“If at first you don’t succeed, try, try again.” This appears to be the new motto of the Office of Management and Budget (OMB), which recently announced a new cloud initiative titled “Cloud Smart.” This follows on the heels of a marginally successful attempt called “Cloud First” several years ago. If OMB wants to successfully move agencies to the cloud, a quantum leap in philosophy is needed this time. With “Cloud Smart,” OMB cannot do the same thing over again and expect the results it wants.
Federal agencies have struggled to adopt modern, cloud-based computing architectures for a decade or more. A multitude of CIOs have created strategies, spoken about plans and developed roadmaps to “get to the cloud” to lower the tremendous IT spend governmentwide. With estimates of an IT spend of more than $90 billion annually, with 75 percent of that just keeping the lights on, there is unanimous agreement that something must be done to lower the costs.
Within each agency and department, there hasn’t been a lack of effort to reduce costs; however, the very elements of government that make it secure and reliable (in most cases) also make it incredibly slow to change and pivot to adopt new and emerging technologies that are rapidly changing the information technology and operational technology landscapes in the private sector.
Agencies struggle to overcome institutional rigor mortis. The federal government has developed an iron clad series of security controls and operational requirements that were designed, tested and have been in use to help CIOs and CISOs understand, manage and defend incredibly complex heterogeneous environments. These architectures were designed around a philosophy of application management to avoid vendor lock-in. This philosophy, along with the type of architectural complexity resulting from focusing on applications individually, drives behaviors and techniques that are absolutely required and in use in almost all federally hosted computing environments today.
However; this is not the type of philosophy or environment that exists in the commercial clouds that are operating in the private sector today. Today’s commercial cloud service providers (CSPs) operate in a very platform-centric environment that allows for rapid technology adoption and transparent controls. CSPs are aware of all the assets that make up their computing environment and then they offer the benefit of shared costs by hosting customers at either the Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) levels. Very few still offer Infrastructure-as-a-Service (IaaS) as the cost-benefit of IaaS over on-premise deployments are minimal.
Private sector customers purchase subscriptions from CSPs for either PaaS to host their application suite in, or SaaS capabilities wherein they adopt industry-leading applications and configure them, and they inherit the security protocols, controls and service level agreements (SLAs) of the CSP. This allows them to avoid the costs of doing that themselves and focus only on what they are good at: the application and business management outcomes of IT applications. The result is constantly refreshed technology (by the CSP) that is covered by the subscription price and a great reduction in operating costs for the customer. This model is the dominant computing model in business today, and what OMB needs to push the government towards.
Governments (and other highly regulated industries) struggle with this new model. Because they have written the legacy processes, control requirements and mandated techniques into regulations, they are requiring CSPs to adhere to legacy controls in a modern, innovative environment to do business. This is like attempting to put a square peg into a round hole. The result is twofold: the CSPs stifle or stunt innovation and new technology insertion into the regulated environment and the government, even when the CSP meets the required controls, struggles to shift to the cloud provider. Why is that?
The problem lies in the nature of PaaS and SaaS offerings when an organization is moving legacy workloads into the cloud. If PaaS is the choice, then the customer (agency) must rewrite the application to meet the requirements of the host platform data model. A “lift and shift” approach rarely works and results in huge service costs to rewrite code and recreate the application in the CSP PaaS environment. In addition, the customer is responsible to certify that the application meets the security controls to operate on the CSP PaaS platform. This greatly reduces the cost-benefit of moving to the cloud to begin with.
If the choice is SaaS, the government struggles even more trying to choose applications a la cart to mimic the capabilities of the legacy environment, and let’s not forget those pesky federally mandated security controls that the applications in a CSP SaaS offering may have never been designed for.
These very daunting challenges have driven yet more innovation into the commercial CSP offerings and has shifted the landscape from PaaS and SaaS to the adoption of platform-based cloud services or “Enterprise Cloud Services.” Private sector companies have made the philosophical shift from application management to platform management.
Where many companies may have managed hundreds or thousands of individual applications in the legacy environment, they now manage four to six platforms in a SaaS offering. This allows for all the great promises of cloud computing to come into play and it is critical for the adoption of new and emerging technologies to function, such as machine learning and artificial intelligence.
The government has yet (in most cases) to make the philosophical switch from attempting to manage individual applications to managing platforms that offer fully integrated applications in suites of business lines. As a result, their attempts to move individual applications push them towards the PaaS approach of rewriting old apps onto a new platform. While this can be done, and is being done successfully, it is at great cost for services to do so. Additionally, it will be extremely difficult to apply machine learning and artificial intelligence, and other new technologies into this PaaS environment.
OMB’s new attempt to move agencies from expensive legacy on-premise deployments into the cloud should be commended. But without a philosophical leap to platform management in the SaaS subscription model, the desired outcomes will never be achieved.
Bob Osborn is ServiceNow CTO and former U.S. Transportation Comman CIO.