NIST: We’re from the government and we’re here to help

Is cloud computing ready for government work? Not yet, but a new U.S. Government Cloud Computing Technology Roadmap draft sets out action items that government IT gurus say will speed the adoption of safe and secure cloud implementations suitable for government use.

While popular among consumers who love their Google Apps, Facebook, and Dropbox, cloud computing still gets a bad rap from some IT buyers who see security problems emanating from the shared infrastructure that underlies the cloud model. There’s also a lack of consistent terms and service level agreements (SLAs) that large government agencies (or any large enterprises, for that matter) want before investing heavily in moving IT from on-premises deployments to the cloud.

The draft released this week from the National Institute of Standards and Technology (NIST), working with the U.S. Federal CIO Council and others, aims “to make it substantially easier to buy, sell, interconnect and use cloud environments in the government,” NIST Director Pat Gallagher said Wednesday, according to InformationWeek. “The roadmap will serve as our action plan, and we expect it not only to drive federal standards efforts, but because our needs are not unique in government, we think it will help the private sector as well.”

In related news, Steven VanRoekel, the CIO of the federal government, told attendees of the NIST Cloud Computing forum and workshop this week that FedRAMP, the Federal Risk and Authorization Management Program, a standard way to vet or approve cloud computing deployments, will eventually be mandatory for government agencies.

Here are some highlights from this week’s events.

1. FedRAMP as on-ramp (bottleneck?) to government cloud

In theory, FedRAMP would speed government cloud deployments because it will assess various cloud computing services up front, so each agency wouldn’t have to do that on its own. (Although each agency will still be encouraged to assess the service’s risk/benefits for its own specific use case.) That would, in theory, alleviate some concerns about risk.

According to Government Computing News, VanRoekel said FedRAMP will not only help agencies avoid duplicated efforts around IT procurement, but also speed their move to cloud computing.

Final review of the FedRAMP guidance is underway at the White House and the Office of Management and Budget. The next step is for the OMB to organize and publish guidelines. Outside the government, there’s consternation about FedRAMP. Security expert Chris Hoff of Juniper Networks clearly needed to be talked off the ledge when he read the initial draft last year. He characterized it as a rehash of “existing legacy risk assessment, vulnerability management and reporting frameworks.”

2. Safety first

Recent developments highlight concerns that cloud computing technologies aren’t secure enough for use by law enforcement organizations that deal with sensitive information. There has been a hue and cry, for example, around the Los Angeles Police Department’s refusal to deploy Google Apps as its email system.

According to the NIST roadmap:

“While cloud computing security requirements are not unique in their entirety or separate from general IT security requirements, the cloud computing environment presents unique security challenges. The architecture, potential scale, reliance on networking, degree of outsourcing, and shared resource aspects of the cloud computing model make it prudent to reexamine current security controls. Multi-tenancy is an example of an inherent characteristic of the cloud environment which intuitively raises a security concern that one consumer may impact the operations or access data of other tenants running on the same cloud.”

The group recommended that a list of the top security concerns for federal, state, and local governments be formulated each quarter, along with a list of mitigations for these concerns.

3. Setting service level agreements

The whole notion of vendor accountability is a huge hurdle for cloud computing. When a vendor’s software is running on servers in-house, it’s relatively easy to assess responsibilities when things go south. In the cloud world, the supply chain is more muddled.

Government agencies want the same sort of SLAs that big IT buyers can get in the non-cloud world. Buyers and sellers typically negotiate such agreements up front, and SLAs include guarantees and warranties for a certain level of service. In short, if there are snafus, there are also remedies.

According to the roadmap:

The concept of reliability is a key cloud computing element addressed by practically every provider’s SLAs, but how it is defined, what is being measured, and the associated guarantees vary widely. Customers are faced with evaluating different SLAs with cloud providers defining reliability using different terms (uptime, resilience, or availability), covering different resources (servers, HVAC systems, customer support), covering different time periods (hours, days, years), and using different guarantees (response time versus resolution time). SLA ambiguities leave the customer at risk.

4. Defining the terms

Confusion about just what a Platform-as-a-Service, Software-as-a-Service, and Infrastructure-as-a-Service is or does will only continue as vendors churn out new (insert your favorite term) as-a-Service offerings. On the NIST to-do list is a clear and consistent categorization of cloud services so buyers will understand what it is they are buying.

Currently, consumers must seek to understand cloud services through the customized view presented by each service provider. Moreover, while many vendors seek to establish new categories of service, which would improve their market positioning, it is not clear that any proposed categories are unique and not included in the existing three primary services. Examples of proposed additions include Data as a Service, Network as a Service, Service as a Service, and more. The result is a confusing landscape of possible cloud services.

This all needs to be cleared up, according to the report, so that potential customers can make meaningful comparisons between like services. And there is some thinking that the whole “*aaS” model of layered services — from infrastructure up to applications — will be outdated.

5. What’s it all mean?

Measured by sheer amount of verbiage — two volumes weighing in at about 120 pages, with a third volume to come — the NIST effort is impressive. There is undoubtedly a real need for realistic definitions and terminology. But much skepticism remains about how well a government entity can realistically assess cloud technologies. The choice between vendor-generated hype that muddies the waters for IT buyers evaluating cloud deployments and a government-led bureaucracy generating check-box lists and definitions isn’t a pleasant prospect for anyone.