W h i t e pa p e r

Cloud Computing: A Vital Step to

Federal IT Transformation

INTRODUCTION

The federal government’s approach to information technology is undergoing a seismic shift. Information access and
security concerns, dominated by physical access and control, have long governed agency thinking when it comes to
building the infrastructure that houses their data assets. Increasingly, though, high costs with few or no economies
of scale, and an inability to share or aggregate information across departmental and agency boundaries in a timely
way are causing real problems. The government’s responsiveness to its citizenry and its effectiveness in dealing with
twenty-first century threats – techno-terrorism and cybersecurity attacks as cases in point – are being affected.

With his Memorandum on Transparency and Open Government1, issued on January 21, 2009, the President instructed
the Director of the Office of Management and Budget (OMB) to issue an Open Government Directive that mandates
agencies to develop public-facing websites and post up-to-date information to support federal transparency,
participation, and collaboration goals:

• Transparency: Promote accountability by providing the public with information about what the government is
doing through public-facing websites.

• Participation: Allow the public to contribute ideas and expertise so that the government can make policies with
the benefit of information that is widely dispersed in society.

• Collaboration: Improve effectiveness by encouraging partnerships and cooperation within the federal government,
across levels of government, and between the government and private institutions.

The Memorandum also set aggressive timelines for meeting these goals. Agencies were directed to take prompt steps
by making information available online in open formats that can be easily retrieved, downloaded, indexed, and searched
by commonly used web search applications. However, creating public-facing websites and converting stored data to
user-friendly formats poses significant IT infrastructure and security challenges.
CLOUD COMPUTING: MEETING NEW INFRASTRUCTURE DEMANDS

Agencies have traditionally deployed and managed their own IT infrastructure. Much intra-agency information was
held captive by the constraints of security and compliance concerns. The Open Government Memorandum represents
a departure from traditional IT practices, and meeting its requirements will have a significant impact on agencies’
infrastructures. Additional guidance was recently provided when the federal government’s 2010 IT initiatives were
outlined at a high level. The budget overview discussed the government’s plan to “transform its IT infrastructure
by virtualizing data centers, consolidating data centers and operations, and ultimately adopting a cloud-computing
business model.2”

Cloud computing represents a fundamental change in managing and delivering information because the information
owners and users no longer need to work directly with the supporting physical infrastructure to benefit from the
services and information it delivers. As the National Institute of Standards and Technology (NIST) defines it, “Cloud
computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction.3” As such, this offers a number of marked advantages
to agencies seeking to meet the government’s new open government requirements or otherwise make more effective,
collaborative use of their data.

INCREASING SCALABILITY WHILE REDUCING INFRASTRUCTURE COST

Making agency data publicly accessible or available to other departments for collaborative action means that Federal
CIOs will face a common challenge: how to support unpredictable usage peaks and patterns as interaction that is not
easily modeled ebbs and flows. Many government sites receive millions of hits per day and traffic volumes can vary
significantly. Traffic increases dramatically and performance degrades when highly anticipated statistics are released,
during times of natural disasters or other crises, or at peak reporting times. As a growing volume of data is made
public or otherwise shared, traditional infrastructure cannot scale to support surge requirements or the real-time
responsiveness required. Building extra capacity into the infrastructure to accommodate usage peaks results in idle
capacity and is not a cost-effective strategy.

Cloud computing revolutionizes infrastructure cost and scalability decisions. First, IT decision-makers can leverage
a massively scalable, shared virtualized infrastructure to avoid capital expenditures and reduce operating expenses.
Agencies don’t have to win approval for large capital expenditures, and can avoid the costs of hardware, software,
salaries for specialized IT resources, training and ongoing support. Cloud computing also enables granular scalability,
scaling up and down as needed to deliver guaranteed resources on demand. If traffic volume spikes, additional
capacity can be immediately enabled, either directly via a provisioning interface or programmatically via the use of
application programming interfaces (APIs), and those resources can be retired just as easily after the event. With
dynamic access to capacity on demand, agencies are not faced with building an infrastructure sized to usage peaks.
Agencies need only pay for what they use, improving asset utilization and simplifying financial decision-making.

ENABLING AGILITY

Infrastructure agility will be an important component to encouraging agency and citizen participation and
collaboration. New data sets must be made rapidly available for the information to be relevant and useful to users.
Traditional government procurement and deployment cycles can take months, reducing the usability of data before it
can even be published. Because cloud infrastructure delivers guaranteed resources on demand, new capacity can be
added and high volumes of data posted or shared in real time.
ALLEVIATING RESOURCE CONSTRAINTS

Building, deploying, managing, and monitoring high-availability, real-time infrastructure is costly and resource-
intensive. Meeting the Memorandum’s requirements while staying within IT budget and headcount limitations will be
virtually impossible for many agencies applying traditional solutions.

Cloud computing solutions greatly reduce the pressure on already-constrained agency resources. Because the service
provider builds, deploys and manages the infrastructure for all users, each agency is freed from the time, cost, and
expertise requirements associated with mission-critical infrastructure. Web-based consoles make it easy for agencies
to control resources allocated to environments and automate tasks without requiring specialized knowledge or
assistance. Role-based security allows agencies to set, define, and revoke user roles and responsibilities as needed,
delegating workloads amongst internal resources and creating controls for workflow management. The relative ease
of managing cloud compute resources allows the agencies to focus on the utility of their data and objectives of their
missions.

ENSURING SECURITY AND COMPLIANCE ON THE CLOUD

Federal CIOs must also balance mandated broader, access to their data with the need to secure the content of their
information and to comply with various federal protocols for IT systems security. Commercial cloud infrastructure, like
traditional IT infrastructure, can and must be audited and certified for a range of requirements under federal protocols.
As a baseline for cloud computing, service providers should comply with all requirements of PCI DSS 1.2 as a Service
Provider, as well as NIST 800-53, 800-86 and 800-61 and US-CERT Concept of Operations for Federal Cyber Security
Incident handling. Another consideration is the physical site housing the agency’s cloud infrastructure. Commercial
datacenter facilities housing cloud infrastructure should be certified and accredited using NIST 800-83. Ultimately,
agency CIOs will want to find the most accredited cloud environment available.

Multi-layer security services can be delivered in the cloud to defend websites, applications and data from malicious
attacks, and cloud computing providers should employ these services while enabling agencies to acquire the
appropriate level of risk protection. A service provider’s cloud computing infrastructure should also provide highly
experienced, certified professionals who are deeply familiar with government security requirements and who can audit
and certify an agency’s cloud infrastructure. Advanced, managed security services should also be delivered through
the cloud to fully protect mission-critical data and services. Service providers should be able to deliver services that
will address federal best practice for a range of requirements, including logging, information security management,
application firewalls, two-factor authentication, full packet analysis, and vulnerability management. Providers must
also be able to help agencies prepare and undergo required certifications and accreditations for cloud infrastructure,
including conducting assessments and audits to ensure standards are met, as well as working with agency security
and IT teams to enact policy for standards. The economies of cloud computing permit agencies to redirect resources
toward even more stringent security provisions than they might have enjoyed before.

USA.GOV AND DATA.GOV IN THE CLOUD

Cloud computing is uniquely positioned to address the challenges faced by Federal CIOs as they work toward
meeting the Memorandum’s requirements and other growing needs to share data. Various federal websites have
already been deployed using a commercial provider of secure cloud computing services. Two of these, USA.gov and
Data.gov, are public-facing sites that operate on a commercial cloud computing infrastructure and are charged with
providing public benefit from the massive amounts of government-held information that is not in any way sensitive or
classified. USA.gov is the federal government’s official web portal and resource, designed to help the public interact
with the government more efficiently by directing people to a wide variety of federal, state and local government
services, such as grant instructions, consumer guides, health and nutrition updates, tax forms, voter registration,
student financial aid, and critical national disaster information. USA.gov had previously been deployed in-house and
used a virtualized approach. It was migrated to a service provider cloud infrastructure within 10 days. The General
 CLOUD CO M PU TIN G

Services Administration (GSA) received the monitoring and reporting features it needed and it also added a number
of security elements provided and integrated by their service provider atop the cloud environment. For example, GSA
required multi-factor authentication to access the USA.gov administrative portal, along with resource tracking, 128-bit
encryption for traffic, and packet flow analysis. Now USA.gov can maintain a small persistent footprint and deploy
on-demand scaling as traffic fluctuates. When traffic is at normal levels, GSA pays only a contracted baseline fee, but
it can seamlessly accommodate volume spikes when needed. Migration to the cloud has enabled GSA to avoid paying
for idle server time without compromising its ability to deliver real-time performance for users. As Federal CIO Vivek
Kundra has repeatedly said publicly, the GSA reduced annual costs for this service from $2.5 million to $800,000 by
moving it to cloud technology. In addition, this agile computing infrastructure allows GSA to deploy upgrades to USA.
gov in 24 hours instead of the six months that would otherwise be required in a traditional infrastructure model.

Enterprise-class cloud providers are building security into their cloud offerings, and services can be audited and
certified to meet government and agency-specific requirements. Agencies considering a cloud computing solution can
benefit from adopting a service with the same characteristics as the USA.gov and Data.gov cloud computing solutions.

NEXT STEP: IT TRANSFORMATION

The government’s 2010 IT initiatives outline further guidance on using virtualization and cloud computing to transform
agencies’ IT infrastructures and initiatives. However, the benefits already realized by two large federal agencies are
helping lead the way for other agencies tasked with bringing data to citizens through public-facing web sites. For more
information about cloud computing services designed for government requirements, visit www.terremarkfederal.com,
or contact Terremark Federal at (703) 964-8900.

Endnotes:

1. Executive Office of the President of the United States. Memorandum for the Heads of Executive Departments and Agencies. Transparency and Open Government. By President Barack Obama. 1/21/10.

2. Office of Management and Budget. Crosscutting Programs. Budget of the United States Government, FY 2011. 2010.

3. National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing. Version 15. By Peter Mell and Tim Grance. 10/7/09.

Terremark Worldwide, Inc. One Biscayne Tower, 2 S. Biscayne Blvd. Ste 2800 Miami, FL 33131
terremark.com TMRK_OG/032010