by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : January and February 2017
PHOTOCREDITHERE CLOUD for having vague or incomplete SLAs, it’s important to hold a vendor account- able by documenting meaningful per- formance measures that are driven by an IT organization’s key performance indicators. Federal agencies are ex- pected to have project- and application- specific SLAs, as detailed by a Gov- ernment Accountability Office report covering essential practices for cloud computing. GAO specified 10 key practices to be included in an SLA (see “10 guidelines for cloud SLAs,” Page 21), which in- clude “identifying the roles and respon- sibilities of major stakeholders, defining performance objectives and specifying security metrics. The key practices, if properly implemented, can help agen- cies ensure services are performed ef- fectively, efficiently and securely.” After examining 21 cloud service contracts at five agencies, GAO audi- tors found that only seven fulfilled all 10 of the guidelines. Jamie Tischart, McAfee’s CTO for cloud and security as a service, de- tailed a set of questions cloud buyers should ask that echoed many of GAO’s guidelines. Essentially, he said being a wise cloud consumer requires devel- oping a sophisticated understanding of a vendor’s operational and security policies and controls. That understand- ing comes from studying the available documentation and service agreements and asking the right questions when those resources fail to provide enough detail. A HOLISTIC APPROACH TO INNOVATION With cloud migrations, government IT organizations should avoid reinventing the wheel. Exploiting the expertise of cloud pioneers and other resources can dramatically simplify migration plan- ning. For federal agencies especially, there are now communities of interest around FedRAMP, the Trusted Internet Connections mandate and the Data Center Optimization Initiative. Agencies should also draw on exist- ing standards and guidelines. As the GPO IG’s audit points out, the federal CIO Council and the Chief Acquisi- tion Officers Council have published best practices for acquiring IT services. Their joint report, “Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service,” includes guidelines for selecting cloud services, writing contracts and SLAs, delineating responsibilities between providers and agencies, and establishing standards for security, privacy, e-discovery and Freedom of Information Act requests. However, agencies at all levels of government should take care not to in- terpret government standards too liber- ally and extend them to situations and technologies they couldn’t anticipate. “The government IT landscape is made up of policies and accreditations that keep it locked in the past,” Hudzi- ak said. “Many of these standards were created years ago when things were very different — not just the technol- ogy, but entire development processes and languages, as well as how we lever- age modern solutions like virtual ma- chines and containerization.” Standards and frameworks like FedRAMP are a step in the right direc- tion, he added, “but for government to move to the cloud, the notion of inno- vation needs to be holistic, and regula- tions need to keep up with the technol- ogy developments.” Again, leave the big bang to physics because starting too large is a common mistake. Cloud migration is a journey that should begin with small, relatively low-risk applications and data, and add more complex systems as agencies gain experience and refine their governance processes. Other tips for planning a cloud mi- gration include: • Don’t underestimate the costs in- volved. As a Congressional Research Service report on the Federal Cloud Computing Strategy points out, “If a user needs to move resources such as data from its own local facilities to those of the cloud provider, there will be a cost for such migration. That cost will depend on several factors, such as the size of the resources being moved, the method by which they are moved and whether the resources will need to be modified. Such costs are also a consideration with respect to a poten- tial move from one cloud provider to another.” • Analyze resource use to manage costs. Have a complete cost model that accurately reflects service use and that can be used to lower spending by op- portunistically using discounts for re- served instances (for steady-state work- loads) and spot instances (for batch or asynchronous workloads that aren’t time-critical). • Make sure you have adequate staff- ing for migration projects. Plan for training in cloud technologies, and don’t assume IT employees can quickly transfer existing skills and expertise to the cloud as their roles change from op- erations and administration to systems integration and capacity management. • Think about automation and or- chestration upfront, before doing the first application migrations. Tools such as Amazon Web Services’ CloudForma- tion and OpsWorks, Microsoft’s Azure templates and third-party software such as Ansible, Chef, Puppet and Salt can streamline migration tasks, main- tain consistency and reduce ongoing operations overhead. • Don’t put cloud deployments on autopilot. Define cloud-specific man- agement processes and associated tools and assign employees to actively moni- tor cloud deployments, resource use and application performance. • When using the cloud for disaster re- covery or continuity of operations, en- sure that plans rely on multiple cloud services or independent regions at the same provider. You do not want a primary and backup site taken out by the same infrastructure failure. • 22 GCN JANUARY/FEBRUARY 2017 • GCN.COM 0217gcn_018-022.indd 22 2/1/17 3:07 PM
October and November 2016