February 2012

The Cloud Imperative Better Collaboration Better Service Better Cost

TechAmerica Foundation 601 Pennsylvania Avenue, NW North Building Suite 600 Washington, DC 20004 A Comprehensive Guide for Best Practices in Cloud Computing for State and Local Governments

Prepared by TechAmerica Foundation’s State & Local Government Cloud Commission (SLG-CC) Acknowledgements

TechAmerica Foundation gratefully acknowledges the contributions of the dedicated professionals who made possible this report, specifically the Commissioners, Deputy Commissioners, and Government Advisors. Each generously shared their deep knowledge and long experience with state and local government technology issues and implementations. Through their leadership and broad participation, we realized the mission of this Commission.

Leadership

Chair Vice-Chair Vice-Chair Tarkan Maner Daniel Kent David L. Cohn Wyse Technology, Inc. Cisco Systems, Inc. IBM

Commissioners

Andrew Walker Scott McIntyre Kevin Paschuck 42six Solutions Google Oracle Corporation

Kim Niederman Steven Perkins bill birnie 8x8, Inc. Grant Thornton LLP Panasonic Systems Networks

Tom Davies Jim Sweeney Jack O’Connor ACS, A Xerox Company GTSI SAIC

John Stuhrenberg W. Wyatt Starnes Jacqueline Vanacek AT&T Harris Corporation SAP AG

PG Menon bob Otterberg Ned Miller Brocade HP Symantec Corporation

William F. Clark JP balakrishnan Ashok balasubramanian CA Technologies Infosys Public Services Syntel

Sean rhody rick Herrmann robert Geiger Capgemini Gov’t Solutions Intel TransLattice, Inc.

Aldona Valicenti Michael L. Moore David Asprey CGI KPMG LLP Trend Micro

Gareth Patterson richard Johnson Steven Peacock Cognizant Technology Solutions Lockheed Martin IS&GS Unisys Corporation

Kevin Hanes Stuart McKee John Considine Dell Microsoft Verizon

Paul Clemmons Winston Damarillo Sean Jennings Deloitte Consulting LLP Morphlabs Virtustream bethann Pepoli Jim Acquaviva EMC Corporation nCircle

State & Local Government Cloud Commission Staff

Carol Henton Michael Kerr TechAmerica Foundation TechAmerica Foundation

The Cloud Imperative: Better Collaboration, Better Service, Better Cost Executive Summary and Foreword

Just as political, social and economic structures change and transform society, Information and Communication Technology (ICT) has rapidly evolved to better address consumer and organizational needs. ICT’s most recent redefinition has taken shape faster than ever because technology innovation cycles are shrinking. Toward the end of the last decade, a substantial innovation cycle began with three major simultaneous paradigm shifts: wide-spread use of social media, ubiquitous mobility and pervasive big data.

Now add a fourth sweeping trend to the disruptive technology mix: cloud computing.

While some initially saw the cloud excitement as mere hyperbole, those who have used cloud to solve real-world problems have proven otherwise. Many organizations are realizing important benefits through improved service driven by improved collaboration and integration — all while enjoying the benefit of lower cost. Through shared platforms capable of delivering ICT applications and services, state and local government organizations can do the same.

The timing is fortuitous. Political, social and economic realities are driving federal, state and local governments both to improve services and to save money. Cloud can do both.

Sensing the convergence of these business and technology trends, in September 2011 the TechAmerica Foundation formed a group of experts to develop guidance for helping state and local governments evaluate, adopt and implement cloud computing. This State and Local Government Cloud Commission (SLG-CC) initiative follows the Foundation’s earlier release of a blueprint for the U.S. federal government’s adoption of cloud computing, which supported the Obama Administration’s cloud-first strategy for government technology and for driving U.S. commercial leadership and innovation.

Tarkan Maner, President and CEO of Wyse Technology, leads the Commission. David L. Cohn, Ph.D., Program Director, Smarter Cloud, T.J. Watson Research Center, IBM; and Cisco’s Public Sector CTO, Daniel Kent, co-chair the Commission. Numerous experts drawn from business, government and industry serve as SLG-CC Commissioners and Deputy Commissioners (A list of Commissioners and Deputy Commissioners is available at the back of this report and on the Commission’s website: SLG-CC Community Portal).

TechAmerica Foundation I SLG Cloud Commission Big Data/ Improved Intelligence Collaboration

Secure Cloud Secure Cloud Computing Computing Frameworks Frameworks Social Mobility and Improved Lower Total Media Consumerization Service Cost of Ownership of IT

Global IT Mega Trends for Mega Business Benefits

This paper is a distillation of the SLG Cloud Commission’s computing for state and local governments. Rather, they will efforts. It addresses cloud access and deployment challenges create a knowledge framework for cloud computing. From the that are unique to states and localities — including start, the Commission has collaborated with leading state and procurement practices — and provides recommendations for local government policy makers, ICT executives and vendors surmounting barriers. In producing its recommendations, the to build a basis for further collaboration and idea exchange. Commission considered delivery of critical services to the The Commission believes cloud computing and its surrounding public, such as healthcare, human services, and education, technologies will continue to evolve rapidly. As needs and and discussed ways that large, complex programs can best requirements change, technologies and processes will leverage the cloud. respond. The Commission is dedicated to further develop this paper and the web platform for future needs. While the paper addresses technical subjects, it also covers business and policy issues for a broad audience. A document A final thought: This report and its companion web platform targeting only technologists would do little to move the are called: “The Cloud Imperative: Better Collaboration, Better adoption of cloud computing forward or speed the delivery of Service, Better Cost.” The Commission encourages state and enhanced government services to constituents. Building on local governments to engage on cloud and, quite frankly, to join its knowledge of technology innovation and business process the cloud revolution. While not the last word on this important re-engineering, the Commission seeks to establish a widely subject, this white paper does mark the start of an on-going shared communication process that draws all state and local public/private dialogue, describing the business impact stakeholders into a common cloud computing vision: better of cloud computing, providing best practices and allowing collaboration within and between government agencies; better government employees to leverage what others have done. service to government employees, to the public and to citizens; and all delivered at a better cost to taxpayers. So welcome to the cloud…and to the transformation of ICT- based services in state and local government. This paper and the related web portal will not answer all of the questions or address all of the issues around cloud

Tarkan Maner David L. Cohn Daniel Kent Jennifer Kerber President, CEO and Chief Program Director, Smarter Cloud Director, Public Sector Solutions President Customer Advocate T.J. Watson Research Center & Federal CTO TechAmerica Foundation Wyse Technology, Inc. IBM Cisco Systems, Inc.

The Cloud Imperative: Better Collaboration, Better Service, Better Cost Table of Contents

Introduction: Cloud for State & Acquiring the Cloud ...... 21 Local Government ...... 1 Selecting Procurement Vehicles Deployment Model Considerations Understanding Cloud Technology ...... 7 Architecture Design Considerations Picking the Right Cloud Solution Key Contractual Terms Physical Layer Considerations Abstraction Layer Considerations Funding Streams Service Models Takeaways and Recommendations Service Layer Key Technology Issues Final Summary and Conclusions ...... 29 Portability Security and Privacy Appendix I ...... 31 Data Protection State and Local Government Cloud Examples Identity Management Security Incident Response Vulnerability and Risk Management Appendix II ...... 39 Takeaways and Recommendations Follow Up Links and Resources

Implementing the Cloud ...... 13 Cloud Readiness Assessment Risk Management and Governance Implementation Best Practices Preparing and Planning Implementation and Deployment Program and Project Management Managing Culture Change Managing Process Transformation Operations Takeaways and Recommendations

TechAmerica Foundation I SLG Cloud Commission

The Commonwealth of Virginia migrated its procurement process for 171 organizations to a cloud solution, saving $30M annually. Its “eVA” has become a benchmark for other states in their cloud strategy and initiatives.

Cloud for State & Local Government

Despite today’s budget constraints, some state and local governments have won “good government” awards and industry recognition for delivering more services more efficiently to more citizens at lower cost.

How have they earned such distinction in today’s economic climate?

They have been moving to the cloud.

For education, health and human services, public safety and even email — moving ICT to the cloud can transform a discouraging budget shortfall into a world-class result.

This report shows how state and local governments can use cloud computing. It explains what cloud is and how it can transform government. It identifies successful uses of cloud and sources of advice on how to better serve citizens — and annually save up to tens of millions of dollars. It shows that cloud’s support for enhanced collaboration and improved services make it an imperative for state and local governments.

Background

Governments, like other organizational users of information technology, have traditionally purchased and operated their own hardware and software. With the new cloud computing approach, a provider entity offers some or all of these ICT resources as a service, reducing what the government must do for itself. The provider supports a group of cloud consumers, reducing cost, increasing flexibility and promising improved operations. Like all new technologies, cloud raises important questions and poses novel concerns, but it also offers compelling opportunities. This report draws on industry experts and early adopter experience to help state and local governments answer questions and resolve concerns so they can benefit from opportunities.

TechAmerica Foundation I SLG Cloud Commission 1 TechAmerica Foundation’s Cloud Commission for State and colors) each handle their own hardware and software (shown Local Government examined five key aspects of cloud: in the consumers’ colors).

Issues for State and Local Government — Key concerns With cloud computing, some or all of these resources are and benefits of cloud computing for governments. provided as services in one of three cloud service models. For Technology for Cloud Computing — Key technical issues to example, a cloud provider could handle just the basic hardware consider when moving to cloud computing. and operating system (OS) layers, offering Infrastructure as a Service (IaaS) as shown Figure 2. The figure uses white for the Implementing the Cloud — A four-stage management hardware layer since there is not a separate, physical hardware structure for transition to cloud. box for each consumer. Rather, a special software layer Acquiring the Cloud — Procurement vehicles, business creates multiple virtual hardware and operating system images models, funding streams and contractual terms for cloud. on a single computer. This process of virtualization is critical Case Studies & Success Stories — Examples of how state to giving cloud its key features. With IaaS, the consumer and local governments are acquiring and using cloud. manages the middleware and applications, but leaves the hardware and (usually) the operating system to the provider. In addition to this paper, the Commission is creating the This is important for those consumers (like start-ups creating SLG-CC Community Portal (www.cloud4slg.org), an on-line web sites) that want specific middleware or need to scale ICT repository of real-world experiences of state and local resources automatically to meet varying demand. government with cloud. It will add case studies and resources and cultivate a community of interest spanning governments and technology providers.

APP APP APP APP APP APP Defining the Cloud Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Many forms of cloud are available today. There are clouds to host start-ups’ new web sites, clouds to store individuals’ APP APP APP APP APP APP photographs, clouds to deliver software applications, Middleware Middleware Middleware even clouds that host entire enterprise and government Hardware & OS Hardware & OS Hardware & OS infrastructure. In each case, cloud provides attractive economies of scale, giving consumers what they want when they want it at reduced cost. Cloud solutions will also provide significant value to state and local governments. Of course, Figure 2 Public Cloud for Infrastructure as a Service neither cloud technologies nor governmental operations are simple, and the transition from traditional information technology to cloud must be handled with care and concern. Customers who can use standard runtime platforms may choose a Platform as a Service (PaaS) cloud like that in Figure Some simplified figures will illustrate various ways cloud can 3. The provider offers a standard middleware platform (shown deliver services and indicate the responsibility of providers in grey) on which applications can be run. Consumers focus and consumers. Figure 1 shows the traditional approach to on the application software and leave platform management information technology where states and localities (in different to the provider.

APP APP APP APP APP APP APP APP APP APP APP APP

Middleware Middleware Middleware Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS

APP APP APP APP APP APP APP APP APP APP APP APP

Middleware Middleware Middleware Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS

Figure 1 Classic Computing without Cloud Figure 3 Public Cloud for Platform as a Service

2 The Cloud Imperative: Better Collaboration, Better Service, Better Cost INTRODUCTION

Increasingly, software developers are delivering their A community cloud is a compromise between the public applications as services, allowing consumers to dispense and private deployment models. It restricts availability only with on-site computing resources. Figure 4 shows such a to a selected set of consumers with shared concerns (like Software as a Service (SaaS) cloud (where everything is grey). agencies of a state government or municipalities in a region), Its applications often support new capabilities like multi- and hosts only approved applications. Figure 6 uses a green tenancy that allows multiple consumers to safely share single fi eld to indicate the community of consumers that can access application instances at lower cost. this Software as a Service community cloud.

APP APP APP APP APP APP APP APP APP APP APP APP

Middleware Middleware Middleware Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS

APP APP APP APP APP APP APP APP APP APP APP APP

Middleware Middleware Middleware Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS Hardware & OS

Figure 4 Public Cloud for Software as a Service Figure 6 Community Cloud for Sofware as a Service

A cloud can be available in one of four deployment models As cloud becomes more common, multiple clouds will likely which determine who can use its services. A broadly available be combined in a hybrid cloud deployment model to further public cloud (like those above) is open for use by the seamlessly and transparently extend ICT capacity. general public. A large organization, like a major commercial enterprise, may want its own private cloud where all users are part of that organization. As shown in Figure 5, a private cloud Benefi ts for State and Local Governments tightens the trust scope, but reduces economies of scale and These are diffi cult times for state and local governments. leaves data center ownership, maintenance, housing and Budgets are down and needs are up — creating pressure to operations in the hands of the consumer. do more with less. Cloud computing can help with budgets, starting from day one.

Reduced operating expenses — Most state CIOs agree that

APP APP APP APP APP APP “controlling IT costs” is key. Cloud computing leverages economies of scale and uses consolidated, centralized Middleware Middleware Middleware computing resources to minimize ICT cost. A Brookings Hardware & OS Hardware & OS Hardware & OS Institution study pegs these cloud-specifi c public agency APP APP APP APP APP APP savings at 25–50%.1

Middleware Middleware Middleware Hardware & OS Hardware & OS Hardware & OS Governments are essentially information-driven businesses, but they’ve generally been ineffective users of information. In fact, when the 9/11 Commission wanted to help governments improve terrorism defenses, they said:

Figure 5 Private Cloud for a Single Consumer 1 Darrell M. West, “Saving Money Through Cloud Computing,” Brookings Institution (April 7, 2010). www.brookings.edu/~/media/Files/rc/papers/2010/0407_cloud_ The state of Michigan built its award-winning MiCloud computing_west/0407_cloud_computing_west.pdf Automated Hosting Service to deliver Infrastructure as a Service to state agencies in a shared services community cloud. Their next steps include building a hybrid model to extend IT capacity even further to support ongoing agency transformation projects.

TechAmerica Foundation I SLG Cloud Commission 3 “The culture of agencies feeling they own the information they Issues for State and Local Government gathered at taxpayer expense must be replaced by a culture in which the agencies instead feel a duty to the information — to Some cloud computing issues are particularly important for repay the taxpayer’s investment by making that information state and local governments. Governments want effi cient available.”2 and effective operations, but they also are committed to the welfare of their communities. Thus, even though cloud computing can shift or reduce workload in some areas, it can Today, cloud is helping government improve public safety. foster innovation and create even more jobs in others. With For example, the Lake Havasu, Arizona police department proper planning, the transition to cloud can include provisions migrated its email and other applications to the cloud so for staff involvement and skills enhancement to produce a that law enforcement could access information anytime, substantial contribution to economic development. anywhere from their vehicles or smart phones to better “protect and serve.” The City and County of San Francisco has invested in And Castle Rock, Colorado is accessing sister city Aurora’s implementing cloud certifi cation training tracks for IT COPLINK software in the cloud to improve crime-fi ghting with support personnel as part of its “Cloud First” policy. Helping comprehensive information sharing and collaboration among staff learn new, updated skills to better position themselves all levels of state and national law enforcement and public for future cloud initiatives is a critical element of the overall safety agencies. success of “Cloud First.”

Additionally, when the Texas Workforce Commission Cloud computing won’t directly change government culture, but migrated its email to a SaaS service, not only did they not it will provide a platform that eases culture change. incur any new project costs, but they also lost no jobs while Improved information use — Cloud replaces stand-alone achieving a clear and measurable annual cost savings. business processes and data systems with centralized resources, including information. This will improve access State and local laws often dictate how governments buy to data, help employees do their jobs and enhance things, sometimes complicating the acquisition of cloud constituent interaction with government. computing. By acting together, governments and industry can develop contractual and services standards to ease this Sharing information is a beginning, but cloud can do more. As process. Procurement models like those developed for the the National Association of State CIOs (NASCIO) wrote: Western States Contracting Alliance (WSCA) have worked well “Cloud computing is a technology strategy that enables for other types of ICT purchases, and can be replicated for more than simply optimizing computing utilities. It enables cloud. strategies for optimizing government business services, and One of cloud’s great strengths for governments is to be achieving new levels of orchestration of government services a catalyst for collaboration. Today, many governments across a state, a region and even nationally.”3 are “siloed,” with limited information sharing between, This will take time and effort, but it should be a goal of any and even within, departments and agencies. Mayors and cloud implementation. governors have repeatedly said they want cloud to integrate information across their cities and states. A regional group Increased government effectiveness — Cloud supports of governments could create a community cloud for sharing resource sharing between and among units while services and for improved, information-based cooperation. preserving their independence and data integrity. It simplifi es collaboration within and across governments All organizations want the information they place in a cloud and helps identify and implement best practices. Globally, to be secure, but governments have particularly tough governments are using cloud computing to better protect security and privacy requirements. They may need to keep their citizens and make their cities more resilient. sensitive information inside geographic limits or even within designated buildings. Some information, like public safety data, educational histories and healthcare records, needs 2 The 9/11 Commission Report, p. 417. tight privacy protection, and cloud computing can provide it. www.911commission.gov/report/911Report.pdf Given the sensitivity of government offi cials to public opinion, 3 Eric Sweden, “Capitals in the Clouds, Part III, Recommendations for Mitigating Risks: Jurisdictional, Contracting and Services Levels,” these privacy and security issues must be fully, clearly and NASCIO (2011). openly addressed. www.nascio.org/publications/documents/NASCIO_ CloudComputing_PartIII.pdf

4 The Cloud Imperative: Better Collaboration, Better Service, Better Cost INTRODUCTION Located in a hurricane zone, New Hanover County, North Carolina moved email and collaboration apps into the cloud to ensure that critical communication infrastructure was “always on” to respond and mobilize in emergencies.

Technology for Cloud Computing Implement the Solution — Help technical work proceed according to plan using proven practice and accepted Cloud consumers don’t deal directly with technical details. The standards. cloud provider manages the facilities, selects and maintains Operate Cloud Solution — Meet objectives by carefully the hardware and delivery software, handles communication transforming culture and business processes. with vendors and owns the service delivery elements. These matters are reflected in the service levels that the provider guarantees for the consumer. These are somewhat technical Acquiring the Cloud and include considerations like system responsiveness, expected “up time,” communication speed and service Buying cloud solutions can be complex for state and local reliability. governments. However, alignment between government and industry on definitions, approaches and purchasing There are, however, technical aspects of a government’s mechanisms will allow broader acceptance, adoption cloud decisions that need to be understood even by policy and utilization of cloud. Eventually, buyer’s guides and makers. For example, the selection of the appropriate cloud standardized service definitions can identify vetted cloud service model depends, in part, on the technical responsibility providers for the more common services. a consumer can accept. With IaaS, the consumer doesn’t operate a full computing center but does need to install and Classic government procurement vehicles for ICT are generally manage some system software, middleware and applications. ill-suited to cloud computing. They’ve been used, but can be A PaaS cloud can be used to develop and run custom slow and must add conditions on portability, security, privacy applications, and only requires managing applications. With and service levels. Cloud-specific procurement vehicles have SaaS, the consumer can focus on the operational aspects of also been developed, typically for services shared by multiple using the applications. departments. Cross-government consortia and the federal government are beginning to help states and localities more Regardless of which service model is used, cloud consumers easily purchase cloud solutions through new procurement must understand how their provider supports these functions: vehicles.

Portability — The cost and complexity for the consumer to Since cloud consumers must trust their data to the cloud change providers. provider, data governance is key to any cloud purchase. This Service Management — Service acquisition and monitoring broad and evolving discipline ensures that only the right and user identification. Security — Consumer and provider roles in assuring an Assess acceptable level of protection. Cloud Readiness Privacy — The collection, communication, use and Operate Assess disposition of personal information. Cloud Risk and Solution Plan Governance Implementing the Cloud Implement the Transitioning to cloud pays increasing dividends as more Solution processes are migrated. With foresight and planning, the initial steps will provide savings to help fund follow-on activities. The four-phase management framework in Figure 7 Figure 7 Cloud Implementation Lifecycle can assure successful cloud deployment.

Assess Cloud Readiness — Identify business goals, ICT imperatives and level of current cloud maturity, and plan transition to desired ICT process maturity. Assess Risk and Plan Governance — Early focus can eliminate undue risk and help meet target standards and requirements.

TechAmerica Foundation I SLG Cloud Commission 5 users have the right access to the right data. Private clouds Analysts are predicting the broad emergence of regional cloud minimize data governance concerns, but still must assure hubs where one government agency provides cloud-based proper access control. Community clouds that follow a computing services to others within its home state and across common data governance structure mitigate data security and state lines.4 multi-tenancy issues. Public clouds are less controlled, and governments tend to use them only for non-sensitive data. 4 Best Practices: Regional Community Cloud Hubs — The New “Trickle Down” Effect That’s Boosting State and Local Computing, IDC All cloud consumers must consider the pricing model and Government Insights, Document #G1232470. required service levels, and purchase agreements should also include terms of disengagement and provisions for sensitive data. Governments may want to specify cloud location and ownership as part of their purchase, explicitly require data and asset segregation policies, and stipulate background checks for support personnel. For instance, privacy laws are very different in the U.S. versus the European Union versus China. Knowing where one’s data sits in the cloud as part of the contracting process is a necessary step to ensure data privacy.

There is significant value in collaboration within and among governments on cloud acquisition. Joint efforts have addressed the concerns of risk-averse officials about portability, security and records management. Together governments are realizing the benefits of cloud, saving taxpayer dollars and delivering better and broader services.

Google provides innovative technologies that help government agencies organize information and make it accessible and useful to citizens and to authorized government employees.

Google’s solutions for search, geospatial data, communication, and collaboration are easy to use, quick to deploy, fast, and scalable.

Learn more at www.google.com/apps/government.

© Copyright 2012 Google. All rights reserved. Google and the Google logo are registered trademarks of Google Inc.

6 The Cloud Imperative: Better Collaboration, Better Service, Better Cost In considering the right cloud computing option, the services must enable the customer to port solutions and change cloud providers as necessary; to manage, monitor and meter demand; to assure an acceptable level of security; and to safeguard the handling of personal information.

Understanding Cloud Technology

Cloud providers make cloud services available to users, including state and local government employees and the people who depend on state and local government services. Cloud providers represent, therefore, the technology backplane on which cloud services are built and delivered. Service deployment can take the shape of public, private, community or hybrid clouds.

The most common cloud models are:

1. Public Cloud — A public cloud is one based on the standard cloud computing model in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.

2. Community Cloud — Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the benefits of cloud computing are realized.

3. Private Cloud — Private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally

4. Hybrid Cloud — Hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. It can also be defined as multiple cloud systems that are connected in a way that allows programs and data to be moved easily from one deployment system to another.

TechAmerica Foundation I SLG Cloud Commission 7 Abstraction Layer Considerations

Software is used to simulate and manage physical resources. The cloud provider uses software to access and control the physical environment. Software “abstractions” like hypervisors, virtual machines and virtual data storage enable the one-to-many scale up of infrastructure that lies at the heart of cloud computing. Virtualization technologies impact utilization and performance, virtual machine portability, virtual machine management, scalability, interoperability, supportability and cost.

Service Models

There are three cloud service models:

1. Infrastructure as a Service (IaaS) — cloud providers deliver compute infrastructure, storage and networking as a service. Rather than purchasing servers, software, data- center space or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis; the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. IaaS is ideal for customers who want to retain control over their applications and data.

2. Platform as a Service (PaaS) — cloud providers deliver a computing platform and/or solution stack as a service. PaaS is ideal for customers who want to focus on development and deployment of applications and want to eliminate the Using these service definitions, a state and local government cost and complexity of buying and managing the underlying agency — recognizing that it will ultimately maintain an active hardware and software layers. role in planning, overseeing, monitoring and assessing cloud performance — begins to determine the type of cloud service 3. Software as a Service (SaaS) — cloud providers deliver configuration that most closely matches its requirements. software as a service over the Internet. SaaS is ideal for customers looking to utilize software and only worry about data. Examples of SaaS include Email as a Service (EaaS) Picking the Right Cloud Solution and Data as a Service (DaaS). Service Orchestration and Service Management Service Layer Physical Layer Considerations Interfaces allow cloud users to access the cloud services. The determination process begins by considering the physical Under SaaS the cloud user enjoys network access to a variety information technology resources like computers, storage of off-the-shelf and custom-built applications. Thus users need and networks and facility resources like HVAC units. Critical technologies that enable web access, central management, considerations are the ability of the cloud provider to manage automated upgrades and patches, and application program performance, to provision and de-provision physical resources interfaces for enterprise integration. on demand and to handle diverse workloads. A cloud provider’s performance management technologies should be In the PaaS service layer, cloud users have access to the tools sufficient, for instance, to assure resource isolation and Wide and execution resources required to develop, test, deploy and Area Network (WAN) optimization. manage the applications hosted in a cloud environment. For platform management and configuration technology, using virtual machines as the basic building block but customizable through templates should be the primary focus.

8 The Cloud Imperative: Better Collaboration, Better Service, Better Cost UNDERSTANDING When Larimer County, Colorado built its PaaS solution to centralize constituent data sharing between non-profit agencies to streamline authorization and distribution of food, clothing and housing assistance to needy families, data security was key. The PaaS model allowed IT staff to tailor different levels of secure data access by type, agency and use, while still enjoying the “IT mass customization” benefits of the cloud deployment model. This was critical since some sensitive data could only be made available to select agencies on a case-by-case basis.

Users of IaaS services have access to virtual computers, associated data from one PaaS environment to another. Here, network-accessible storage, network infrastructure proprietary development environments and middleware may components, and other fundamental computing resources lock-in cloud users or force them to re-write code and retrain on which they can deploy and run systems and software. programmers in order to move to a new platform. Exacerbating Agencies utilizing IaaS environments should be most this situation is the fact that service providers may choose to concerned with technologies for provisioning, monitoring, differentiate themselves by offering a wide array of “platform metering and migration of compute, storage and network services” — most of which are likely to be proprietary features capabilities. which can quickly result in service provider dependency and lock-in. Users should consider open source solutions and In considering the right cloud computing option, the services platforms that support industry standards like Open Stack to must enable the customer to port solutions and change avoid vendor lock-in. cloud providers as necessary; to manage, monitor and meter demand; to assure an acceptable level of security; and to safeguard the handling of personal information. SaaS and Portability

Cloud users at the SaaS level lose additional control because Key Technology Issues commercial off-the-shelf (COTS) software can be configured but not customized. The user cannot control the actual Portability software application or the data structures used. Portability in the SaaS service model is the ability to migrate data (since Migrating to and from cloud computing environments is, applications are not owned) to another service provider’s first and foremost, the responsibility of the customer. SaaS environment — perhaps running the same core COTS The customer must evaluate the best solutions and their application, or one that provides similar functionality (e.g. ramifications. CRM application) — without a loss of data or end-user functionality. IaaS and Portability

With the cloud user controlling the database, middleware Security and Privacy and software in the IaaS service model, portability concerns While security and privacy issues like authentication and might appear to be minimal. But the reality is that the desired authorization are not new, they require new perspectives in the portability objective in the IaaS service model is a layer cloud environment. For instance, the opportunities for central lower than these resources, concerning the ability to move authority implicit to cloud computing increase options for virtual machines to and between different cloud platforms coordination, standards adoption and allow enhanced security and providers and thereby avoid lock-in. Most enterprise certification. application solutions require tightly coupled multi-tiered server models that are supported by virtual networks. All such Like other users, state and local governments need to be relationships and controls must also ‘port’ with the machine aware of the security questions and issues associated with images for a successful re-deployment. the cloud, regardless of the deployment model, and what technologies are available and deployed to overcome these PaaS and Portability challenges. Straight talk, supported by plenty of case studies, can help reduce security and privacy concerns. In the PaaS service model the cloud user no longer controls the platform (database, middleware, development Thus, cloud users needs a clear security policy. This policy environment, and related resources). In the PaaS service should cover all security relevant aspects of information model, the user seeks the ability to migrate an application and security, including personnel, information, facilities, hardware and software. The user cannot simply sign away organizational

TechAmerica Foundation I SLG Cloud Commission 9 Top issues impacting security and privacy in the cloud include: • Data Protection Disruptive • Identity Management • Security Incident Response /dis•rup•tive/ • Vulnerability and Risk Management adjective The following sections address some of the security issues for 1. characterized by unrest or disorder, each of these topics and the technology implementations that help address them. as in Disruptive IT trends on the horizon Syn: cloud computing, mobile devices, social Data Protection computing, IT appliances, IT consumerization, Data protection is a common security concern when moving cybersecurity data and applications to the cloud. Whether data resides in a dedicated private cloud environment or a shared multi-tenant environment, cloud users must ensure that their data are properly stored and located, consistent with state and local legal requirements; protected and isolated while residing in Learn more at: the cloud; that records get legitimately deleted when no longer http://www.disruptiveittrends.com/trends/cloud needed; and, that the storage space is properly sanitized once the data are removed from the cloud.

Identity Management

When organizations utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication- related challenges such as credential management, strong responsibility for information security. Best practice requires authentication, delegated authentication, and managing that the user retain a role in governance, defining an overall trust across all types of cloud services. Managing identities security program and policy covering all lifecycle activities. and leveraging directory services to provide access control Policies must be visible throughout the organization, carry is essential for effective cloud security. State and local the weight of management, and assign responsibilities. government agencies should verify that their cloud environment Policies should be updated as needed, and they should be (whether private or public) supports at least one of the supplemented by the use of standards, procedures, and prominent standards (SAML — Security Assertion Markup related guidelines that enable implementation of policy. To Language, WS-Federation, or OAUTH) for identity management. the extent that the cloud service provider performs a security function or activity, the user must be able to point to the Security Incident Response relevant service provider policy or service level agreement (SLA) and monitor changes. Proper and adequate incident detection, response, notification, and remediation are required when migrating Because security will likely be a shared responsibility, the workloads to cloud computing. State and local governments user organization should select a cloud service provider must understand and negotiate adequate contract provisions based in part on the provider’s attention to security and and procedures for incident response. At the same time, how it compares to current practices, including the ability to cloud providers must have a transparent response process leverage security capabilities built into cloud access devices. and mechanisms to share information with their subscribers The provider should make key security practices reasonably during and after the incident. Still, many incident response transparent to the user, including information about risk considerations are directly related to the technologies assessment, control, practice and incident response. employed in the cloud environment.

Incident response in cloud environments requires sound infrastructure management coupled with robust monitoring and alerting. For internal clouds, organizations need to have

10 The Cloud Imperative: Better Collaboration, Better Service, Better Cost UNDERSTANDING strong management capabilities and visibility into their Key Takeaways systems. Virtualization tools enable organizations to run their infrastructures and setup their own monitoring. Some • Deployment models take the form of public, private, of these tools include virtualization-specific log management community or hybrid clouds; and intrusion detection, data leakage protection, security • Service models take the form of IaaS, PaaS, and SaaS; event management, anti-malware and quarantine capabilities (including Network Access Control, or NAC). • Hardware standardization is important but not always available. Easily replaceable, commodity hardware and solutions that support open standards are a must in cloud Vulnerability Assessment and Risk Management environments; One of the keys to ensuring that a cloud service is protected • The virtualization software used to access and control from vulnerabilities is employing a continuous monitoring hardware is a primary cloud evaluation consideration; approach. Continuous monitoring refers to the ongoing • Migration and portability from one cloud environment observation of an organization’s networks, information, and to another is the responsibility of the customer. Each systems. It allows for responses that accept, transfer, or cloud service level represents its own special portability mitigate risk as situations change. challenges; Continuous monitoring helps manage risk by allowing agencies • Cloud computing increases the need for due diligence with to prevent data loss, respond rapidly to attacks, and predict respect to security coordination, standards adoption and future threats. While continuous monitoring alone does not certification. Cloud users should create clear security and provide a comprehensive, enterprise-wide security solution, identity management policies and insist on the same from it is a key component in the SLG cloud risk management providers; strategy. Continuous monitoring is essential for protecting • For data protection in the cloud, data retention records all elements of a cloud environment. Continuous monitoring need to be maintained and data should be isolated, should be employed at a minimum for change management encrypted and sanitized and removed when necessary. and vulnerability assessments.

Almost all security issues can be detected and mitigated Recommendations Recap by simply detecting change in an environment. Changes Picking the right deployment and service models should be in firmware and software can open holes in a security • a primary consideration; implementation that, if undetected, can open up vulnerabilities in a cloud environment and leave it subject to attack. • Authentication must be managed across all cloud environments; cloud environments should include identity Continuously monitoring and validating changes using management and related user protection capabilities; automation within the cloud environment is essential for maintaining a secure cloud. Automation methodologies like • Encourage cloud providers to limit the use of proprietary Security Content Automation Protocol (SCAP) provide excellent tools and storage platforms; methods for automating and controlling continuous monitoring • Understand the issues behind portability to avoid service deployments. Change validation is a key element of an effective provider lock-in; cloud security implementation. Validating cloud environments Security incident response must be clearly addressed in against known good references allow cloud users to gauge • contracts and procedures in place. Providers should have a their security profiles and effectively manage risk. transparent response process; • Employ continuous monitoring for risk and vulnerability Looking Ahead management.

Cloud computing is continuing to evolve, providing new ways to serve consumers. It will, for example, change to accommodate the paradigm shifts to ubiquitous mobility and pervasive big data. As users become mobile, they interact with the cloud from different contexts (hardware capability, connectivity, security level), and soon cloud will be able to support context aware applications. The dramatically increasing volume of data stored in the cloud will enable increasingly sophisticated analytics that will help consumers improve and manage their operations.

TechAmerica Foundation I SLG Cloud Commission 11 Heading to the cloud? What’s your biggest concern?

We’ve asked our clients this same question in an informal poll, with nearly 3,600 responses so far. We invite you to add your vote at cgi.com/cloudsurvey. And, we commend TechAmerica’s State and Local Cloud Commission (SLG-CC) for its valuable suggestions to address these issues.

❑ Security risks Many studies show security as the #1 concern for cloud adoption, and the same has been true in our poll to date, with nearly 2,000 respondents (56%) citing “security risks” as their top issue. The SLG-CC report points to the need for technologies that comply with the tough security and privacy requirements of government.

❑ Sorting reality from hype This was the next biggest concern in our poll, with more than 1,000 votes (29%). The SLG-CC report helps demystify cloud deployment and models, and shares best practices for their evaluation and implementation.

❑ Lack of governance 15% of respondents in our poll cite lack of governance as their key concern. The SLG-CC report offers a straight-forward game plan for risk management and governance.

In addition, the SLG-CC report raises portability and procurement models, as well as change and transition management, as key issues for states and localities. Would you rank one of these as your top concern?

❑ Portability ❑ Procurement ❑ Change management ❑ Transition management

Take our survey at cgi.com/cloudsurvey and see these results evolve.

Why CGI? We know the terrain. With more than 35 years of providing IT infrastructure and managed services to government and business, CGI delivers enterprise cloud solutions with superior savings, accountability and controls. We are the first certified provider to deliver secure cloud services under the General Services Administration’s Blanket Purchase Agreement for Infrastructure as a Service.

www.cgi.com/cloud _experience the commitmentTM Cloud adoption, taking place over multiple years and incorporating multiple projects, requires a clear understanding of risk — and firm governance models.

Implementing the Cloud

Data center consolidation. Virtualization of critical applications and resources. Emerging technologies. Continuous change will be the order of the day for state and local government IT (SLG IT) services agencies for the next ten years. So an ounce of preparation will be worth a pound of cure. Four key stages are fundamental to cloud computing success: business case and readiness assessment, risk assessment, implementation, and operation of the new environment (Figure 8).

Cloud Readiness

Risk Operations Assessment

Implementation

Figure 8 Cloud Implementation Lifecycle

These four phases should be part of any cloud planning process and be included in any major initiatives regarding applications and infrastructure.

TechAmerica Foundation I SLG Cloud Commission 13 Cloud Readiness Assessment assessment should be performed after the cloud readiness assessment in order to minimize vendor lock-in and maintain What’s the best way to leverage cloud computing? What an objective approach. business needs will be addressed by cloud adoption? Am I ready for a cloud solution? How do I build a long term In the absence of an Executive or Legislative mandate to roadmap? To answer these questions, state and local consolidate more than fi fty (50) email systems across many government offi cials need to generate a plan based on a disparate agencies, the state of Oregon had to develop an pragmatic framework. A cloud readiness assessment is the extremely compelling business case to build sponsorship place to start. The assessment should take into consideration and drive adoption of an email consolidation roadmap that strategic business goals and ICT imperatives. It should also included the use of a SaaS-based email solution. Over the objectively compare the current state ICT process maturity past year, use of the SaaS-based solution has tripled from against the planned state ICT processes maturity. Such an fi ve to fourteen agencies and one local government. As a approach enables the organization to plan effectively for result, Oregon has achieved impressive IT savings. The state’s implementation and ensure that the cloud adoption and methodical approach offers an excellent example of how implementation are strongly aligned with the business vision. a powerful business case and collaboratively developed The assessment will help the organization to minimize risks, consolidation roadmap can be applied to drive change in a disruptions, project delays, and budget over-runs during challenging environment. This Oregon case study and other implementation and operational phases. Since adoption documents can be found in the SLG-CC Community Portal at of cloud computing on a broad scale is likely a series of www.cloud4slg.org. projects deployed in a sequential manner over many years, a cloud readiness assessment process should be considered a “living document” which can be updated based upon new Figure 9 provides a graphical depiction of the assessment objectives or initiatives. Whether done internally or with help project structure. from a partner, a readiness assessment is a best practice for starting any cloud initiative within the agency. Finally, implementation of any products and services provided by Risk Management and Governance a vendor should include an assessment of that vendor’s Cloud adoption, taking place over multiple years and capabilities and compliance to a contract or SLA. Vendor incorporating multiple projects, requires a clear understanding of risk and fi rm governance models. Information can be leveraged to make decisions about the appropriate The key deliverables of an assessment should cloud models for an agency’s applications based on data include the following: classifi cation and associated risk. Luckily, several standards, guidance documents, and risk models already exist. • Cloud Computing Business Case and ROI Implementing a risk framework and governance model and • Cloud Vision, Strategy and Customer institutionalizing these tools into the agency’s operating Benefi ts environments are highly recommended for safe cloud adoption. • Application Assessment (inventory and target application profi le) Here’s a general game plan for making it happen: • Operational Impact Analysis (processes and Understand the application assessment — An application organization) assessment should be carefully planned and executed for • Technical Impact Analysis (infrastructure, every application moved to the cloud. From a technology and applications, people skills) operational perspective, the target cloud environment must provide similar performance and service capabilities as the Current and Future State Architectures (high • current environment. This means reviewing current operations, level plan) procedures, costs, technology and service levels to make sure • Governance and Risk Impact Analysis the new cloud is a match for the organization’s applications needs. Start with an application inventory and application Security Impact Analysis • profi le. Use the information to create a data classifi cation • Financial Analysis (benefi ts to all agency policy in order to measure compliance and enable governance. stakeholders) The policy will ensure that the appropriate availability, integrity and confi dentiality are provided at the necessary levels for Roadmap and Resource Planning to build or • all identifi ed assets and controls implemented where most buy cloud services needed.

14 The Cloud Imperative: Better Collaboration, Better Service, Better Cost IMPLEMENTING

Application Assessment Work Stream

Operations and Governance Assessment Work Stream Project Cloud Strategy Project Kickoff Work Stream Wrap-up Technical and Arhictecture Assessment Work Stream

Financial Analysis Work Stream

Figure 9 Cloud Readiness Assessment Project Structure

The State of Ohio has established a data classifi cation policy Experts in data management and open data access can be which clearly describes both criticality and confi dentiality found in the state of Oregon, who leveraged their expertise in attributes to be considered when implementing a cloud Geospatial Data Management to implement the nation’s fi rst infrastructure.5 citizen social interactive state data portal as a SaaS cloud service located at Data.Oregon.gov. This breakthrough online The State of Colorado has a similar policy. They provide system offers access to both state-specifi c as well as federal the following description which sums up the importance of data (available via Data.gov), to provide a rich, no-cost collaboration between the business and IT… public information service for decision makers, researchers, journalists, developers, residents, and other governments “Data classifi cation is not just the act of designating or with a variety of information needs. labeling data as ‘confi dential’ or ‘critical.’ It involves close collaboration between business units and IT organizations to work through issues that go well beyond IT. The classifi cation Utilize the data classifi cation policy and application mapping of data is truly a business function, not an IT function, based to make decisions — Cloud computing deployment should on business rules and federal and state regulations.”6 be based on acceptable risk levels, appropriate for each application and in consideration of other related applications or data connected to that application. If business and ICT Map applications to the data classifi cation policy — Leverage leaders have a low risk tolerance, they may decide to leverage this opportunity to improve communications and collaboration a private cloud model or approach where they have the with business owners in understanding the data which resides most control given the sensitive nature of the application in the application and the applications with which data are information. Similarly, for GIS data or other applications which shared. Medicaid applications may have the highest criticality contain information that is already publicly available, public or and confi dentiality, which will determine the cloud model that community cloud models may be implemented. is right for the business owners and ICT. GIS applications may have a lower risk profi le. Identify architecture gaps and “to be” state for technology architecture — Keeping in mind the various cloud models, 5 State of Ohio IT Policy, Investment and Governance Division, March 19, risk tolerance, and data classifi cation mapping, defi ne a 2008. “To be” architecture. Again, multiple cloud models should be 6 State of Colorado Information Asset Classifi cation Policy, October 8, considered based on levels of risk. Combining or integrating 2010. various cloud models can enable fl exibility, control and security options necessary.

TechAmerica Foundation I SLG Cloud Commission 15 Recognize the importance of governance and risk mitigation The City and County of San Francisco (CCSF) IT management model — Together, these steps form a long-term framework took such a “people/process/technology/policy” approach to reduce risk and maintain security. Figure 10 represents when developing their Cloud Computing strategy. For an example of a governance framework where local ICT example, they fi rst sought ratifi cation of a “Cloud First” policy and business leaders collaborate to write policy and to secure ongoing sponsorship for broad cloud adoption. They make decisions on risk tolerance for implementing cloud then encouraged cloud certifi cation training for designated technologies, and how Federal ICT leaders interact at local IT personnel to re-skill their staff to support the cloud levels to establish Federal policies and standards. For a computing model. And fi nally, in their email migration to “deeper dive” into data governance issues, visit the SLG-CC the cloud, they selected a solution that could offer an on- Community Portal. premise/off-premise SaaS solution for maximum fl exibility, with the ability to bring the infrastructure in-house later if their business or IT needs changed. State/Local CIO Federal CIO Because cloud computing is an emerging business and technical market, implementation best practices can be diffi cult to defi ne. They also depend on the requirements, use cases and readiness assessment of the entity considering cloud migration. A basic series of recommended best Agency/ FedRAMP or State/Local Other Cloud practices follows: Department CISO Standards CIO Bodies Preparing and Planning for Implementation

Figure 10 Cloud Governance and Policymaking Framework Taxpayers expect more than to see their critical state and local government services “lost in the clouds,” so begin the implementation process by being inclusive, complete and Finally, the data governance approach also needs to be sure candid. Spell out and agree on the mission, purpose, goals, of the legislative and policy framework within which it exists — objectives, and performance metrics of a cloud computing and the impact of regulation, audit, inspection, administrative program right from the start. law (such as the Data Protection Act, the Freedom of Information Act, and Human Rights legislation), and the • Create a core evaluation team comprised of ICT, business, guidance on information sharing. legal and fi nance, and executive members. Leverage the help of vendor community professionals capable of demonstrating a comprehensive implementation framework Implementation Best Practices and tools aligned with industry standards and proven success in cloud transformation initiatives; Adopting well-established ICT program and project management best practices are essential to cloud planning • Determine “proof of concept” strategies for those who may and implementation. Integrating cloud delivery resources into otherwise be risk averse; an organization’s infrastructure and moving applications into • Defi ne clear business cases and performance goals for the cloud will be a sustained and long-term process. Following adoption of cloud services based on industry proven use- the principles of good ICT project management means seeing cases. Establish which process indicators will measure the the big picture — and ensuring that technology, process, business value of cloud investment; policy and people are considered and included in the change Consider joint acquisition as an implementation step and process. Agencies that rush to deploy technology alone could • encourage up-front planning for multi-tenant environments. increase their risk of project failure, unnecessarily expose Budgeting for the cloud is a considerable shift for both IT data and users to security threats, and slow the realization leadership and the owners or custodians of that service. of benefi ts from the deployment of that technology. The shift from a capital intensive, project-based budgeting model to an expense-based, shared model requires a signifi cant effort in fi nancial planning and communication; • Identify agency services and or application candidates that will move to the cloud and how such movement will result

16 The Cloud Imperative: Better Collaboration, Better Service, Better Cost IMPLEMENTING

in tangible usage benefits such as scalability, elasticity and Best Practices During Implementation interoperability as well as potential cost savings. In doing and Deployment so, analyze the technical architecture trade-offs. Define evaluation criteria for objectively identifying candidates to Once a cloud computing engagement is underway, many “best be moved; practices” fall into the domain of the cloud service provider. Still, there are steps that can keep the process running Define a cloud services adoption strategy and roadmap • efficiently and effectively: in alignment with prioritized business cases and create a formal communications plan not only to inform but to • Plan and conduct pilot test for services requested; promote adoption of the cloud; • Verify QoS requirements and validate risk and mitigation • Define a detailed architecture design artifact aligning plans; business and technology. Both service models (IaaS, Use vendor-neutral “cloud middleware” wherever possible; PaaS, SaaS) and deployment models (Private Cloud, Public • Cloud, Hybrid Cloud, Community Cloud) must be included. • Minimize the technical architectural complexity; Quality of Service (QoS) requirements such as reliability, Keep loosely coupled components and asynchronous availability, serviceability, scalability, and security must be • message-based, parallel execution as a guiding principle; defined and approved by all enterprise stakeholders; • Peer review solution architecture requirements compliance; • Define the additional business and technical questions that must be addressed as a user and those that must be • Consider a disaster recovery plan that involves an answered by cloud providers. For instance, if a customer alternate provider, understand the capacities and wishes to move their workload away from a cloud provider, capabilities of your providers to play a backup role can that be done at low cost and minimal disruption? should one provider have a catastrophic event. i.e., does the cloud provide portability? Can a customer concurrently employ multiple cloud providers to achieve Program and Project Management a single goal at low cost? i.e., does the cloud provide interoperability? What support for security can cloud Select a production proven, robust delivery framework and providers offer to allay concerns about how customer data tools designed to help state and local government agencies are protected from unauthorized disclosure or modification; achieve a phased approach to cloud adoption. Table 1 shows and what kinds of availability requirements can cloud the elements state and local governments need to consider in providers satisfy? Government agency adopted use-cases such a framework. with prescriptive guidance and case studies from sources Table 1 Sample Cloud Program Management Planning such as NIST should be referenced; Framework • Analyze industry accepted standards, best practices, use cases and align with the agency’s cloud adoption strategy Governance, Risk, and roadmap from leading standards bodies such as NIST; Business Case and Compliance Adoption assessment Integration and orchestration Define compliance, security and recurring audit • approach plan requirements compliant with agency requirements. Incorporate direction and guidance from government Architectural impact review Privacy and security accepted sources; management • Define cloud provider vendor requirements that must be Organizational operating Training and staffing plans included in contractual agreements such as portability, model back-up, data access/transfer, QoS requirements, key Business process capability Quality assurance plans performance indicator reporting capabilities, threat map detection/incident management, as well as regulatory compliance certifications; Business model/strategy Communication plans • Verify the type and number of environments that are Cloud ecosystem summary Change management plans needed for the application/service being moved to the Cloud adoption maturity Data management plans cloud (i.e. production, test, development). model Cloud vendor selection Maintenance and support approach plans

TechAmerica Foundation I SLG Cloud Commission 17 Select a project management team with experience in Larimer County, Colorado offers a stunning example of how program/project management principles, state or local the cloud computing approach can help governments deliver government business and cloud computing. Such a team more with less. In developing its PaaS solution to centralize likely will be composed of both internal and external expertise constituent data sharing between non-profi t agencies, an and human resources. In evaluating vendors and suppliers, IT staff of one person working 35–40% FTE on the project fi rst determine if a “cloud broker” is needed or a “cloud was able to complete it in only 8 months. It was the ready provider” is suffi cient. A cloud broker can help the agency mix availability of the low-cost PaaS model that permitted quick and match from competing solution providers, but this may application development and deployment at very little cost. introduce short-term time and cost delays. As a result, numerous non-profi t agencies are being added to the PaaS solution at only $5,000 each to get started, with a In selecting any solution, whether independently or through nominal monthly subscription fee for ongoing use. Only with a broker, avoid specialized components, hardware and a cloud computing deployment is it possible to achieve so proprietary appliance usage (if proprietary solutions offering much so quickly with so little investment up-front. The cloud exceptional capabilities are selected, be sure that these truly does enable “doing more with less.” include mechanisms that avoid vendor lock-in). Like managing any utility, understand the range of available billing and usage monitoring options. The depth and breadth of service When it comes to state and local government agency use of support may also differ depending on cloud service provider. the cloud computing model, gaining the economies of scale Understand the service support options and trade-offs, and and leveraging innovation means providing more and better have QoS requirements defi ned ahead of time. Pilot and test government services at reduced cost to constituents. So the environments can help avoid costly problems, so having them case for change and the vision of cloud computing should available is a plus. And, of course, because every program be clearly documented and governance defi ned. In particular, and project plan is subject to change, have an exit strategy special effort may be needed to educate and gain the support ready to go. of elected offi cials. The people impacts need to be understood and a workforce development plan created. Stakeholders include those creating, using, and supporting cloud-based Managing Culture Change solutions. Managing culture change successfully requires the continuous engagement of all stakeholders, particularly that The move to cloud computing is as much about people as it is of an executive champion to guide the process. End users about technology — the feelings, beliefs, attitudes, customs need to be engaged early in the process and throughout and norms of conducting work and transacting business. the program or project lifecycle, with the expectations and Cloud computing seeks economies of scale and service success measures for the changeover clearly communicated. innovation. Economies of scale involve doing more with less, and spreading the benefi ts of more productive operations to the broadest group of stakeholders. Innovation involves Managing Process Transformation leveraging on-demand elasticity, massive scalability, rapid prototyping and experimentation in imaginative ways not Looking at the big picture, cloud computing allows state or possible without the features provided by the cloud to create local government agencies to spend less time and money new and higher value services to citizens. on ICT design, development and maintenance and redirect those resources to focus on primary services to constituents in areas like education, healthcare, public safety, and transportation. Process transformation could involve reducing operating expenses, off-loading a data center, increasing agility to deploy new applications more quickly, improving business continuity, supporting seasonal scalability requirements, avoiding revenue losses, reducing liability or achieving other objectives. Process transformation could impact services, channels, business activities, even an organization’s change management procedures themselves.

Once people understand and accept why change is needed, emphasis switches to exactly how change will be achieved. Processes and methods, both business and technical, must be transformed and that transformation must be managed. Often, this means reallocation of staff and resources, a diffi cult and highly charged undertaking. Taking an objective focus to “core” versus “non-core” activities at least provides

18 The Cloud Imperative: Better Collaboration, Better Service, Better Cost IMPLEMENTING a baseline to begin this process. Retraining and other skills Key Takeaways enhancement initiatives can also mitigate the difficulties implicit in staff reassignments. And be sure to look for • Business case and readiness assessment, risk examples in government and industry where cloud computing assessment, implementation and operation are has been adopted and new jobs have been created through fundamental to cloud computing; technology innovation. • The readiness assessment should consider both business A business process re-engineering methodology and related and technical goals; procedures should be used in approaches to technology, • Vendor assessments should follow readiness demand and capacity planning, performance setting and assessments to prevent lock-in; SLA management. System development lifecycle activities Cloud computing impacts register across a broad range of may need adjustment to accommodate cloud services. A • process and performance variables; comprehensive strategy will incorporate any new approaches to change management as well as training. Where vendors are • Cloud deployment should be based on acceptable risk concerned, the watchword should be trust but verify. levels; • Cloud implementation should see the bigger picture, taking Operations Best Practices into account technology, processes, policies and people; • Less money spent to develop and deliver technology Even among early adopters, cloud computing operations solutions can mean more money spent on government are still in the very early stages of deployment. That fact services to constituents; notwithstanding, several lessons learned and best practices Standardization leads to reduced cost and expedited have emerged: • service delivery. Standardize services and processes — Standardization allows automation to reduce cost and speed services Recommendations Recap delivery. • Create a multiphase strategy for cloud computing adoption Adopt new application architectures — Much of the power and deployment; of cloud computing comes from concepts like reuse and portability. Applications must be developed with an eye • Build an inventory of applications to be moved to the toward these capabilities. cloud; Analyze process and financial impacts, gaps, efficiencies; Capacity monitoring and planning and budgeting — • While economies of scale are a cloud computing given, • Determine how cloud computing will impact current appropriate and precise measurement of use and technical operations and architecture considerations; apportioning of cost must be as well. • Perform a cost-benefit analysis comparing cloud to in- house ICT investments and document the case for change; Process automation — Process automation constitutes the most innovative and impactful change that an ICT • Create a data classification policy and rigorous data organization can deploy. By leveraging pre-built automation governance policies; routines, working with application developers to build or • Prepare and plan for implementation with a modify applications that are cloud ready, and standardizing multidisciplinary evaluation team; repeatable processes, state and local government agencies will see substantial cost reductions in labor and • Define objective evaluation criteria and an adoption resources. strategy that aligns with business priorities; • Decide what other business and technical questions need People skills and Managed Services integration — to be answered; Necessary skills and competencies will evolve as cloud computing programs advance. Track the trends and train • Select a capable, experienced project management team; accordingly. • Understand the range of support services available, including those that measure use and apportion costs.

TechAmerica Foundation I SLG Cloud Commission 19 12-1892 SAIC’s half page ad for State and Local Government Cloud Commission Final Report. Ad size: (8 in x 5.25 in). 1/20/2012 x5.25 in (8 size: Ad Report. Final Commission Cloud Government Local and State for ad page half SAIC’s © SAIC. All rights reserved. rights All © SAIC. • CYBERSECURITY • HEALTH & ENVIRONMENT • ENERGY SECURITY NATIONAL atsaic.com/managed-cloud us Visit for alow fi services assessment xed price. for governmentsolutions all of and agencies sizes, initial cloud-readiness tailored and manage secure,precisely in cloud. ongoing We the offer operations develop, to design, implement, practices proven engineering best uses SAIC Managed Cloud Services for for Managed Services Cloud State andState LocalAgencies NYSE: SAI NYSE: The state of Wisconsin is developing a “Cloud Computing Cookbook” detailing the recipe for how a business can evaluate a cloud computing opportunity, engage vendors and consume services from the cloud. The Wisconsin Cookbook can be found on the SLG-CC Community Portal.

Acquiring the Cloud

There is no doubt about it: cloud computing is a state and local government priority. In a recent survey of state and territorial CIOs, “Rationalizing/centralizing state IT services” (67%) and “Controlling IT costs” (55%) were identified as two of their top goals for 2012. NASCIO’s published list of CIO Priorities for 2012 has cloud computing ranked five of ten as a priority strategy and three of ten as a priority technology. However, before a state or local government agencies can integrate cloud solutions into their technology plans, three acquisition and contracting issues need to be properly addressed: • Procurement Vehicles • Key Contractual Terms • Funding Streams In this section, each of these issues is addressed from a cloud perspective, followed by a series of recommendations intended to facilitate the process. Underlying this entire discussion is the need for common definitions, approaches, and purchasing mechanisms, allowing for far easier acceptance, adoption and acceleration of cloud computing programs. Table 2 itemizes some of the most prominent business and design impacts and tradeoffs when selecting among cloud deployment and architectural models.

TechAmerica Foundation I SLG Cloud Commission 21 Table 2 Cloud Features & Business Impacts

DEpLoymEnT moDELS

private Cloud Community Cloud • Dedicated Hardware • Designed for Exclusive Group Use (e.g. Law Enforcement) • Large Scale Resources Drive Cost Efficiencies • Assumes Common Policy Concerns • Single or Multiple Customers • Features Common Data Governance Requirements • Significant Capital Expense • Financial Savings of Shared Environment • Significant Human Capital • Supports Need for Data Center Consolidation • Pay-per-use in Shared Service Model • Managed Cloud Vendor Solutions Available public Cloud Hybrid Cloud • Used by Any Subscriber • Combines Two or More Distinct Cloud Architectures • User-centric, Commoditized Offerings • Supports Private Cloud Need for Security and Control • Productivity and Collaboration Applications with Public Cloud Support of Bursty Applications, Test • Development and Testing Environments Environments and Storage • Shared Multi-Tenant Resource • Allows Flexible Choice for Housing Applications and Data • Pay Per Use • No Build Out Costs SERVICE moDELS

Infrastructure as a Service platform as a Service Pay per use, flat rate or contracts in some cases Pay per user or contracts in some cases Pros Pros • Rapid deployment and cost efficiencies • Delivery of a powerful tool to develop and launch mobile • Replaces the dedicated hardware platform for applications or cloud applications that are on demand, pay-as-you-go and enables sharing of hardware resources that can be service pooled across multiple applications to produce higher • Enables developers to spend more time on enhancing the efficiencies and utilization — and lower costs applications and less time on systems engineering tasks • Grow, shrink or move applications though duplication and by leveraging a single development language and building live migrations of virtual machines reusable components Cons • Permits build, test, run of same application with cloning between parallel environments Limited portal capabilities could limit usability • Developers can push code out to the cloud quickly and on Standardized and automated in support of rapid • • a wide-scale basis deployment limits customization options • No upfront capital investments Application Examples Cons • Data Storage • Depending on the vendor, disadvantages can range from • High Availability and Disaster Recovery the inability to develop traditional enterprise applications • Development and Testing to providing limited customization, workflows, and data • Spikes in Server Demands policies • Dependence on network, customize to ensure sound Business Continuity at a cost

Application Examples • Taxes • Health and Human Services • Transportation • Database • Analytics

22 The Cloud Imperative: Better Collaboration, Better Service, Better Cost ACQUIRING

Table 2 continued The following two standards are paving the way to data portability: SoFTWARE AS A SERVICE • DMTF’s Open Virtualization Format (OVF) is a packaging Pay per user per month standard designed to address the portability and Pros deployment of virtual appliances. OVF enables simplifi ed • Lower acquisition and support costs and error-free deployment of virtual appliances across • Transparency of pricing multiple virtualization platforms (www.dmtf.org/standards/ • Operational budget vs. a capital budget ovf). • Reduction in human capital • OpenStack is a global collaboration of developers and • Shared multi-tenant application and database cloud computing technologists producing the ubiquitous • Single application open source cloud computing platform for public and • Network based service accessible via Public or Private private clouds. The project aims to deliver solutions for all Networks types of clouds by being simple to implement, massively • On-demand licensing scalable, and feature rich (www.openstack.org). • Fully managed by partner Cons The Commonwealth of Virginia implemented a statewide • Nascent SaaS applications lack domain specifi c consolidated procurement SaaS solution, mentioned earlier, workfl ows and business processing capabilities specifi c that would: to state and local vertical • Obtain visibility over all Commonwealth purchases to track • Governance issues of application portfolio and leverage buying power; Longer-term TCO uncertainties • Provide one Internet electronic portal for suppliers to Application may reside outside state or national • • process purchases electronically and access purchasing boundaries information and business opportunities to electronically Limited functionality and limited customization, • conduct business with the Commonwealth; depending on vendor’s platform • Include purchases of cloud services from the cloud service Application Examples itself. • Collaboration Tools • Email Annual savings is $30M per year, and the eVA solution was • eProcurement viewed as a benchmark for the WSCA exploration into their • Survey Tools cloud-based procurement solution to be deployed in 2012. • Social Media Applications A buyer’s guide can be developed to help create a centralized Other Business Model Factors resource which, among other uses, identifi es vetted cloud providers. Several publications from the National Association The business models for cloud services vary widely. However, of State CIOs, including an issue brief recently released, the one constant across this spectrum is the increasing level should also prove useful in this area. of responsibility associated with each architectural platform. From IaaS to PaaS to SaaS, the government agency’s level of responsibility increases.

Providing service in the public sector is highly dependent on data. Data represent the lifeblood of state and local government operations — and must be governed accordingly. However, ICT organizations have additional concerns regarding data when it comes to cloud solutions. The concept of “lock- in” becomes more of a factor as organizations move across the gradient from private to public cloud deployment models- -or from IaaS to PaaS to SaaS architectures. The solution to “lock-in” concerns is standards.

TechAmerica Foundation I SLG Cloud Commission 23 Procurement Vehicles shifts in personnel are contemplated, be sure to include a staff training and retraining provision in the RFP. State and local government organizations seeking to use contracted cloud services will need to execute a procurement Leverage cloud services procurement vehicles vehicle through which to acquire those services, but few at 3 established through multi-government consortia this time have such vehicles specifi cally dedicated to cloud computing. Given this, governments have the following options A number of government organizations are joining together when looking to secure an appropriate contracting vehicle: to create multi-jurisdictional cloud procurement vehicles. These may involve multiple “peer” government entities (e.g., Use an existing procurement vehicle not specifi cally a group of states counties) or may involve multiple levels of 1 designed for cloud services government (e.g., a state that allows counties or other local governments to procure to their procurement vehicles). WSCA The RFP process for many governments can take many is a good example of such a consortium. WSCA members months to issue and to award. This many-month cycle and Utah, Oregon, Montana, Colorado are collaborating on a multi- attendant delay is incompatible with the immediate use and state RFP issued for cloud-based GIS services. The RFP is benefi ts of cloud services. Waiting multiple months could also fl exible enough to be used for general cloud server and result in either needs changing or the capabilities cloud- storage hosting. based solutions having advanced even further. For many government organizations, leveraging an existing procurement Select cloud service procurement vehicles established by vehicle might be the fastest and easiest way to procure cloud 4 the Federal government services. The Federal General Services Administration (GSA) provides While expedient, most traditional network, telecommunications, an array of offerings for cloud computing, available via and software procurement vehicles lack a number of Schedule 70 contracts and accessible by other government important terms and conditions necessary for cloud services entities. These include infrastructure, software, and PaaS to function effectively. In particular, SLAs, data privacy, offerings. GSA has also awarded a Blanket Purchase and data portability requirements are often not adequately Agreement (BPA) for cloud-based IaaS offerings to be available addressed. in three unique lots: cloud storage, virtual machines, and web hosting. Existing procurement vehicles can be effectively leveraged for the procurement of cloud services provided that care is Prior to making IaaS products available through Apps.gov, taken in structuring the procurement. For example, the State vendors will have to complete a GSA administered Federal of California has used several existing procurement vehicles Information Security Management Act (FISMA) assessment to solicit cloud-based network services, Web services, Web and authorization process. Once granted authority to operate, hosting, and SaaS. No signifi cant issues were encountered in products will be made available for purchase by government using these vehicles, mainly because the state added special entities through the Apps.gov storefront. terms and conditions to topics such as service up time and data portability to supplement standard terms and conditions in the base contracts (which in many cases weren’t very The GSA has recently implemented its own cloud-based applicable to a cloud services contract). email solution, for which the case study can be found on the Federal Cloud First Buyers Guide. GSA will soon offer a BPA program for Email as a Service (EaaS) to benefi t state and Create a specifi c vehicle for the cloud services local governments as well. 2 procurement

Some governments have opted to create new contract The Offi ce of Management and Budget (OMB) is also vehicles specifi cally designed for the procurement of cloud facilitating the Federal Risk and Authorization Management services. These vehicles may be tightly or fl exibly scoped, Program (FedRAMP), which is a government-wide program that and may offer customers access to a wide variety of cloud provides a standardized approach to security assessment, services. One state, for example, has created a procurement authorization, and continuous monitoring for cloud products vehicle designed specifi cally for the provision of cloud services and services. FedRAMP has been in development over the in a secure cloud environment that offers email and legal last 18 months in close collaboration with cybersecurity and eDiscovery services and collaboration tools for mobile users. cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the While the initial contract is for email services, the contract Federal CIO Council and its working groups as well as private is fl exible enough that other types of cloud services can be industry and academia. The FedRAMP program is designed to added later. Where data center consolidation or other major solve the security authorization problems highlighted by cloud

24 The Cloud Imperative: Better Collaboration, Better Service, Better Cost ACQUIRING Email is a popular first step “into the cloud” for every jurisdiction, from the city of Carlsbad, California to Multnomah County, Oregon to the states of Wyoming and Florida. All of these case studies and more are available on the SLG-CC Community Portal.

computing. Through this government-wide approach, FedRAMP Develop and execute a data classification strategy as is intended to enable agencies to either use or leverage 5 a guide to what services should be externally provided authorizations with an: through a public cloud solution, versus what services should be provided internally. • Interagency vetted approach using common security requirements; Consider creating a buyers’ guide which helps centralize • Consistent application of Federal security requirements; 6 the list of available providers that have been vetted and • Consolidated risk management; and prequalified. Increased ability to gain effectiveness and management • Include contract management staff in the procurement cost savings. 7 development process to build knowledge of post-award assessment and monitoring requirements. Recommendations and Lessons Learned on Cloud Procurement Vehicles Gain visibility into lower value and less formal procurement options available to government users. State and local governments that have implemented 8 Cloud services can often be purchased as an operating procurement vehicles for the acquisition of cloud services expense on a “p-card.” The government ICT organization offer the following recommendations and lessons learned: will need to monitor and oversee all procurement purchases in order to manage the government ICT spend If an existing procurement vehicle is leveraged to more comprehensively. 1 procure cloud services, add special terms and conditions to any RFPs that are designed specifically to address Promote a “ramp up” process whereby local staff gain unique needs of cloud services. 9 the expertise needed to support vendor selection and oversight. Regardless of the type of procurement vehicle used, 2 ensure that terms and conditions are established for the most critical elements of the contract. These include: Key Contractual Terms

• Data portability. Since many of the vendors are creating There are five basic areas relative to cloud service purchase integrated, proprietary solutions, understanding how the terms and conditions. They are: government client would get their data off the vendor’s solution at the appropriate time is critical; 1 Asset Location and Ownership • Records management safeguards; State and local government agencies normally require their • Security and privacy of data; and physical assets and the people supporting those assets to be located within the United States. In many locales Financially backed, enforceable and measurable SLAs. • the restriction goes even further to require data and employees to be located within the locale (State, County, IaaS procurement vehicles will be easier than a vehicle or City). This must be clearly identified as a requirement 3 that attempts to incorporate both IaaS and PaaS in the contract for bidders to provide a responsive bid. services. SaaS procurements should be done one Additionally, the ownership of assets during the term of the application at a time. agreement and at the end of the term is often a discussion point with the entity. The recent trend in government is For procurement vehicles that span multiple jurisdictions to have the external service provider own the hardware, 4 to gather requirements, aggregate demand and obtain software, tools and other assets during the term, but for better quantity discounts, address governance issues the government to have the option of buying the assets at early. Highlight methods for agencies to insert their the end of the term at either Fair Market Value or at Net specific requirements. Book Value. These provisions must also be depicted in the sourcing requirements document.

TechAmerica Foundation I SLG Cloud Commission 25 2 Access to the Data Other Contract Considerations The single largest concern with moving to the cloud is fear Beyond these fi ve major areas, there are a number of specifi c of who will have access to the data and what controls will areas where the contract language must be specifi c and will be in place for ensuring protection of data. There are a determine the outcome of the solution. These areas include number of requirements that speak to access in terms of SLAs, (along with the monitoring and enforcement of same), public or private Internet but there are also control issues default triggers, security event handling, and a series of within the provider’s spaces. Terms and conditions would governance and communications related contract language include physical security (fenced off areas) to logical provisions. It is important to recognize that a cloud solution’s security (access rights management). success will be tied very closely to the language and terms and conditions of the contract that delivers the service. It 3 Terms of Disentanglement requires a mental paradigm shift from managing people to Disentanglement is the event that ends the agreement to managing outcomes. buy services. It can include termination for convenience (change of heart/strategy), termination for cause (breach or performance issues), or end of term. It is imperative Funding Streams to have contractual provisions that cover how those Despite a challenging economic environment, state separation activities will be handled. These provisions government ICT budgets are beginning to trend upwards, still would include everything from what happens to the down approximately 9% from pre-economic downturn numbers intellectual property that was used in performing the in 2011. services to how much support would be required in transitioning the services back in house or to another If adoption of the cloud is to be cost-effective, state and local vendor. This section of the contract is where the ability to governments need to think less about long-term budget cycles maintain continuous cloud services is ensured. and more about near-term savings. This process requires identifying existing applications that could be migrated to 4 Data and Asset Segregation cloud-based solutions. Potentially, the savings from adopting cloud solutions could be reinvested into other areas of This area has to do with whether the entity is willing mission critical need for the state and its residents. to have its assets shared with other entities. In some cases state and local government agencies want to have In its research, which included interviews with state CIO’s and dedicated hardware for some portion of their environment local government ICT managers, the SLG Cloud Commission (data base servers) and some portion on shared assets found various methods of how state governments are funding (web servers). The specifi cs of the segregation of assets cloud projects. Among the Commission’s best practices will affect the pricing. fi ndings and recommendations: 5 Pricing Model • A strong state central governing ICT body can be extremely In most cases entities are moving to the cloud to get a benefi cial for adopting a state-wide cloud initiative and more scalable capacity and are expecting the pricing to leveraging existing ICT budgets. be “pay as you go” versus a fi xed investment based • An identifi ed funding stream for enterprise cloud solutions on capital investments. There are a number of pricing was using funding out of existing data center budgets. models available, and the specifi c requirements need to A single vendor or integrator should be considered that be included in the contract provisions. • provides an overall solution which leverages best of breed sub-solutions and technologies from a variety of vendors. The SLG-CC Community Portal offers many tools and Cloud technology is changing too rapidly and deployments resources for pricing, business case justifi cations, technical are comprised of too many technologies and subsystems white papers and more to educate and advise on how to best to rely on a single vendor to provide them all. leverage the cloud for state and local government needs. • Each state should complete a cloud RFP leveraging all state requirements and awarding based on value and price. This new cloud state contract vehicle is then available for each sub-agency to leverage state government pricing and use individual budgets to procure. RFPs should be appropriately designed or divided to allow for vendor teaming.

26 The Cloud Imperative: Better Collaboration, Better Service, Better Cost ACQUIRING

• State government respondents believe it more likely that Key Takeaways an operating expense increase request is more likely to be Successful procurement of cloud services must address approved than a capital budget increase. Applications such • three key acquisition and contracting issues: procurement as VoIP can demonstrate a cloud-based cost improvement. vehicles, contractual terms and funding streams; As it relates to A.87 compliance, state and local • Procurement vehicles in use today may or may not be governments may want to consider a “Cost Allocation • specifi cally designed for cloud services. They may be Plan” where federal funding is being used to provide cloud- offered by multi-government consortia or by the federal based solutions. This plan should clearly defi ne the shared government; benefi ts and costs associated with migration to the cloud for both spending justifi cation and audit considerations. • Contract vehicles for cloud services are also offered by multi-government consortia and the federal government; • School districts should consider cloud-based solutions to deliver applications to students and staff. The consistency • To date private clouds have dominated state CIO of services to all schools, combined with the benefi t of re- discussions, factor in the need for varying application vectoring the savings to other school or educational needs requirements such as development and test environments, is a win-win for all. prototyping, collaboration and e-mail and the case for hybrid and virtual private clouds are gaining ground; The award-winning IlliniCloud for IaaS was developed by the • Private clouds offered by cloud vendors have the potential Bloomington, Illinois school district to deliver state-of-the-art to obviate the need for large capital expenditures by state computing resources for K–12 education. It is being adopted and local governments; statewide — a tribute to its innovation and cost effi ciencies. • Acquiring cloud architectural design services raises The University of Kentucky has deployed its enterprise specifi c procurement issues which must be addressed. business applications in a managed private cloud to increase the fl exibility and level of service to end users while Recommendations Recap simplifying the IT infrastructure. Initial tests have shown some impressive results, and expected customer benefi ts • Create a state RFP specifi cally tailored for cloud services include a reduced total cost of ownership of 25%. to support a variety of delivery models — and available for use by local governments; In summary, state and local government agencies and ICT • When using an existing, non-cloud specifi c procurement departments should collaborate and leverage their collective vehicle, use terms and conditions specifi c to cloud strengths when negotiating for cloud-based solutions. A new services; way of thinking and talking about the information utility from Develop and require specifi c terms and conditions for data both a technology and budgeting perspective is needed. This • portability, records management, security and privacy, and process will be greatly aided and the anxiety of risk-averse SLAs; offi cials greatly mitigated by adopting common terms and conditions language in areas like portability, security and • When addressing multijurisdictional clouds highlight and records management. With these new approaches in place, adjudicate governance issues; the benefi ts of a cloud-based solution should save money for • Create or leverage buyer’s guides, including those from state governments and taxpayers while delivering consistently Federal and commercial sources, to vet and prequalify better government services to end users. providers.

TechAmerica Foundation I SLG Cloud Commission 27 move fearlessly among the clouds it’s open, yet secure. agile, yet efficient. virtual, yet real. intelligent, yet simple. virtual, yet real. it builds on your current network, ©2011 Cisco Systems, Inc. All rights reserved combining servers, networking, storage and virtualization. so you can deploy applications in minutes, not weeks. move among the clouds. grow your productivity. and turn silos into new ways of working together. introducing the Cisco data center business advantage. cisco.com/go/slgcloud

BUILT FOR THE HUMAN NETWORK FEBRUARy 2012

Final Summary and Conclusion

State and local government agencies face a dramatic opportunity to shift the focus of their activity from the mechanics of ICT infrastructure to the delivery of enhanced government services. Cloud computing, based on new models for the ownership, location, pricing and maintenance of IT assets, sets the stage for this change.

Whether it’s Infrastructure as a Service for K–12 education in Illinois … a private cloud for enterprise management at the University of Kentucky … Platform as a Service for Minnesota economic development … Email as a Service for New Hanover County, North Carolina hurricane recovery … or Software as a Service for collaboration in Wyoming … cloud computing has become the imperative for state and local government.

The purpose, dimensions and construction of the cloud environment must be carefully planned, the cloud computing customer base must be well understood, and the benefits of cloud computing must be thoroughly articulated to builders, buyers and users.

The process of building begins with the technology itself. Hardware and software assets can be combined in different configurations or used in various ways to deliver very different services: discrete applications, development platforms, entire computing infrastructures. And the sharing of these services can likewise be very different, from none whatsoever to totally open and available.

Technology provides the elasticity necessary to shape clouds to their intended purpose and the seamlessness necessary to enable state and local government customers to move between competing cloud solutions with limited disruption to operations. Technology also provides the security and privacy safeguards needed so that cloud computing does not become a porous or corrupted resource, violating the trust and confidence of its users.

A structured approach to implementation can help eliminate false starts and blind alleys by considering all elements of the

TechAmerica Foundation I SLG Cloud Commission 29 equation: infrastructure, applications, people, processes and Finally, as discussed in the beginning, this paper and the dollars. Having the right roadmap — a map that addresses related web portal do not aim to answer all of the questions all of the appropriate technical and business issues — helps and/or issues around cloud computing for state and local cloud planners reach the right destination. Strong governance governments. While providing some framework knowledge and data classifi cation policies can help reduce risk, identify about cloud computing as a set of technologies and gaps, and set priorities. While cloud computing is a rapidly processes, from the start, the Commission collaborated with evolving fi eld, this paper identifi es a series of program, project the leading state and local government policy makers, ICT and operational best practices that can help state and local executives and leading vendors to create a platform for further government agencies tap into this exciting new mode of collaboration and idea exchange. The Commission believes service delivery. cloud computing and surrounding technologies around cloud computing will rapidly evolve in the near future. As needs Cloud computing can help state and local governments and requirements change, surrounding technologies and transform information services in a fl exible and affordable processes will evolve as well. The Commission is dedicated manner. The key is to get started. Multiple models exist for to further develop this paper and the web platform for future the multiplicity of cloud services. Understand the service needs. delivery models and best practices for their implementation. Whether the cloud model is private or public, software, While cloud computing is a rapidly evolving fi eld, this paper platform or infrastructure as a service, cloud is about delivers an end-to-end roadmap for program, project and aggregating demand and achieving economies of scale to operational best practices that can help state and local increase business agility and lower cost and overhead. Thus government agencies tap into the most exciting information the issue of how cloud computing is acquired comes to the technology wave since the Internet. forefront. A thorough understanding of procurement options and a mapping of procurement vehicles to cloud services will Welcome to the Cloud. Welcome to the Beginning. help assure a far better end result.

30 The Cloud Imperative: Better Collaboration, Better Service, Better Cost Appendix I State and Local Government Cloud Examples

There are many other examples of cloud computing helping state and local governments to improve service, foster collaboration and save taxpayer dollars. For a complete list of case studies and use case examples, visit the SLG-CC Community Portal (www.cloud4slg.org).

Why the need for speed? The storm drainage tax assessment Cloud Computing Helps Houston allows property owners to go online to view and, if necessary, Float over Storm Water System Woes challenge their assessment. With the drainage charge itself going into place quickly, the city needed the online system up and running quickly as well. Abstract

A city’s need to bring a new storm drainage tax assessment The Challenge and Solution application online fast for customers makes the move to Rather than make a best guess at the number of new servers cloud computing a natural, with environments that allow for that would be needed to develop, test and operate the new development, test and implementation without the need to application, planners elected IaaS solution from Amazon Web add servers or predict usage. Services. Selecting an IaaS for the storm water drainage charge application allows the city to gain the utility-like Customer Profile benefits of cloud computing with a service that can scale up as Houston residents open their assessment letters and to When the Houston City Council told the municipality’s IT scale back down when interest in storm water drains away. department that it needed a storm drainage tax assessment Assessment payers use the system to view and verify their system up and running on a very tight timeframe, planners property records and, if necessary, to challenge inaccurate opted for the cloud. The city operates two data centers and a assessments. full IT staff. What officials did not have was a good sense of how often city property owners would use such a system — The city’s IT team worked with a partner to implement its and the demand such an unpredictable usage would place on new application in the cloud and integrate back to the legacy their in-house servers. systems needed. Parallel environments running development, test, and production in the cloud all at the same time made Storm water drainage might not seem like the stuff of it easier to build and bring the new solution online. Only a innovative local government services. But Houston’s 6,000 cloud computing data center, with its unique scalability, could miles of streets, 3,300 miles of storm sewers and 2,800 dramatically shorten the time-to-implementation and make miles of roadside ditches need work well beyond the current this parallel approach much more cost-effective than working rate of rehabilitation and rebuilding. Proposition 1, passed by in an on-premise environment. voters in May 2011, imposes a drainage charge on residents to help fund repairs. Elected officials told the city to have the While adoption was well-received, there was some initial new charge-viewing utility in place by July 1, 2011 — eight skepticism on recognizing the need to re-skill the IT team to short weeks after passage of the measure. manage this new cloud deployment. Additionally, developing interfaces to the legacy applications’ on-premise environment

TechAmerica Foundation I SLG Cloud Commission 31 Dell Cloud

Dell provides a portfolio of secure Private, Public, and Hybrid Cloud offerings including consulting, application migration, and managed services. By leveraging core technologies from recent acquisitions we offer a comprehensive cloud solution that best meets your needs. For example, Dell SecureWorks processes over 13 billion security events on a daily basis and is a core component of the Dell Cloud. And Dell Boomi is helping customers bridge legacy and cloud applications.

Our commanding presence in many industry verticals, including Healthcare, Education and Government, brings the expertise necessary to ensure success. Whether you are looking for secure private clouds or vertically specific community clouds, we simplify the customer experience by being your single vendor of choice, offering hardware, software and services for your cloud solution.

Powered by a suite of IP and customized solutions.

Enterprise class Highly secure Additional data centers and compliant services Controllable & High availability High flexible performing

Visit us at www.dell.com/cloud or www.dellintheclouds.com

DellCloud_TechAmerica_Ad_FullPage.indd 1 1/26/2012 11:09:25 AM APPENDIX I proved to be a complex challenge. Nonetheless, the Customer Profile successful implementation of the project in only seven months convinced the IT team to look at moving other applications to Cook County, Illinois had a problem: The public simply did the cloud. not understand how its county government operates or how tax dollars were collected and spent. Because many county systems and processes were still paper-based, data were Results not readily available in digital format. This paper-based data contributed to the public’s lack of understanding by making While its capabilities may not make property owners happy information difficult to find and obtain. about paying their assessments, the service does allow the city to make a more cost efficient cap-ex versus op-ex tradeoff. The County Board made the clear connection between greater Using the cloud, Houston avoids upfront costs and accesses government transparency and a more informed, engaged and just the server power needed during the development and supportive citizenry, acting to open things up with a new law testing phases of application development, jettisoning this requiring County agencies to, among other mandates, make at capability when these aspects of the project are complete. least three “high value” data sets available on a new County website. Acquisition of the cloud solution has also proved to be as right as rain. Again responding to its tight timeframe, the city Prior to the ordinance, several departments of the Cook purchased the service from Amazon on a municipal credit County government, including the Clerk, Sheriff, Recorder and card. This portion of the acquisition proved sufficient for Treasurer and Public Health, either provided some information buying cloud services in the development and test phases to the public and/or had plans to make additional information of the project. When the application moved to production available. mode, the city acquired the additional service needed from Amazon through GTSI and the U.S. Communities Government These efforts, while significant and important, created less Purchasing Alliance, a non-profit cooperative that aggregates value for open government because datasets were scattered, the purchasing power of over 44,000 participating agencies. inconsistently formatted, presented in machine-readable formats, out of date, and limited to one record at a time. Organizational and staffing impacts have also been kept to a minimum. City of Houston IT staff developed the storm water In passing the measure in May 2011, the Board gave drainage charge application system. The decision to host fresh government-wide impetus to improve dramatically on the application in the cloud had no impact on current data information-sharing efforts that were otherwise uneven, center operations or personnel. Rather, the hand-off between disjointed, and downright unusable for County residents. application developers and service operators has gone smoothly, and, because the application is now in operation, city officials only need monitor its use and budget accordingly. The Challenge and the Solution

The pressure was on. The new ordinance required that the web site be operational within 90 days. The County working group debated whether to build an open data portal based Cook County Taps Cloud to on open government standards, or to use a hosted solution. Planners opted not to reinvent the wheel or slow the wheels Float powerful Idea: openness of progress. Since the County had already partnered with the State of Illinois and the City of Chicago on open government Contact: Greg Wass initiatives, the fact that both of those organizations had Email: [email protected] embraced the Socrata data portal solution, and given the lack of County staff familiarity with a possible alternative, the CKAN open source data portal software, the County entered into an Abstract agreement with Socrata to host the County’s open government website. The Cook County, IL Board passed the Cook County Open Government Ordinance (11-O-54) to establish and implement The Socrata platform has a number of prebuilt tools that an Open Government Plan to promote transparency, provide much of the functionality required by open data accountability, collaboration and public participation. To standards and principles in general, and the Cook County provide this information in a consistent, cost-effective ordinance in particular. For example, the platform provides manner, the ordinance mandated that a single web site be an opportunity for users to publicly comment on individual constructed. The ordinance mandated that the web site be datasets using the “discuss” feature. It allows users to established within 90 days. contact the dataset owner with questions or comments, or to

TechAmerica Foundation I SLG Cloud Commission 33 Refreshing advice.

www.deloitte.com

As used in this document, “Deloitte” means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP, and Deloitte Financial Advisory Services LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited APPENDIX I suggest new dataset ideas. Social media (Facebook, Twitter) Customer Profile and email can be used to share a dataset or particular view with others. And the site provides a ranking feature so that Castle Rock, Colorado has been exploring ways to reduce datasets can be ranked by popularity (most viewed). IT costs and move applications off premise for a number of years. In 2009, when a new Finance Director updated their The deployment was completed within the three month legacy financial systems with something more contemporary schedule. Following the initial deployment of the County open to run payroll, budgeting, accounts payable/receivable, data portal, the County has continued to populate the portal reporting, and the like, Castle Rock embarked on its first with additional data. The open data site is currently populated major migration to an off-premise hosted vendor solution. with information from more than 40 County government departments and includes more than 75 data sets that reflect Castle Rock was one of the first customers to migrate to the most up-to-date information. the SunGard vendor’s shared infrastructure in their early steps to the cloud, and they gained significantly more finance functionality while cutting their IT support costs in half. Results and Benefits The savings were then re-invested to expand their Internet bandwidth so they could further migrate to other hosted or The Cook County open data website was launched on-time and cloud-based solutions going forward. it has been a reliable platform for the County to deliver data to citizens and for potential use by entrepreneurs developing applications. The shared platform with the State of Illinois The Challenge and the Solution and the City of Chicago keeps costs down and promotes consistent approaches for data sharing. Because of their small IT team and limited budget, Castle Rock seeks to strategically access cloud-based IT The County’s experience with its open data portal suggests solutions offered through larger jurisdictions in Colorado that there is substantial potential for having regional data and commercial Software as a Service solutions whenever platforms to host data from multiple political entities. While possible. some important work will still be necessary to validate the consistency of the data models, the hosted SaaS approach For example, their plans include moving common services allows new organizations and data sets to be brought online like credit card processing into the Statewide Internet Portal in a rapid and consistent fashion. Another consideration to Authority (SIPA) Portal, which is the state’s central hub for be addressed in the future is that other data (e.g., social delivery of e-Government services including Collaboration, services or homeland security data) will require increased Office Productivity, Email and more. security solutions. They use the Intuit QuickBase database Software as a Service for surety management and tracking of funds and plans for the construction of roads and sewage capacity to support new developments. Cloud Helps municipality They also access sister city Aurora’s COPLINK software in the Do more with Less cloud for comprehensive information sharing and collaboration among local, regional, state and national law enforcement and public safety agencies. Finally, they use the Innotas cloud Contact: Kevin Capp, Chief Technology Officer solution for project portfolio management of enterprise IT Email: [email protected] projects.

Abstract They are most recently investigating the replacement of desktops with tablets and VDI (virtual desktop) software in With a population of nearly 50,000 that has seen rapid the cloud, to mobilize their workforce more cost-effectively. growth in the last 15 years, the municipality of Castle Rock, Their goal is to eliminate the need to replace all desktops Colorado is sourcing more applications to the cloud to deliver every five years, which would free up a significant part of their a wide range of government services across public safety, infrastructure budget to invest in new applications for services utilities, GIS-mapping, IT operations and finance, mobility for innovation instead. the workforce and much more — innovating with an IT budget which is less than 2% of the town’s overall spend.

TechAmerica Foundation I SLG Cloud Commission 35 STATE & LOCAL IT TRANSFORMED Serve citizens and drive down costs. Transform IT with EMC.

EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2012 EMC Corporation. All rights reserved. 70039 APPENDIX I

Additional Abstracts

IlliniCloud: Community Cloud for Education Offering Property Tax Management Software as a Service for Both SaaS and IaaS Services Pueblo County, Colorado

Abstract: Amidst shrinking IT budgets, the IlliniCloud offers a Unable to afford a more expensive upgrade of property benchmark for how the State of Illinois can more affordably management software, Pueblo County spearheaded the provide student information systems, ERP applications, email creation of a Software as a Service model to deliver and even disaster recovery via a pool of software, hardware, multi-county access to property assessment and taxation services, and support that is shared across 150 K-12 school applications, with integrated GIS data warehouse, and web- districts. Launched as a non-profit consortium, IlliniCloud based information access for citizen queries. started at the grassroots level in one school district, and its adoption across many districts grew quickly because of its Not only are the seven participating counties saving on shared attractive cloud economics and cross-agency collaboration IT costs, but they now have access to more sophisticated model. functionality, like customized online parcel viewing, which was previously unaffordable for the smaller counties.

ITSM SaaS: Shared IT Services Cloud for the State of Montana Email and Collaboration Software as a Service for the “Best Run” State of Wyoming Abstract: The State of Montana is migrating its heavily customized central service desk operations and ITSM The State of Wyoming migrated all 10,000 state employees processes to a more industry standard SaaS cloud system to an email and collaboration solution in the cloud. The to achieve cost savings, conserve technical staff time, and consolidation will save the state $1M annually and is expand service delivery to a larger customer base. Montana providing all employees with modern, easy-to-use technologies requires an ITIL compliant system that supports more than a that enable them to collaborate anytime, anywhere and dozen ITIL processes for the state’s aggressive ITSM program. with any device. More than just a shift in email, the ability to collaborate in real time has made the employees more efficient and, according to Wyoming CIO Flint Waters as quoted e-Childcare Platform as a Service for the in Government Technology “given them a much greater toolset State of Oklahoma with which they can invest in themselves.”

Abstract: Oklahoma’s Department of Health and Human Services (OKDHS) needed to improve its subsidized childcare system with streamlined payment processing and better tracking. OKDHS contracted with a cloud hosting vendor to develop the e-Childcare Platform as a Service solution, which was built on the existing Electronic Payment Processing and Information Control (EPPIC) Software as a Service. The e-Childcare solution permits parents to check their children in and out of daycare with a convenient card. Account tracking and payments are automatic with no claims processing, and OKDHS re-invests the savings into additional children’s services.

TechAmerica Foundation I SLG Cloud Commission 37 No doubt cloud’s promise is appealing. Wary about the return on investments, risks and governance? Let HP experience guide you to cost effective, secure technology solutions. Learn how HP can assist you. hp.com/government/cloud Appendix II Follow Up Links and Resources

10 Things To Consider When Purchasing Cloud Computing How Do You Choose a Hypervisor? Andrew Buss Infrastructure www.theregister.co.uk/2010/08/26/server_management_ www.blog.gogrid.com/2011/02/28/10-things-to-consider-when- hypervisor_choice purchasing-cloud-computing-infrastructure Planning for Cloud 2.0 How Cloud Infrastructure-As-A-Service Will 2011 State CIO Survey, TechAmerica Change for the Better, Galen Schreck, June 22, 2011 www.techamerica.org/2011-state-cio-survey Securing Government Network Access While Reducing Costs in a Accelerate Cloud Performance with WAN Optimization, Jon Olstik, Post-9/11 World August 2010 www.wyse.com/sites/default/files/resources/whitepapers/ www.riverbed.com/us/assets/media/documents/analyst_reports/ Wyse-Government-WhitePaper.pdf AnalystReport-Riverbed-ESG-Riverbed-Accelerating-Cloud.pdf Selecting a Hypervisor Building a Solid Cloud Adoption Strategy: Success by Design, Drue www.docs.openstack.org/cactus/openstack-compute/admin/ content/selecting-a-hypervisor.html Reeves, Gartner Technical Professional Advice, 19 May 2010 Capitals in the Clouds Part III — Recommendations for Mitigating Six Best Practices for Gaining End-user Adoption of New Technology Risks: Jurisdictional, Contracting and Service Levels, December 2011 www.youtube.com/watch?v=Q7y5c8Xgbms www.nascio.org/publications Six Tips to Supercharge Your Cloud Deployment, Hamish McGovern Challenging Security Requirements for US Government Cloud www.netapp.com/us/communities/tech-ontap/tot-supercharge- cloud-computing-0909.html Computing Adoption (Draft), NIST www.collaborate.nist.gov/twiki-cloud-computing/pub/ Standards Roadmap, NIST CloudComputing/CloudSecurity/NIST_Security_Requirements_for_ www.collaborate.nist.gov/twiki-cloud-computing/bin/view/ US_Government_Cloud.pdf CloudComputing/StandardsRoadmap

Choosing a Hypervisor for Cloud: KVM, David Rokita The Forrester Wave: Platform-As-A-Service For App Dev and Delivery www.hexagrid.com/blog/?p=42 Professionals, John R. Rymer and Stefan Reid, May 19, 2022

Choosing a Virtualization Hypervisor: Eight Factors to Consider, Top 10 Hypervisors: Choosing the Best Hypervisor Technology, Eric Siebert Eric Siebert www.searchservervirtualization.techtarget.com/tip/Choosing-a- www.searchservervirtualization.techtarget.com/tip/Top-10- virtualization-hypervisor-Eight-factors-to-consider hypervisors-Choosing-the-best-hypervisor-technology

Cloud Computing Reference Architecture, NIST, Liu,Tong, Mao, Understanding the Cloud Computing Stack: SaaS, PaaS, IaaS Bohn, Messina, Badger, Leaf, NIST Special Publication 500–292, www.broadcast.rackspace.com/hosting_knowledge/whitepapers/ September, 2011 Understanding-the-Cloud-Computing-Stack.pdf

Cloud Computing Use Cases, NIST US Government Cloud Computing Technology Roadmap, NIST www.collaborate.nist.gov/twiki-cloud-computing/bin/view/ www.collaborate.nist.gov/twiki-cloud-computing/pub/ CloudComputing/CloudComputingUseCases CloudComputing/Documents/DRAFT_SP_500_293_volume_II.pdf

GRC Stack an Integrated Suite of Four Initiatives Project Management Institute www.cloudsecurityalliance.org/research/initiatives/grc-stack www.pmi.org

TechAmerica Foundation I SLG Cloud Commission 39 Making the Cloud Work for You Intel is working with leading IT organizations and systems and solutions providers across the industry to make your agency’s transition to cloud computing simpler, safer, and more cost-effective. intel.com/datacenter/cloud

30.01.2012 13:10 Twist 235 Deputy Commissioners

Steve Touw David Lieber Michael Malgeri 42six Solutions Google Morphlabs

Vance raeside Graeme Finley Timothy erlin 8x8, Inc. Grant Thornton LLP nCircle brad rich Prem Jadhwani Django DeGree ACS, A Xerox Company GTSI Oracle Corporation

Matthew blanchet braden Preston richard A. “rick” Martin AT&T Harris Corporation SAIC

Nishant Jadhav Larry Schmidt rod Massey Brocade HP SAP AG

Nathaniel “Nate” rushfinn brian Patt Jen Nowell CA Technologies Infosys Public Services Symantec Corporation

Larry Wright Sarah Kremsner Dan bezilla Capgemini Government Solutions IBM TransLattice, Inc

Michael Shepherd Paul Sathis Fred Dillman Cisco Systems, Inc. Intel Unisys Corporation

Terry Casparis John Skinner Shawn Henry CGI Intel Verizon

C. Douglass “Doug” Couto David Kirk, PhD Duane Flowers Dell KPMG LLP Virtustream

Mike bourgeois Scott O. Andersen Padma rao Deloitte Consulting LLP Lockheed Martin IS&GS Wyse Technology breck DeWitt Kim Nelson EMC Corporation Microsoft

Government Advisors

Kevin Acker Gary Lambert Dugan Petty IT Operations and Business Systems Assistant Secretary for Operational Services Chief Information Officer Manager Commonwealth of Massachusetts State of Oregon State of Wisconsin Investment Board Dan Lohrmann Dr. Alan r. Shark Tom Charkut Chief Technology Officer Executive Director Software Services Manager State of Michigan Public Technology Institute City of Lakewood, Colorado Sean McSpaden Gina C. Tomlinson Adrian Farley, PMP Deputy State Chief Information Officer Chief Technology Officer Chief Technology Officer & Assistant State of Oregon Department of Technology Secretary for Enterprise Architecture & City and County of San Francisco Technology Initiatives Hugh Miller California Technology Agency Chief Technology Officer Greg Wass City of San Antonio, TX Chief Information Officer Kyle Hilmer Cook County, Illinois State Information Technology Services Jim Peterson Division Director of Technology Department of Administration Bloomington, IL School District and State of Montana IlliniCloud

TechAmerica Foundation I SLG Cloud Commission TechAmerica Foundation 601 Pennsylvania Avenue, NW North Building Suite 600 Washington, DC 20004

techamericafoundation.org