Betting on Cloud Services?

Published: January 10, 2013

Cloud Computing, Cybersecurity, Innovation

A recent headline heralded 2013 as the “Year of the Cloud Broker.” Suggestions like this seem to follow the line of thinking that as government cloud investments expand, the market for cloud brokers will explode to outpace other cloud market sub-segments by 2015. Meanwhile, agencies are still wrestling with the potential responsibilities of cloud service brokers. In several instances, they’ve opted to set up shop in house. That raises the question: regardless of how much of the market it comprises, will that piece of cloud computing services even be addressable by contractors?

At times, watching the motions of the dynamic between government and industry has been reminiscent of a simple Shell Game: We start with three shells – let's say they represent the roles of Cloud Service Providers, Cloud Service Brokers and Cloud Service Assessors. A pea hidden under one of the shells will stand in for government spending (or alternatively, contractor profit). The Federal Government fills the role of the Operator who shuffles around the shells. The final role in the game is played by Industry, as the Audience casting bets as to which shell holds the pea. The Audience is led to believe that they will be able to increase their money if they bet on the right shell, so contractors invest in capabilities aligned to the various cloud service roles. The prospect of doubling your investment sounds enticing, but in this game, it’s really up to the Operator to determine who wins.
Stretching this analogy a bit, I have to point out that the shells are still in motion. We know that government agencies are spending on cloud services, but how these other roles (brokers and assessors) fit into the situation is still taking shape. Until it’s clear how these roles hang together, the pea could be anywhere (or nowhere).
Cloud Service Providers
To date, agencies have largely invested directly in cloud services. While solutions for email, collaboration, web hosting and document management have been popular, new budget documentation guidance will start to frame all IT projects in relation to cloud investments. Under that guidance, released by the Office of Management and Budget last August, agencies will be tasked with detailing the “Agency Cloud Computing Portfolio” as well as documenting the results of cloud alternative analysis. Between consolidation efforts and new budget guidance, spending may shift both in overall levels and in the ratios between types of services and delivery models.
Cloud Service Assessors
Early government adopters of cloud computing were responsible for defining their own requirements and evaluating cloud services. Repeatedly completing the certification process was both time-consuming and costly. Going forward, federal cloud computing systems will need to meet security controls outlined by the Federal Risk and Authorization Management Program (FedRAMP). This “do once, use many times” approach for security certification relies on third-party assessment organizations (3PAOs) to confirm that providers comply with security baselines. It’s worth noting that not just any group can perform these assessments. The FedRAMP office has accredited 15 vendors and one government agency to complete these evaluations. Vendors need to follow guidelines to ensure the independence of their assessment organizations. It’s important to keep in mind that while this is tangent to the federal cloud market, by and large, the Cloud Service Providers will be footing the bill for these assessments. Assessment fees vary across vendors and depend on the size and complexity of systems being reviewed.
Agencies are faced with mandatory compliance with FedRAMP. Once the program is fully operational, agencies will need to ensure their cloud service providers are FedRAMP approved. The provisional awards for Authority To Operate (ATO) are just being issued. (The first was announced at the end of 2012.) It’s possible that as many as a dozen ATOs will be awarded by the end of 2013. In the meantime, agencies have a 2-year window to evaluate their cloud requirements and make sure their contracted services meet security standards.
Cloud Service Brokers
As agencies get a handle on their cloud portfolios, they will look for ways to improve cost savings. Back in September of 2011, the National Institute of Standards and Technology included a definition of Cloud Service Brokers (CSB) in the Cloud Computing Reference Architecture. The NIST definition provides a strategic view of the CSBs along with three categories of services that might be provided. The broker would help agencies to procure cloud services more smartly by streamlining to improve strategic fit. The definition helped to identify a needed role, but it stopped short of specific responsibilities or contracting models.
Last year, in a memorandum released June 26, the Defense Department announced that the Defense Information Systems Agency (DISA) would fill the role of DOD Enterprise Cloud Service Broker (CSB). Then, in August, DISA issued a Request For Information (RFI) to identify cloud services and products that would facilitate their CSB function. Similar moves to establish in-house brokers were made by the National Aeronautics and Space Administration, the Department of Energy’s National Nuclear Security Administration and the Recovery Accountability and Transparency Board. But something curious happened in July 2012. The General Services Administration also issued a request for information on the subject of cloud brokers. However, GSA was looking to industry to define potential roles and responsibilities for CSBs; specifically how contracting might work and what daily operations might look like. GSA received 79 responses (1,467 pages of material) by the end of the year. There’s a lot of buzz around the potential market for Cloud Service Brokers, but for now it’s just buzz and potential.
The Payout
Let’s return to the Shell Game for a moment. As you consider where that bet is placed, what the payout will look like is both difficult and important to determine. That uncertainty is partly due to market maturation and partly to other powerful drivers, like constricting financial resources. The current budget environment has agencies looking for savings and efficiencies, which equates to trying to keep the odds in their favor to minimize payouts. And, ultimately, the agencies will determine who wins.
Vendors that have received accreditation as an assessor or provisional authorization under FedRAMP will be well positioned to pursue cloud opportunities as agencies continue advancing adoption, migration and compliance of their cloud environments. While the role of brokers is still in question, the vendors that grasp and adapt to respond to the concerns surrounding the role of cloud brokerage will be able to leverage their insight regardless of whether the role is filled by government or industry.