In response to recent trends in federal information management to move towards cloud computing the Intelligence and National Security Alliance convened a working group to study the mission impacts of cloud computing on the Intelligence Community (IC). The Cloud Computing Task Force collected and analyzed data through a concerted effort in which two groups conducted over 50 interviews with thought leaders and policy makers in the public and private sectors.
Cloud computing provides information technology (IT) capacity in elastic ways that can expand to meet user needs, and shrink when demand decreases. It enables far more agility in support of operational missions, and expands access to computational power while potentially reducing operations and sustainment costs. Throughout our analysis, we found that in their adoption of cloud computing, organizations had to take responsibility of new roles and functions and revise their policies and processes. Cloud computing’s primary value does not lie in being a new technology; instead, it represents a business model change whose rapid adoption is driven by the transformative nature of its integration.
Within the IC, cloud computing uniquely addresses critical defense and intelligence mission needs by locating data and applying it to the mission at hand. As a bonus, cloud computing offers DoD and IC agencies the ability to increase efficiencies and potentially realize cost savings during their lifecycles to alleviate some of the pressure of budget reductions. Still, there is a significant gap in understanding cloud computing at all levels, which could impact the success of a cloud solution deployment.
The most fundamental change that needs to occur is in the organization cultures of the IC. While in the past, federal funding has been allocated based on what information and capabilities an organization controlled, there is a vital need to change this mindset to encourage information sharing across the IC. In order to take full advantage of a cloud model, it also will be necessary to update the Federal Acquisition Regulation.
If successfully implemented and managed, cloud computing approaches and technologies can transform the IC’s computing capabilities by more efficiently and effectively enabling the majority of IC functions. As cloud computing innovations are adopted, we expect to see improvements in security and IT efficiency, but only if end-to-end requirements, designs and architectures are carefully considered. The IC must pilot new ways of partnering across government, academia and industry to ensure continuous and productive cooperation.
Based on information collected from nearly 50 interviews, the Cloud Computing Task Force drew the following conclusions:
- Decision makers in the IC are appropriately focusing on the business model implications of cloud computing. Cloud computing is not just a new technology, but a significant shift in the consumption of IT resources and allocation of IT funding.
- Within the IC, the decision to adopt a cloud model is focused on mission enablement and must be determined on a case-by-case basis. The evaluation of cost savings must bear I mind costs over the complete lifecycle, rather than a periodic budget cycle.
- Information security can be enhanced through a cloud computing approach, but only when it is built into the model’s design. If security is not part of the design, cloud computing architectures dramatically increase risk.
- The type of cloud deployment model adopted will be determined by the sensitivity of the data hosted.
- Those looking to migrate to the cloud must consider impacts on organizational culture.
- Improvements to how agencies acquire services, software and hardware are strongly desired by most personnel involved in the implementation of cloud computing, and many believe that the adoption of a cloud solution may catalyze these changes.
- As standards for cloud computing emerge, thoughtful federal input can contribute to greater security and cost efficiencies. Any organization contemplating adopting a cloud architecture, including those within the IC, should include the ability to support multiple standards.
- Lessons learned from the IT industry, the private sector and academia must inform IC decision making. Sharing lessons learned is essential to reducing risk.