Post summary: We’re not ready yet culturally.
What spurred this blog post into being is this announcement from ServerVault and Apptis about a Federal Computing Cloud. I think it’s a pretty ballsy move, and I’ll be watching to see if it works out.
Disclaimer: at one time I managed security for something similar in a managed services world, only it was built per account, with everything being a one-off. And yeah, we didn't start our organization the right way, so we had a ton of legacy concepts that we could never shake off, most of them from our commercial background and ways of doing things.
[Photo: "Current Theory on Cloud Computing", by cote]
The way you make money in the managed services world is through standardization and economies of scale. To us mere mortals, that means the following:
- Standardized OS builds
- Shared services where it makes sense
- Shared services as the option of choice
- Split your people’s time between clients
- Up-charge for non-standard configurations
- Refuse one-off configurations on a case-by-case basis
The last 2 were our downfall. Always eager to please our clients, our senior leadership would agree to whatever one-offs they felt were necessary for client relationship purposes, without regard to the increased cost and inefficiency when it came time to implement them.
Now, for those of you out in the non-Government world, let me bring you to the conundrum of the managed services world: shared services only work in limited amounts. Yes, you can manage your infrastructure better than the Government does, but they still won't like most of it because, culturally, they expect a custom-built solution that they own. Yes, it's as simple as managing the client's expectations of ownership versus their cost savings, and I don't think we're over that hurdle yet.
And this is the reason: when it comes to security and cloud computing, your solution is only as technically literate as your auditors are. If they don't understand what the solution is and what the controls around it are, you do not have a viable solution for the public sector.
A “long time ago” (9000 years at least), I created the 2 golden rules for shared infrastructure:
- One customer cannot see another customer.
- One customer cannot affect another customer’s level of service.
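The two golden rules are design constraints, so here is what they look like when a shared service actually enforces them. This is an added example written for this edit, not code from the original post or from ServerVault or Apptis. The tenant names, quota numbers and record layout are assumptions; the point is the two mechanisms: the tenant comes from the authenticated session (never from the request) and is part of every storage key, so there is no query path to another customer's data and a missing record looks the same as another tenant's record; and each tenant has its own request budget (a token bucket), so a noisy tenant is throttled instead of degrading its neighbour's level of service.

```python
"""Added example (not from the original post): a minimal multi-tenant store
that enforces the post's two golden rules for shared infrastructure.

Rule 1: one customer cannot see another customer.
Rule 2: one customer cannot affect another customer's level of service.
Tenant names, quotas and the record layout below are assumptions.
"""
from typing import Dict, Tuple


class TenantIsolationError(PermissionError):
    """Raised when a request would cross a tenant boundary."""


class QuotaExceeded(RuntimeError):
    """Raised when a tenant has used up its own request budget."""


class TokenBucket:
    """Per-tenant budget: `capacity` tokens, refilled at `rate` tokens/second."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = capacity, 0.0

    def take(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at capacity, then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SharedStore:
    def __init__(self, quotas: Dict[str, Tuple[float, float]]) -> None:
        # Records are keyed by (tenant, record_id): the tenant is part of the key,
        # so no lookup can return another tenant's row (rule 1).
        self._records: Dict[Tuple[str, str], dict] = {}
        # One bucket per tenant, sized independently (rule 2).
        self._buckets = {t: TokenBucket(cap, rate) for t, (cap, rate) in quotas.items()}

    def _admit(self, tenant: str, now: float) -> None:
        bucket = self._buckets.get(tenant)
        if bucket is None:
            raise TenantIsolationError(f"unknown tenant {tenant!r}")
        if not bucket.take(now):
            raise QuotaExceeded(f"tenant {tenant!r} is over its own quota")

    def put(self, session_tenant: str, record_id: str, data: dict, now: float = 0.0) -> None:
        self._admit(session_tenant, now)
        self._records[(session_tenant, record_id)] = dict(data)

    def get(self, session_tenant: str, record_id: str, now: float = 0.0) -> dict:
        """The tenant comes from the authenticated session, not from the request,
        so a caller cannot ask for another tenant's record by editing a parameter."""
        self._admit(session_tenant, now)
        try:
            return dict(self._records[(session_tenant, record_id)])
        except KeyError:
            # Same error whether the id is absent or belongs to someone else:
            # the existence of another tenant's record must not be observable.
            raise TenantIsolationError(f"no record {record_id!r} for tenant {session_tenant!r}")


def demo() -> dict:
    """Exercise both rules on constructed data; returns what a test can check."""
    store = SharedStore(quotas={"agency-a": (3, 1.0), "agency-b": (3, 1.0)})
    store.put("agency-a", "r1", {"classification": "internal", "owner": "agency-a"})

    # Rule 1: agency-b asking for the same record id sees nothing, not even "exists".
    try:
        store.get("agency-b", "r1")
        cross_tenant_read_blocked = False
    except TenantIsolationError:
        cross_tenant_read_blocked = True

    # Rule 2: agency-a burns through its budget (the put cost 1 of 3 tokens, two
    # reads spend the rest); the third read is refused, agency-b is untouched.
    store.get("agency-a", "r1", now=0.0)
    store.get("agency-a", "r1", now=0.0)
    try:
        store.get("agency-a", "r1", now=0.0)
        noisy_tenant_throttled = False
    except QuotaExceeded:
        noisy_tenant_throttled = True
    neighbour_still_served = store._buckets["agency-b"].take(0.0)

    # One second later the refill (1 token/s) lets agency-a proceed again.
    recovered = store.get("agency-a", "r1", now=1.0)["owner"] == "agency-a"

    return {
        "cross_tenant_read_blocked": cross_tenant_read_blocked,
        "noisy_tenant_throttled": noisy_tenant_throttled,
        "neighbour_still_served": neighbour_still_served,
        "recovered_after_refill": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that isolation is structural rather than a check bolted onto each query: the session tenant is baked into the key and the bucket, so a forgotten authorization check or a client-supplied tenant parameter has nothing to bypass.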
And the side-rules for shared infrastructure in the public sector:
- We have a huge set of common controls, and you get the documentation for them. It will have my name on it, but you don't have to spend the money to get it done.
- It’s to my benefit to provide you with transparency in how my cloud operates because otherwise, my solution is invalidated by the auditors.
- Come to us to design a solution; it's cheaper for you that way. I know how to do it effectively and more cheaply because it's my business to know the economics of my cloud.
- You have to give up control in some ways in order to get cost savings.
- There is a line beyond which you cannot change or view anything, because of the 2 golden rules. The only exception is that I will tell you how it's built, but you can't see any of the data that goes into my infrastructure.
- If I let you audit my infrastructure, you’ll want to make changes, which can’t happen because of the 2 golden rules.
- I’ll be very careful where I put your data because if your mission data spills into my infrastructure, I put myself at extreme risk.
So, are ServerVault and Apptis able to win in their cloud computing venture? Honestly, I don’t know. I do think that when somebody finally figures out how to do cloud computing with the Federal Government, it will pay off nicely.
I think Apptis might be spreading themselves fairly thin at this point; rumor has it they were having some problems last year. I think ServerVault is in their comfort space and didn't have to do too much for this service offering.
I can't help but think that there's something missing in all of this, and that something is a partnership with a sponsoring agency on a Line of Business. FEA comes to mind.
Posted in What Doesn't Work, What Works
Tags: auditor • catalogofcontrols • cloudcomputing • compliance • datacentric • fisma • government • infosec • management • risk • scalability • security