How To Choose a Public Sector Cloud: 6 Tips From The NIST

Though cloud adoption is a high priority for public sector CIOs, choosing a cloud solution for a public sector organization can be a tricky endeavor. Government and public sector CIOs face all of the familiar concerns about cloud computing—security, service outages, and reliance on third-party IT support—plus a host of concerns unique to organizations beholden to the public. Add to that the increased scrutiny applied to government contract award processes and it’s easy to see what a daunting task government CIOs are facing.

That task becomes even more complicated when CIOs consider the wide range of options available. Public or private cloud? Hybrid? Which Provider?

An agency could get by with just one cloud service provider (CSP), or could require several vendors for different purposes (e.g., infrastructure and a software-as-a-service (SaaS) CRM), depending on that agency’s user base and pre-existing IT infrastructure.

In a recent report, technology analyst house Gartner suggested that “government CIOs should begin with the assumption that public cloud is the preferred deployment option and then, if necessary, work back from public cloud to the cloud, colocation, and on-premises option that provides the best fit for their business environment.” Agencies should make cloud computing decisions with cost, value and security as their top considerations, says Gartner.

That’s straightforward advice, but it’s a bit vague. I’d hope that most public sector CIOs know that security and cost should be top considerations… So, more specifically, where do public sector and government CIOs start when looking for a cloud solution?

The folks at the National Institute of Standards and Technology (NIST) have some ideas.

The NIST is the government body responsible for guiding the adoption of cloud computing throughout the federal government, and NIST researchers are the ones who wrote the widely recognized definition of cloud computing.

Recently, in an article for Fed Tech Magazine, NIST researchers offered six tips for those in the process of choosing cloud services for public sector organizations. You can view the article in full here, or read on for the list of tips.

1. Establish a Baseline

Compare any cloud service with NIST’s definition, which spells out five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or agility, and measured service.

The government also requires security, interoperability and portability protocols to be in place before an agency or department can move forward with the adoption of cloud-based services (check out the recently published Cloud Computing Roadmap to learn more).

2. Identify Stakeholders

Remember that people play crucial roles in successful cloud adoption. Customers must develop the business and technical requirements. Procurement officials prepare the contract language and work with vendors to ensure that the proper enforcement mechanisms are in place. The IT security team should be involved too.

3. Choose Your Words Carefully

A common language and set of definitions for use by all participants is an absolute necessity. The language agreed upon in procurement is the ultimate arbiter for contract enforcement and deliverables — outlined in the 2011 “NIST Cloud Computing Reference Architecture.”

4. Compare Vendor Services

Obtain accurate comparisons of the services vendors provide. Any description of services requires verification. For instance, vendors may say that their cloud availability is 99.9 percent, but that could mean availability from 9 to 5 in your time zone, in the vendor’s time zone, or with the exception of downtime.

5. Fine-Tune the SLA

Service-level agreements inform the customer how much of a particular cloud service attribute will be delivered under the contract. Both the customer and vendor are responsible for producing a clear SLA. That requires use of the common language described in the cloud roadmap and attention to the most relevant services.

6. Devise an Exit Strategy

A critical but often ignored part of procuring cloud services is the discussion of how a customer will receive data back from the provider when a contract ends. The provider may not be able to return data in its original form or in any usable way. Have this discussion before any agreement is reached.

 

Researchers at the NIST are currently working on identifying measurable cloud service attributes “to assist in identifying key metrics for cloud services,” according to the article.


Jeff Edwards

Editor at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.