The Economic Benefit of Cloud Computing

Cloud computing, as defined by the National Institute of Standards and Technology, is a model for enabling “… convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST is implying the economies of scale that go with cloud computing when it refers to a pool of configurable computing resources.

Cloud computing is often referred to as a technology. However, it is actually a significant shift in the business and economic models for provisioning and consuming information technology (IT) that can lead to significant cost savings. These cost savings can only be realized through significant pooling of these “configurable computing resources” (from the NIST definition of cloud computing), or resource pooling. According to NIST, this capability is an essential characteristic of cloud computing. Resource pooling is the ability of a cloud to serve multiple customers using a multi-tenant model with different physical and virtual resources dynamically assigned and reassigned according to demand.

Cloud computing economics depends on four customer population metrics:
1.    Number of Unique Customer Sets (n)
2.    Customer Set Duty Cycles (λ,f)
3.    Relative Duty Cycle Displacement (t)
4.    Customer Set Load (L)

These metrics drive the cloud provider’s ability to use the minimum amount of physical IT resources to service a maximum level of IT resource demand. Properly balancing these factors across a well characterized user group can lead to approximately 30-percent savings in IT resources, and enables the near real-time modification of the underlying physical infrastructure required for the delivery of the desired illusion of infinite resources synonymous with a cloud computing user’s experience.

When implemented properly, the cloud computing economic model can drastically reduce the operations and maintenance cost of IT infrastructures. A 2009 Booz Allen Hamilton (BAH) study concluded that a cloud computing approach could save 50 to 67 percent of the lifecycle cost for a 1,000-server deployment. Another Deloitte study confirmed that cloud deployments delivered greater investment returns with a shorter payback period when compared to the traditional on-premise delivery option.

In considering cloud computing for the Intelligence Community, security is an obvious concern. Given the legal and operational concerns, classified information should always be processed in properly protected and certified IC private or community clouds. If a secure cloud model can be designed, economic savings can certainly be realized.

When used to process unclassified information, sharing cloud computing resources can nominally provide the operational advantages of a private cloud with a cost closer to that of a public cloud due to the expected economies of scale from combined user communities.

The federal government is currently deploying a federal community cloud. Officially referred to as the General Services Administration Infrastructure as a Service Blanket Purchase Agreement (GSA IaaS; item #4 in the White House CIO’s “25 Point Implementation Plan to Reform Federal Information Technology Management”), this Government Wide Acquisition Contract vehicle is designed to implement a community cloud economic model to support the federal government. The Office of Management and Budget expects this community to provide approximately $20 billion in cloud computing services to a community made up of more than 25 agencies.

Using the BAH study as a guide, and assuming that community cloud economies mimic those expected from a hybrid cloud, transitioning IT services from an agency-owned IT infrastructure to the GSA IaaS platform should deliver benefit cost ratios of approximately 7:1.

Cloud computing provides some strong benefits and economic incentives. Selecting a public, private, hybrid or community cloud implementation will depend on a customer’s specific application, performance, security and compliance requirements. Proper deployment can provide significant savings, better IT services and a higher level of reliability.

1.    Lower Costs
2.    Cap-Ex Free Computing
3.    Deploy Projects Faster, Foster Innovation
4.    Scale as Needed
5.    Lower Maintenance Costs
6.    Resiliency and Redundancy

Implementation of Cloud Computing Solutions in Federal Agencies

Cloud computing is a game changer. The value of the new approach of cloud computing to provisioning and consuming information technology lies within its ability to enable more efficient and effective information sharing. Its merit is not just in cost savings, but in mission and business enhancements and improved allocation of resources. Its characteristics dramatically transform not only how an information technology infrastructure is managed, but also the traditional roles of enterprise IT professionals, which shift to a more service management orientation—as they become responsible for helping their internal customers better use the externally provided IT services. Building a cloud computing roadmap is essential to unlocking the value of the cloud in a predictable fashion with acceptable risk. This paper outlines the essential steps to constructing a solid cloud computing roadmap.

As a young approach, cloud computing is not without its challenges. With few established tools, procedures and formats, potential risks exist. Primary challenges exist in security controls—particularly related to the protection of sensitive data—lack of federal regulations and compliance standards, and data sovereignty.

The benefits of cloud computing are recognized by the federal government, including the defense and intelligence communities. Dialogue on cloud computing has been ongoing within the government for years, but agencies are still in the early stages of implementing and adopting this new IT approach. The Obama administration has publicly identified cloud computing as a viable solution to help cut the federal budget. The administration adopted a “cloud-first policy” as part of its 25-point IT reform plan, which mandates all federal agencies to develop and implement one cloud-based solution by December 2011 and three such solutions by June 2012. For the federal government, the evolution to the cloud is not something to consider in the future—it is something to put into operation today.

The government can learn many lessons from the private sector pertaining to the implementation of cloud computing solutions, as the private sector embarked on the journey to the cloud some time ago. These valuable lessons include the need to expect a multi-year transition to the cloud, use a consistent cloud opportunity identification process to reduce the risk of project failure and formulate appropriate metrics (economic, operational and service) that are directly tied to mission. Use of a gate-driven cloud adoption process designed to terminate failed projects early in the project lifecycle and deliver measurable capabilities within a quick timeframe is recommended.

The defense and intelligence communities require utility computing methods that scale on demand and enable self-discovery and self-service access to secure, timely and relevant information in support of mission. Designing software independence from the hardware through the use of cloud computing solutions allows an operating system, applications and data to “live” across the enterprise and is fundamental to the transformation of compute, storage and network functionality.

Facing an estimated $178 billion in budget cuts during the next several years, the Department of Defense is exploring a number of administrative and structural cost-cutting measures—and IT is one of the first areas for consideration. Defense Secretary Robert Gates recently stated that the agency is reviewing how to reform how it currently uses IT, which costs the agency approximately $37 billion annually. DoD is in the process of consolidating hundreds of data centers and utilizing cloud computing in this shift, and the fact that the defense community is beginning to explore cloud computing through various smaller-scale projects is promising to proponents.

For intelligence professionals, the use of cloud computing can not only make the automation of the interpretation of documents and translation of data into operationally relevant entities and events possible, but it enables real-time continuous processing of the now digital document flow of our adversaries. This commodity also removes the human from this tedious task, allowing intelligence professionals to apply higher order professional analysis and insight.

The human-based documentation exploitation process has led to a reliance on “operationally proven” processes and filters. Instantiated by the use of multi-page structured query language (e.g., Boolean) and the ubiquitous goal of obtaining an appropriate “working set” of data, these processes were born from the need to meet critical decision timelines within a computationally inadequate environment. Cloud techniques and technologies can now be used to work on all the data. And with an ability to leverage the power of a supercomputer at will, the working set requirement is now an anachronism and critical decision timelines can now be more easily met.

Cloud computing can uniquely address important issues associated with mission support—particularly related to its ability to remove information silos among various organizations that have joined forces on the same mission. Moving IT operations to the cloud assists in enhanced collaboration to meet mission needs. It is critical to our national defense. As a bonus, cloud computing also can improve IT enterprise efficiencies and incur marked cost savings during project lifecycles to alleviate some of the pressure of budget reductions for the defense and intelligence agencies.

Cloud Computing: Risks, Benefits and Mission Enhancement for the Intelligence Community

In response to recent trends in federal information management to move towards cloud computing, the Intelligence and National Security Alliance convened a working group to study the mission impacts of cloud computing on the Intelligence Community (IC). The Cloud Computing Task Force collected and analyzed data through a concerted effort in which two groups conducted over 50 interviews with thought leaders and policy makers in the public and private sectors.

Cloud computing provides information technology (IT) capacity in elastic ways that can expand to meet user needs, and shrink when demand decreases. It enables far more agility in support of operational missions, and expands access to computational power while potentially reducing operations and sustainment costs. Throughout our analysis, we found that in their adoption of cloud computing, organizations had to take responsibility for new roles and functions and revise their policies and processes. Cloud computing’s primary value does not lie in being a new technology; instead, it represents a business model change whose rapid adoption is driven by the transformative nature of its integration.

Within the IC, cloud computing uniquely addresses critical defense and intelligence mission needs by locating data and applying it to the mission at hand. As a bonus, cloud computing offers DoD and IC agencies the ability to increase efficiencies and potentially realize cost savings during their lifecycles to alleviate some of the pressure of budget reductions. Still, there is a significant gap in understanding cloud computing at all levels, which could impact the success of a cloud solution deployment.

The most fundamental change that needs to occur is in the organizational cultures of the IC. While in the past federal funding has been allocated based on what information and capabilities an organization controlled, there is a vital need to change this mindset to encourage information sharing across the IC. In order to take full advantage of a cloud model, it also will be necessary to update the Federal Acquisition Regulation.

If successfully implemented and managed, cloud computing approaches and technologies can transform the IC’s computing capabilities by more efficiently and effectively enabling the majority of IC functions. As cloud computing innovations are adopted, we expect to see improvements in security and IT efficiency, but only if end-to-end requirements, designs and architectures are carefully considered. The IC must pilot new ways of partnering across government, academia and industry to ensure continuous and productive cooperation.

Based on information collected from nearly 50 interviews, the Cloud Computing Task Force drew the following conclusions:

  1. Decision makers in the IC are appropriately focusing on the business model implications of cloud computing. Cloud computing is not just a new technology, but a significant shift in the consumption of IT resources and allocation of IT funding.
  2. Within the IC, the decision to adopt a cloud model is focused on mission enablement and must be determined on a case-by-case basis. The evaluation of cost savings must bear in mind costs over the complete lifecycle, rather than a periodic budget cycle.
  3. Information security can be enhanced through a cloud computing approach, but only when it is built into the model’s design. If security is not part of the design, cloud computing architectures dramatically increase risk.
  4. The type of cloud deployment model adopted will be determined by the sensitivity of the data hosted.
  5. Those looking to migrate to the cloud must consider impacts on organizational culture.
  6. Improvements to how agencies acquire services, software and hardware are strongly desired by most personnel involved in the implementation of cloud computing, and many believe that the adoption of a cloud solution may catalyze these changes.
  7. As standards for cloud computing emerge, thoughtful federal input can contribute to greater security and cost efficiencies. Any organization contemplating adopting a cloud architecture, including those within the IC, should include the ability to support multiple standards.
  8. Lessons learned from the IT industry, the private sector and academia must inform IC decision making. Sharing lessons learned is essential to reducing risk.

IPv6: Essential Background, Business Value and Best Practices for Implementation

The entire Internet protocol version four address space provides approximately 4.3 billion unique IP addresses. With a current world population of more than 7 billion, that is not enough for even one IP address per person. Since individuals today use multiple methods, such as mobile phones, iPads and laptops, to access Internet content, the number of unique IP addresses required per person has increased significantly. Even more compelling, however, is the proliferation of IP addresses for ubiquitous use in mobile devices, household appliances, automobiles and sensors. Internet protocol version six (IPv6) is the next-generation protocol, designed to support the continued exponential growth in user devices, services and applications that require unique IP addresses to communicate on the Internet.

This white paper is intended to help readers avoid common misconceptions associated with IPv6, identify key areas that require up-front monetary investment and determine key concepts that should be captured in an enterprise-wide strategic plan. Lastly, as one of the first to deploy an enterprise Internet protocol address management (IPAM) solution in the defense and intelligence communities, NJVC shares benefits realized from the successful deployment and provides recommendations to maximize the IPAM return on investment.

Managed Desktop Infrastructure: A Complete Virtual Desktop Infrastructure Solution

The benefits that a Virtual Desktop Infrastructure (VDI) offers an organization cannot be realized by simply building virtual machines. As with managing traditional desktops, the overall sophistication of management of the VDI environment determines the savings. NJVC has constructed a holistic VDI offer: the Managed Desktop Infrastructure (MDI)—a combination of VDI and the management of the VDI environment that enables a streamlined process for migrating and maintaining the operating system, applications and the user persona between devices in this environment. With VDI delivering the benefits of mobility, security and rapid scalability, user experience is improved.

VDI empowers end users to securely perform work whenever and wherever they are located, while allowing organizations to dynamically scale to meet new demands and capabilities. A centralized computing approach is a major change to how an organization delivers and performs business, and will require a shift to information technology as a commodity to maximize return on investment and improve business value. The NJVC VDI solution delivers a secure and scalable computing approach, while embracing the individuality that IT consumerization brings. Our tiered approach and IT automation enable the achievement of IT as a commodity—meaning simplified and standardized. VDI provides the centralized infrastructure to foster simplification and standardization by using the same resources and solutions across organizations rather than separate stovepipe solutions to solve individual business area needs. VDI provides the common infrastructure, and with the proper approach and implementation an organization can realize its full benefits.

The Importance of Cybersecurity Analytics

The current state of cybersecurity has been largely defined by two major factors—an evolving threat landscape, and the various regulations that have been put in place to combat those threats. The amount of sensitive information that is currently available has been increasing exponentially, and will probably continue to do so. The best way to combat the potential for unauthorized access to such information is to know what is going on in your information technology (IT) enterprise systems—how much data there is, how many machines there are, who is using the machines and whether or not there have been any attempts by unauthorized persons to retrieve your data or attack your system. The various types of information referred to above are known as security metrics. The more metrics you have, the better able you will be to discover system anomalies and other unusual activity before it can adversely affect your system.

Securing an entire enterprise requires careful planning and execution. The following five steps are involved in the process:
Step One: Inventory
Step Two: Assessment
Step Three: Establish security framework
Step Four: Cyber analytics
Step Five: Deployment

The ability to analyze its past and present operations allows an organization to look forward and reduce future risk—which is the main goal of cyber analytics.

Protecting Digital Health Information—Where to Start? (Part 1 of 3)

Healthcare provider organizations everywhere are evolving patient health data access and management, making personally identifiable information (PII) more digital, mobile and available. With this move comes a quantum increase in the exposure of individually identifiable information within the enterprise and across the extended value chain. The balancing act is to address the need to be agile and responsive to stakeholders, and therefore more competitive, while managing the risk of compromised security with consistently dwindling budgets.

We ask healthcare leaders, “What could someone do with your health record?” With the black market value of a patient health record at $50, or five times that of other PII, the answer is “a lot.” According to the Third Annual Benchmark Study on Patient Privacy & Data Security (Ponemon Institute, 2012), only four in 10 healthcare organizations feel that they can prevent a data breach. Breaches of PII are increasing, are frequently in the millions of records, and make billions of dollars for black marketers. Ponemon asserts that fewer than half of all health providers conduct annual security assessments. Cyber attacks on health provider organizations are increasing, and becoming harder to control, with breaches costing healthcare organizations an average of $2.4 million per year (Ponemon, 2012). This comes at a time when U.S. health providers are expecting reductions in topline revenue beginning in 2014, relying on an associated reduction in operating budgets to combat these security vulnerabilities.

Health providers understand that before they can make a diagnosis they must assess the patient. This applies equally to cyber security in health IT. From there, a health provider can set the plan to manage care with the patient and his or her caregivers. “An ounce of prevention is worth a pound of cure.” Assessing the security of the health enterprise for cyber threats and vulnerabilities can identify issues before they become overwhelming problems. Partnering with a vendor who understands managed security architectures provides a safety net that assures your stakeholders that you are protecting and securing sensitive information.

Protecting Digital Health Information — What Is at Stake? (Part 2 of 3)

As healthcare organizations transition from paper to electronic health records, an enormous opportunity exists to improve healthcare delivery through greater data transparency. For instance, cross-referencing prescriptions can identify potential drug interactions and improve patient outcomes. Such advances, however, bring along an enormous increase in the possibilities for breaches in privacy and security—particularly with unsecured end-user devices, such as smart phones. Health IT leaders must balance the needs of their stakeholders for relevant and timely information with mandated compliance requirements and the total cost of operating and sustaining their systems securely.

How do you make smart, cost-effective, and prioritized decisions that protect the security and privacy of your patients? Before you can make a prognosis, you need to assess the situation by running diagnostic tests. In the case of privacy and security, you need to determine your critical cyber security vulnerabilities, and mitigate against those attack vectors. Consider the entire enterprise as having a potential attack surface. Risk management is about quantifying that risk and minimizing the potential for harm.

In many respects, this is no different than a general practitioner providing medical advice. Many behaviors (such as smoking, overeating and lack of exercise) provide avenues through which other health issues can arise. Reducing risky behavior reduces health risks; a similar situation also exists for electronic health records.

Cyber security protects the generation, usage and storage of all electronic records, whether at rest or in transit. Applying cyber security best practices will ensure compliance with an increasingly regulated environment focused on privacy and security. As a result, the objective of enhanced healthcare through the common usage of electronic health records can in fact be achieved.

Protecting and Defending Digital Health Information—What to Do?

Protecting all forms of digital health information, including personal health information (PHI), wherever it is contained across an enterprise, is one of the fundamental objectives of every healthcare organization. As mandated by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) privacy and security rules, appropriate physical and logical safeguards must be in place to effectively enforce controls on PHI at rest, in transit or in use.

Healthcare security leaders face an immense amount of complexity in their IT infrastructures. These systems have matured over time and been integrated with countless vendor software products and hardware devices, which have resulted in a mashup of technologies and resulting system vulnerabilities. In many organizations, this has created varying silos—particularly when looking at the electronic medical record systems implemented to meet Meaningful Use Stage 1 requirements.

By commissioning a comprehensive, third-party IT security assessment, leaders can assure their stakeholders that PHI is protected. A comprehensive external assessment accepts the structure and organization in place and does not seek to alter an organization, but instead looks for enhancements to better protect the valuable electronic assets a healthcare organization produces and utilizes: patient health data.

Being compliant with HIPAA checklists is not sufficient to enable sound cyber security. HIPAA is very non-prescriptive, so organizations must implement sound practices themselves and ensure the protection of all sensitive information. Compliance and security are really two complementary components that reflect different stages of an enterprise security posture.

The lack of a data breach does not mean sufficient security protections are in place. Chief information security officers know that they cannot correlate the scanning of their systems with the vast amounts of system log data generated into a single dashboard of security intelligence. The impact of these challenges is clear: the attack surface is growing, the value of patient electronic records is increasing and the gaps in security intelligence—preventing misuse of data before an actual breach occurs—are growing larger.

Smaller organizations should not assume they are safe and will not become a target because of their size. The theft and sale of PHI for medical identity theft and financial fraud have no restrictions with regards to size. In fact, ease of unauthorized access may make smaller institutions more susceptible to an intrusion and exploitation.

Conducting a comprehensive IT security assessment provides insights into how to address any existing vulnerabilities. Performing a high-quality inventory audit, which seeks to uncover each and every connected device in a network, is the crucial first step to securing PHI. While this will certainly uncover inadequacies in the current infrastructure and procedures, IT security assessments are intended to make process changes and should not be used as a means of punishment for current IT personnel. Instead, assessments should be thought of as an opportunity to improve the overall security posture of an organization before a security breach occurs.

Raising Cybersecurity Awareness in Healthcare Professionals

Healthcare professionals should rightly be focused on providing quality healthcare services to patients. Does that mean that the industry should ignore a non-related technical topic, such as cybersecurity? Hardly, if the data breach history captured by the U.S. Department of Health and Human Services (HHS) is any indication. Data breaches are rampant and increasing in size and frequency.

A large percentage of the reported breaches can be traced back to human error. Physical security controls break down because a door is left open. Technical controls break down because a user ID or password is posted via a sticky note on a computer monitor or because account credentials are shared and the task at hand absolutely, positively needs to be done right now.

Professionals working in the healthcare industry possess a zeal for protecting the health of their patients and improving how that support is provided. No legitimate employee wants to intentionally do something to adversely impact the health of a patient.

Health IT is about promoting the use of IT to support the healthcare mission. Health IT is all about providing high-quality care more efficiently, faster and cost effectively by using software and hardware technologies that have transformed countless other industries. However, these technologies cannot be deployed without considering the potential new cyber risks introduced to an organization.

An obvious manifestation of healthcare IT is the continuing transition from paper-based records to digital health records. But it does not end there, as wireless technologies have enabled medical devices to become extended diagnostic and reporting nodes on an increasingly networked IT infrastructure that shares patient medical records, billing records, financial records, and burgeoning software applications—all accessing databases housed in common server structures.

How can this extended enterprise be protected? One approach can be extracted from the “Stop. Think. Connect.” campaign administered by the U.S. Department of Homeland Security (DHS). The intent is not to make everyone a cybersecurity expert or to unduly raise fear, uncertainty and doubt—the intent is to bring some sense of awareness of cybersecurity to the general population. The goal of this campaign is to make someone think—even for half a second—before they take action online.

Do you have a secure connection to the server where you are about to input your credit card information? Are you authorized to access the data records you are about to request? Should you post personal information online for anyone to see? Simply hesitating to consider your actions before blindly clicking on that link can help prevent obvious human errors from occurring.

The board of directors of a healthcare organization has a myriad of concerns—providing sound patient care, maintaining financial viability and leveraging IT to enhance their operations. Just like healthcare professionals run their departments, the IT infrastructure should utilize cyber security experts cognizant of the constantly evolving threats and mitigating the resultant risks to the organization. As there is never enough budget or staff to throw at a non-mission-essential, yet critical, area such as cybersecurity—how can the board cope?

Raise the cybersecurity awareness of the overall organization with role-appropriate cognizance of the consequences of individual actions and how easily one click on an inappropriate link can compromise an entire network—ultimately leading to the compromise of personal health records.

What is one effective way to overcome this challenge? Establish a cyber security awareness program.

Creating and operating a cybersecurity awareness program does not mean transforming staff into cyber engineers able to reverse engineer malware samples. Instead, the intent, like the DHS “Stop. Think. Connect.” campaign, is to have individuals realize that they play key roles in protecting the digital health of patients—just as they play direct roles in protecting the physical health of patients.