract term
4. The cloud vendor could change the price and terms of the agreement at any time
5. The vendor may not be around for five years

Generally, start with a short term of around one year from acceptance of the services with renewals at customer’s option. Have an agreed renewal/extension price ceiling included in the original agreement.

Vendor Viability

With the explosion in cloud computing, many vendors are jumping on the bandwagon to provide products and services. Some are well prepared to do this and have a proven track record. Others do not. Selecting the right vendor is critical. The vendor must not only be the owner of the services it is providing, it should prove that it has adequate arrangements and expertise in place to guarantee long-term viability. You should always ask the following questions:

• Is the company financially stable?
• Does it have a proven backup strategy?
• What do other users say about the company and its performance?

Also, in many customer agreements, there is a requirement for annual financial statements and interim reports required when significant events occur, such as a vendor officer resigns, there is a lawsuit instigated that may impact your rights to use the service, there is a decision to file for chapter 11 bankruptcy or other events that impact the company’s ability to stay in business. This provision would be one that both public and private organizations should incorporate in their contracts.

Must Do: Do your due diligence when choosing a vendor.

Ask for financial information from the company itself, and use whatever other resources are available to you to check this. Some cloud vendors may be private companies so a lot of their financial information is not made public. If they want your business they should be willing to provide financial documents. If they refuse to do so, suspect the worst and refuse to contract in such circumstances.

There are several ways you can still check out private companies. Check out their online investor relations information, and find out which venture capitalists (VCs) are supporting them. You can check out the track record of the VCs, and see how well they have done in this arena and what experience they have supporting other cloud vendors. Check out the vendor’s management team – who are they, what experience do they have, are there any skeletons in their closet (i.e., did the CEO’s previous two companies declare bankruptcy!).

Recent Vendor Problems

EMC shut down its Atmos EMC and offered no guarantee that its customers could retrieve their data once the service closed. Vaultscape also closed.

In April 2011, Iron Mountain announced it had stopped accepting new customers for its Virtual File Store service and was planning to shut it down over the next two years. Also in April 2011, Cirtas Systems announced it was leaving the market to regroup.

The Sony PlayStation Network reported a data breach that compromised the personal data of more than 100 million customers because of IT failure to safeguard (including encryption) personal data. Reuters reported that the data breach “may claim another victim – the cloud computing industry.” These failures are more prevalent than people want to accept, and they existed well before the cloud did.

Microsoft’s Business Online Professional Services (BPOS) experienced a series of major outages. BPOS was down for six to nine hours for most customers in early May 2011, followed by sporadic outages over the next couple days. During that time, productivity was significantly impacted, since much of getting business done relies on being able to send and receive emails.

Online backup company Carbonite alerted the public that it had lost data belonging to more than 7,500 customers over a number of separate incidents by filing a lawsuit against a hardware vendor and systems integrator. Carbonite claims that the cloud storage disaster was the result of $3M in faulty equipment provided by a vendor. In fact, according to Carbonite, it turned out that only 54 customers were unable to retrieve their data. Regardless of the number, companies lost data that they were not able to retrieve.

Cloudy SLAs

When moving to cloud services, Service Level Agreements (SLAs) are a cornerstone to success. Having a part of the agreement with SLAs to align with business goals is a key. Those vendor agreements that do have SLAs (generally only for system availability during a defined period) are inadequate in that availability is only one of the key elements relating to one’s business goals and measures of success.

Additionally, the vendor SLA generally has minimal downtime credits (if any), some downtime not applicable and other escapes that do not give you much protection. For example, the vendor may limit the amount of credits and start downtime at a point lower than the promised threshold. One vendor limited credits to 15 percent of the monthly revenue even if the system was down for 100 percent of the time. Regardless of the downtime, credits do not address your lost revenue, lost customers, lost data and other things.

Availability/downtime SLAs should address a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO) in order to be effective and to allow you to understand the full risk. If a system goes down at 2:00 pm local time, and you have a four-hour RTO and an eight-hour RPO, you may be looking at the next business day for restart of services and the prior business day where your data is recoverable. RTO and RPO are also key elements of a disaster recovery/business continuity plan.
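The credit terms quoted earlier (99 percent threshold, five percent per percentage point below it, 15 percent cap, maintenance and force majeure excluded) and the 2:00 pm RTO/RPO case above can be worked through on a month of outage data. The Python below is an added example, not from the book or any vendor; the outage log is constructed, and the business hours (08:00 to 17:00), the exclusion labels and the reading that only whole percentage points earn credit are assumptions.

```python
from datetime import datetime, time, timedelta
from fractions import Fraction

# Causes the vendor's SLA excludes from "downtime" (assumed labels for the
# exceptions the text lists: maintenance, force majeure).
EXCLUDED = {"maintenance", "force_majeure"}

# Assumed business hours, used only to translate RTO/RPO into business days.
OPEN, CLOSE = time(8, 0), time(17, 0)

# Constructed outage log for one 30-day billing month (sample data).
PERIOD_START, PERIOD_END = datetime(2011, 6, 1), datetime(2011, 7, 1)
OUTAGES = [
    (datetime(2011, 6, 3, 1, 0), datetime(2011, 6, 3, 5, 0), "maintenance"),
    (datetime(2011, 6, 10, 14, 0), datetime(2011, 6, 10, 23, 0), "vendor_fault"),
    (datetime(2011, 6, 21, 9, 0), datetime(2011, 6, 22, 3, 0), "vendor_fault"),
]


def uptime_percent(period_start, period_end, outages, honor_exclusions=True):
    """Exact uptime percentage for the period (outages assumed not to overlap)."""
    total = period_end - period_start
    down = timedelta()
    for start, end, cause in outages:
        if honor_exclusions and cause in EXCLUDED:
            continue  # the vendor does not count this as downtime
        # Clip each outage to the billing period before adding it up.
        start, end = max(start, period_start), min(end, period_end)
        if end > start:
            down += end - start
    one_second = timedelta(seconds=1)
    return Fraction((total - down) // one_second, total // one_second) * 100


def credit_percent(uptime, threshold=99, per_point=5, cap=15):
    """Credit as a percentage of the monthly fee under the quoted terms."""
    if uptime >= threshold:
        return 0  # a "100 percent" promise pays nothing above the threshold
    full_points = int(threshold - uptime)  # assumption: only whole points count
    return min(full_points * per_point, cap)


def recovery_window(failure, rto_hours, rpo_hours):
    """Latest acceptable restore time and oldest acceptable recovery point."""
    return failure + timedelta(hours=rto_hours), failure - timedelta(hours=rpo_hours)


def _weekday(day, step):
    """Move day by step (+1 or -1) until it falls on Monday to Friday."""
    while day.weekday() >= 5:
        day += timedelta(days=step)
    return day


def business_impact(failure, rto_hours, rpo_hours):
    """Worst case in business terms: when work resumes and from what data state."""
    restore_by, data_from = recovery_window(failure, rto_hours, rpo_hours)

    day = restore_by.date()
    if day.weekday() >= 5 or restore_by.time() >= CLOSE:
        # Restored after hours: users are back the next business morning.
        usable = datetime.combine(_weekday(day + timedelta(days=1), 1), OPEN)
    else:
        usable = max(restore_by, datetime.combine(day, OPEN))

    day = data_from.date()
    if day.weekday() >= 5 or data_from.time() <= OPEN:
        # Recovery point predates today's work: only the prior business day is safe.
        data_state = datetime.combine(_weekday(day - timedelta(days=1), -1), CLOSE)
    else:
        data_state = min(data_from, datetime.combine(day, CLOSE))
    return usable, data_state


if __name__ == "__main__":
    counted = uptime_percent(PERIOD_START, PERIOD_END, OUTAGES)
    raw = uptime_percent(PERIOD_START, PERIOD_END, OUTAGES, honor_exclusions=False)
    print(f"uptime per vendor terms: {float(counted):.2f}%, credit {credit_percent(counted)}%")
    print(f"uptime as experienced:   {float(raw):.2f}%, credit {credit_percent(raw)}%")
    print("2:00 pm failure, 4h RTO, 8h RPO:", business_impact(datetime(2011, 6, 14, 14, 0), 4, 8))
```

In the sample month the maintenance exclusion alone moves the credit from the 15 percent cap down to 10 percent, and a full-month outage still earns only the cap.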

Business SLAs fall into these major categories: Availability, Performance/Workload (including latency), Accuracy/Quality, Recoverability, and Security and Cost. The cost consequences of failures to meet a requirement are a key SLA negotiation issue. A due diligence process can help one focus on areas that need attention and/or improvement. Another point is to have a few key SLAs that are reasonable and measurable. For example, if you are focusing on availability you don’t need to include in the SLAs all the elements that go into availability, such as response time, trained technicians, responsive call handlers and so forth. You may want to include a vendor’s report on these elements as key performance indicators (KPIs) to help understand what went wrong in the process that led to a failed SLA. The SLA/KPI difference is that the vendor monetary credits are based on missing SLA targets, not missing KPI metrics.

Some additional tips:

• When a vendor owes credits, have a process to take the credits quickly
• Have an “at risk pool” to set up SLA process
• All SLAs should include root-cause analysis findings for failures to meet the SLA
• Consider using a third party to monitor SLAs
• Monitor SLAs on a frequent basis, ideally on a continual basis
• Have a clause to review the SLAs at least monthly and apply credits for mal-performance

An “at risk” pool is a sum of money available for allocation to the SLA. The “at risk” amount can be a percentage of total monthly charges held back and placed at risk by the service provider, and it is tied to attainment of critical service levels. The risk pool may be a percentage of the total contract amount set aside as a payment-for-performance amount. The result is a fixed price of 80 percent, with 20 percent set aside as payment for performance of SLAs. A proportion of the “at risk” pool is usually allocated to each performance category. For the service provider, it establishes the maximum “at risk” amount without excessive risk, fixes the size of the “at risk” pool and allows for earn-back if it meets the performance requirements or targets specified in the SLA. For the customer, it provides a meaningful “at risk” amount which can be applied to critical service levels, and it can be tied to annual performance reviews to ensure performance, as well as continuous improvement discussions and implementation.

Legal “Cloudy and Foggy”

In the past, many legal issues involved in commercial cloud computing were resolved during contract evaluation (i.e., when making comparisons between different providers), similar to the days of the mainframe computer vendors when their contract was required by them for the project.

Opportunities exist for prospective customers of cloud services to choose providers whose contracts are negotiable. Employing an RFP process (such as used in the GSA cloud efforts for email and IaaS) helps your negotiation efforts.

Standard contract clauses require additional review because of the nature of cloud computing. The parties to a contract should pay particular attention to their rights and obligations related to notifications of breaches in security, data transfers, data ownership, change of control and access to data by law enforcement entities. Because the cloud can be used to outsource critical internal infrastructure, and the interruption of that infrastructure may have wide-ranging effects, the parties should carefully consider whether standard limitations on liability adequately represent allocations of liability, given the parties’ use of the cloud or responsibilities for infrastructure.

Until legal precedent and regulations address security concerns specific to cloud computing, customers and cloud providers alike should look to the terms of their contract to effectively address security risks.

In commercial agreements most companies will “carve out” exceptions to limitations of liability. These carve outs would be for gross negligence, willful misconduct, violations of confidentiality or intellectual property matters. Use a lawyer to help you with specific language, in the event your template agreements do not address the limitation of liability and carve-outs from the limitation of liability.

The following is a list of areas the customer should pay particular attention to when assessing SLAs and other agreement documents for cloud services (from the European Network and Information Security Agency (ENISA)):

1. Data Protection: attention should be paid to choosing a processor that provides sufficient technical security measures and organizational measures governing the processing to be carried out, and ensuring compliance with those measures.

2. Data Security: attention should be paid to mandatory data security measures that potentially cause either the cloud provider or the customer to be subject to regulatory and judicial measures if the contract does not address these obligations.

3. Data Transfer: attention should be paid to what information is provided to the customer for information security regarding how data is transferred within the cloud provider’s proprietary cloud, outside that cloud, and within and outside the United States.

4. Law Enforcement Access: each country has unique restrictions on, and requirements providing for, law enforcement access to data. The customer should pay attention to information available from the provider about the jurisdictions in which data may be stored and processed, and evaluate any risks resulting from the jurisdictions which may apply.

5. Confidentiality and Non-disclosure: the duties and obligations related to this issue should be reviewed. Define personal identifiable information as confidential information.

6. Intellectual Property: in the case of IaaS and PaaS, intellectual property, including original works created using the cloud infrastructure, may be stored. The cloud customer should ensure that the contract respects their rights to any intellectual property or original works as far as possible, without compromising the quality of service offered (e.g., backups may be a necessary part of offering a good service level).

7. Risk Allocation and Limitation of Liability: when reviewing their respective contract obligations, the parties should underscore those obligations that present significant risk to them by including monetary remediation clauses, or obligations to indemnify, for the other party’s breach of that contract obligation. Furthermore, any standard clauses covering limitations of liability should be evaluated carefully.

8. Change of Control: transparency concerning the cloud provider’s continuing ability to honor their contract obligations in the case of a change of control, as well as any possibility to rescind the contract.

Private Cloud Challenges

• Cloud services with slower implementation – you keep data on your machines and software, but lose some of the economic and fast implementation benefits

• May not provide the scalability and agility of public cloud services – the expense of maintenance, upgrades, new servers and new technology are foregone

• Have to procure and manage hardware and software

• Generally more expensive than public cloud


PaaS Issues

First Generation PaaS solutions may necessitate redundancy and higher costs on your part, and result in proprietary lock-in. Developing on a particular PaaS platform may require that a customer write using the vendor’s potentially unique code. This may not be easily transferable to another PaaS platform, so could lead to lock-in. Ideally, PaaS should support your current programming models and applications, enable cloud portability, and provide the abstraction and management capabilities necessary to simplify application development and deployment. PaaS systems should have flexibility and portability designed into the architecture to prevent technology lock-in.

Other Key Challenges to Consider

• Where do the applications and/or servers reside?

• What is their capacity?

• What support is provided?

• What are your options to minimize the impact if the cloud vendor has service interruption?

• In the event of a security breach, what are the privacy and legal liabilities – as databases housing sensitive information will not be housed offsite?


STEP 2

Understanding The Federal Government’s New Approach To Cloud Computing

Why is Cloud Computing Important?

The global cloud-computing market is expected to reach $241 billion in 2020, up from $41 billion in 2010, according to Forrester Research. In a nutshell, cloud computing can save time and money, as well as provide for quick solution deployments. How you implement it is important since you must address security (including personal data privacy), consider vendor viability and how to measure performance and success among other factors. The federal government’s “Cloud First” policy is energizing agencies’ movement to the cloud.

Cloud First

To harness the benefits of cloud computing, the White House has instituted a Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.

By leveraging shared infrastructure and economies of scale, cloud computing presents a compelling business model for federal leadership. Organizations will be able to measure and pay for only the IT resources they consume, increase or decrease their usage to match requirements and budget constraints, and leverage the shared underlying capacity of IT resources via a network. Resources needed to support mission critical capabilities can be provisioned more rapidly, and with minimal overhead and routine provider interaction.

Cloud computing can be implemented using a variety of deployment models—private, community, public or a hybrid combination.

Cloud computing offers the government an opportunity to be more efficient, agile and innovative through more effective use of IT investments, and by applying innovations developed in the private sector. If an agency wants to launch a new innovative program, it can quickly do so by leveraging cloud infrastructure without having to acquire significant hardware, lowering both time and cost barriers to deployment.

This Federal Cloud Computing Strategy is designed to:

• Articulate the benefits, considerations and trade-offs of cloud computing

• Provide a decision framework and case examples to support agencies in migrating towards cloud computing

• Highlight cloud computing implementation resources

• Identify federal government activities, and roles and responsibilities, for catalyzing cloud adoption

Consistent with the Cloud First policy, agencies must modify their IT portfolios to take full advantage of the benefits of cloud computing in order to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.

“The cloud will do for the government what the Internet did in the ’90s. We’re interested in consumer technology for the enterprise. It’s a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions.” Vivek Kundra, former federal CIO

In testimony before the Senate Subcommittee on Federal Financial Management, Government Information Services, Federal Services and International Security Committee on Homeland Security and Homeland Affairs, on April 28, 2009, the Government Accountability Office (GAO) said management and oversight of projects totaling billions of dollars needed more attention.

David A. Powner, Director of Information Technology Management Issues at GAO, said billions of taxpayer dollars are spent on federal information technology (IT) projects each year. Given the size of these investments and their significance to the health, economy, and security of the nation, it is important that the Office of Management and Budget (OMB) and federal agencies are providing adequate oversight and ensuring transparency of these programs. Appropriate oversight and transparency will help ensure that programs are delivered on time, within budget and with the promised capabilities.

Must Do: Each agency is required to re-evaluate its technology sourcing strategy to include consideration and application of cloud computing solutions as part of the budget process.


President’s Cyber Policy

In the Memorandum on Transparency and Open Government, issued on January 21, 2009, President Obama instructed the Director of the Office of Management and Budget (OMB) to issue an Open Government Directive. Responding to that instruction, OMB issued its Directive on December 8, 2009. It directs executive departments and agencies to take specific actions to implement the principles of transparency, participation and collaboration set forth in the President’s Memorandum.

The three principles of transparency, participation and collaboration form the cornerstone of an open government. Transparency promotes accountability by providing the public with information about what the government is doing. Participation allows members of the public to contribute ideas and expertise, so that their government can make policies with the benefit of information that is widely dispersed in society. Collaboration improves the effectiveness of government by encouraging partnerships and cooperation within the federal government, across levels of government, and between the government and private institutions.

This Open Government Directive establishes deadlines for action. But because of the presumption of openness that President Obama has endorsed, agencies are encouraged to advance their open government initiatives well ahead of those deadlines. As part of the open government initiative, federal departments have also been urged to exchange information and best practices and to contribute to the federal dashboard which is designed to help them assess the effectiveness of government IT spending – and make this information available to the public. Departments are also being encouraged to review their data center policies and consider the economics of switching to cloud computing.

25-Point Implementation Plan to Reform Federal Information Technology Management

Information technology should enable government to better serve the American people. But despite spending more than $600 billion on information technology over the past decade, the federal government has achieved little of the productivity improvements that private industry has realized from IT. Too often, federal IT projects run over budget, behind schedule or fail to deliver promised functionality. Many projects use “grand design” approaches that aim to deliver functionality every few years, rather than breaking projects into more manageable chunks and demanding new functionality every few quarters. In addition, the federal government too often relies on large, custom, proprietary systems when “light technologies” or shared services exist.

Government officials have been trying to adopt best practices for years – from the Raines Rules of the 1990s through the Clinger-Cohen Act and the acquisition regulations that followed. But obstacles have always gotten in the way.

A 25-point action plan has been designed to clear these obstacles and deliver more value to the American taxpayer. It should allow agencies to leverage information technology to create a more efficient and effective government. These actions have been planned to take place over the next 18 months and place ownership with OMB and agency operational centers, as appropriate. While the 25 points may not solve all federal IT challenges, they will address many of the most pressing,

Date posted: 21/03/2019, 09:41
