One year after Cloud First, federal agencies are embracing the cloud. But they want it to be safer and more transparent. Above all, they don’t want to be locked into just one kind of cloud or a nothing-but-cloud approach.

That’s what we found in an exclusive survey conducted for SafeGov.org by the Ponemon Institute. The survey found that federal managers are working diligently to comply with the Office of Management and Budget’s Cloud First initiative, but are not yet convinced cloud applications are safe enough or will lead to significant cost savings.

________________________________________________
This article originally appeared on Safegov. The study was completed in September 2011 and released earlier this month. For more news and insights on innovations at work in government, please sign up for the AOL Gov newsletter. For the quickest updates, follow us on Twitter @AOLgov.
_________________________________________________

Federal IT managers in particular have a greater awareness of cloud’s risks than their non-IT counterparts and are sometimes pushing back against OMB’s aggressive migration objectives. Agency IT managers accept that many of their applications will eventually migrate to the cloud. But they believe some applications must remain on premises. They don’t want to be locked into one particular type of cloud, and they want more control over the pace of their migration to cloud.

Cloud First is an important step on the road to more cost-effective government. But to improve confidence, the lead federal agencies such as OMB and GSA should work with the user agencies and the vendors to provide greater transparency about cloud security and more credible data about the true cost of cloud services.

Among the study’s major findings:

The survey notes significant push back from federal agencies on the transition as reflected by the following migration statistics:

• 83% of respondents have fully or partially identified the first three applications they intend to migrate;
• 25% have fully migrated at least one legacy application to the cloud;
• 47% say their first migration is in progress;
• The majority of IT managers reported that the delay was due to concerns about the tight timelines imposed by Cloud First;
• 69% say the Cloud First framework is too fast;
• 71% say that pressure to move to the cloud is inadvertently creating greater security risks for their agency.

Concerns also remain high about the actual cost savings and overall security associated with cloud computing. A clear preference for using private clouds among survey respondents reflected ongoing apprehension about keeping sensitive data secure:

• 38% expect that their agency will be using a federal-only cloud in the coming year;
• 28%expect to use a broader government cloud (open to all levels of government);
• 20% expect to use a private cloud limited to their own agency;
• 73% want their servers to be physically isolated from those used by non-government customers;
• 70% want all cloud provider personnel who have access to their agency’s servers or data to pass rigorous background checks.

We know the transition to the cloud is going to happen. But this survey’s findings show that agencies are still in need of education on the cloud and how they will transition effectively. The key is for agencies to gather as much information as possible and work closely with their vendors to find the most cost-effective and secure option for their respective organizations.

Taking stock of Cloud First

In December 2010 then Federal CIO Vivek Kundra announced that the Federal government would adopt a “Cloud First” IT strategy “beginning immediately.”

The goals were compelling: replace costly, underutilized, and inflexible Federal IT systems with the same cost-efficient, easy-to-deploy, pay-as-you-go cloud solutions that are being widely adopted in the private sector. Kundra made it clear that when he said “immediately”, he meant it.

Each Federal CIO would be required to identify at least three legacy systems that could be replaced by cloud solutions. At least one of the three would have to be fully migrated within 12 months, with the remaining two to follow within 18 months. In an exhaustive 43 page document published in February 2011, Kundra justified the new policy with a detailed explanation of cloud computing’s benefits, which in his view boil down to greater efficiency, agility and innovation.

Six months after the publication of this highly influential vision statement, Kundra left government service. Although his successor, Steven VanRoekel, has not yet provided a similarly detailed statement of his own, he has indicated that he remains committed to Kundra’s cloud strategy.

As Kundra’s deadline for the first mandatory migrations of Federal applications to the cloud approaches, it is relevant to ask what the status is of Cloud First today. Are Federal agencies meeting Kundra’s aggressive timeline for completing early cloud migrations? Have Federal managers embraced Kundra’s vision of the cost savings to be gained from the cloud? Are they confident that the cloud solutions their agencies deploy will be safe and secure? SafeGov.org sponsored an in-depth survey of Federal managers by the Ponemon Institute to shed light on these questions. In what follows we review the most significant findings of the survey.

Conducted in September, the Ponemon Institute survey had 432 respondents from over 20 Federal agencies that already use or expect to use cloud solutions within 12 months. 71% of the respondents were agency managers or executives. 51% worked in IT-related jobs, 49% were non-IT.

Meeting the Cloud First mandate: a work in progress

The Federal CIO’s original Cloud First mandate was that Federal agencies should migrate at least one existing application to the cloud by the end of 2011 and two additional applications by mid-2012. We found that early compliance with the mandate is high, but incomplete. 83% of respondents have fully or partially identified the first three applications they intend to migrate. However, only 25% have fully migrated at least one legacy application to the cloud, while a further 47% say their first migration is in progress.

Cloud still has to prove its cost advantages

The main sales argument of cloud vendors to date has been that cloud solutions will cost less than the on-premises IT systems they replace. However, our survey shows that Federal managers are divided about this claim: 42% of respondents agree that cloud computing will result in some degree of cost savings for their agency (though only 12% believe the savings will be “significant”). But a surprising 25% believe that cloud will actually cause costs to go up, while 33% say its impact will be neutral.

Federal managers aren’t yet persuaded that cloud will be a significant money saver, because they don’t have enough experience with cloud solutions to know what the true long-term costs will be. While cloud’s subscription-based pricing model offers predictability, implementation and migration costs can produce nasty surprises. Lower upfront “sticker” prices don’t automatically translate into lower total cost of ownership, and the respondents know this. Only 11% say they are “very confident” they understand the “true long-term cost of migrating on-premise applications and data to the cloud”. The burden of proof remains on the vendors.

IT and business managers don’t see eye-to-eye on cloud security

Our survey reveals that IT managers in the federal agencies are more skeptical about the safety of cloud solutions than their non-IT colleagues.

About half, 54%, of IT managers believe their own agency is likely to suffer a cloud security breach in the next 12 months compared to only 38% of non-IT managers. Remarkably, while 20% of IT managers acknowledge that their agency has already suffered a cloud-related breach, only 1% of non-IT managers are aware of this fact.

However, IT and non-IT managers do agree on one thing, namely that other Federal agencies are more at risk for cloud security than their own: 61% of IT and 66% of non-IT managers believe that one or more agencies other than their own will suffer a cloud-related breach in the next 12 months.

Cloud is seen as more vulnerable to insider attacks

While media reports tend to focus on outside hacker attacks carried out by foreign governments or groups such as Anonymous, our survey respondents believe that insiders – whether malicious or merely negligent – are a greater threat. They also believe that cloud services may be more vulnerable to such attacks than on-premises IT systems: 51% believe cloud services are more vulnerable to negligent insiders than on-premises systems (15% believe the contrary), while 50% believe cloud is more vulnerable to malicious insiders (18% believe the contrary). However, the perceived gap is much less for the risk of external cyber attacks: 34% believe these are more likely with cloud services vs. 29% who believe they are more likely with on-premises systems.

When a cloud solution is deployed, the circle of “insiders” who have access to the system – and who therefore represent a potential security threat – expands from the agency’s internal IT staff to include the cloud provider’s own personnel.

Our survey results show a low level of trust in cloud provider personnel among federal managers. One can certainly argue that this mistrust is unjustified and perhaps largely a matter of perception rather than reality. Nevertheless, it suggests that cloud providers have to work much harder to demonstrate to Federal customers that their personnel have been rigorously vetted.

Federal IT managers still see a vital role for on-premises IT

The federal agencies we surveyed are working diligently to comply with OMB’s Cloud First mandate. However, this does not mean that they are ready to give up their on-premises IT systems. On the contrary, our survey found strong resistance to this notion, especially (though not exclusively) among agency IT managers. Among the latter, only 22% believe that cloud solutions have achieved the same level of security as on-premises applications.

Some 62% of all respondents say that certain applications and data are just too sensitive to move to the cloud. This sentiment is more pronounced among IT managers (73%), but is still shared by a majority of non-IT managers (51%). These concerns are understandably strongest for law enforcement and national security applications, which are rated as unsuitable for cloud migration by 75% and 83% of respondents respectively.

When we consider applications outside of these two high security domains, we again observe a significant gap between IT and non-IT perceptions.

Nearly a third of IT managers (30%) believe that even seemingly routine applications such as email are too sensitive for the cloud. Non-IT managers are much more likely (80%) to consider email as suitable for cloud migration.

IT and non-IT also disagree about their agencies’ core domain-specific applications: 58% of IT respondents believe that such applications should stay on-premises, but only 39% of non-IT respondents share this perception. While the views of non-IT managers are important, the reality is that agency IT strategy is going to be implemented by IT managers, who are closest to the practical realities of delivering IT services to agency end-users.

Our survey results suggest that few federal agencies will embrace an all-cloud approach in the foreseeable future.

IT wants a more measured migration to cloud

Federal IT managers recognize that cloud solutions will be an important part of their future. But many of them are pushing back against the tight timelines imposed by Cloud First. The study found 69% of IT managers say the Cloud First framework is too fast; 71% say that pressure to move to the cloud is inadvertently creating greater security risks for their agency.

IT’s doubts about cloud security and the accelerated pace of cloud migration feed a belief that this issue is driven in part by politics. 69% of IT managers say one of the most important reasons their agency is moving to cloud is to comply with the political mandate, while only 35% cite cost savings. When we consider responses from non-IT managers, these views are exactly reversed. 76% of non-IT managers say cost reduction is a primary reason for moving to cloud, compared to only 48% who cite the political mandate.

Agencies prefer Private or federal community clouds

Respondents indicated a clear preference for private clouds or a Federal community cloud over cloud solutions that are also open to state and local government or to the general public: 38% expect that their agency will be using a Federal-only cloud in the coming year; 28% expect to use a broader government cloud (open to all levels of government), while 20% expect to use a private cloud limited to their own agency. Only 14% of respondents expect to use a public cloud service.

Respondents also rated the safety of the four different types of cloud services as follows:

• private clouds limited to a single agency were rated “very safe” or “somewhat safe” by 64% of all respondents (52% IT, 77% non-IT);
• community clouds shared only with other federal agencies were rated safe by 61% (50% IT, 73% non-IT);
• community clouds open to State and Local as well as Federal agencies were rated safe by 54% (42% IT, 67% non-IT);
• public clouds open to all were rated safe by only 35% (30% IT, 41% non-IT)

Although the gap between IT and non-IT perceptions remains significant, the trend is identical for both groups: private clouds and Federal-only community clouds are the preferred architectures.

IT wants U.S. based, government-only servers; staff background checks

What will it take to convince federal IT managers that cloud services are safe and secure?
Most, some 78%, say that cloud servers used by their agency must be located in the U.S.; 73% want these servers to be physically isolated from those used by non-government customers. Finally, 70% want all cloud provider personnel who have access to their agency’s servers or data to pass rigorous background checks.

Cloud vendors need to work harder to earn IT’s trust

Federal IT managers not only fear security breaches caused by negligent or malicious cloud provider staff, they also aren’t entirely confident that the providers will inform them when breaches occur.

Only 34% of IT managers in our survey are “confident” their cloud provider would inform them in the event of a security breach. Only 37% are confident they know the identity of “all privileged users who have access to the servers and data storage devices operated by [their] cloud service providers”. Only 34% have full confidence in the “data protection and security features” of their cloud providers.

While these fears are arguably more a matter of perception than reality, they nevertheless underscore the need for cloud vendors to be more transparent about their security features. The vendors naturally want to retain the flexibility to evolve their offerings quickly.

Accordingly they may see strict security incident disclosure and reporting requirements as an additional burden that will slow them down in a fast moving market. But federal IT managers see things differently. Confronted with rapidly evolving cloud offerings that are not yet fully mature, they want more rather than less transparency about what happens when things go wrong. SafeGov.org believes that the cloud providers will have to bend to meet the users’ requirements on these issues.

Conclusion: Cloud First needs to be more pragmatic

Our survey reveals a fair degree skepticism in the federal agencies about the costs and risks of cloud computing. An easy response to this finding would be to call for watering down or delaying the Cloud First initiative. SafeGov.org doesn’t believe this is the right response. The concerns of federal managers about cloud can be addressed if cloud’s supporters adopt a more pragmatic and transparent approach.

Cloud First was launched a year ago as a top-down political mandate from OMB to the user agencies. Imposing a timeline with ambitious early objectives was an effective way to show agency managers (as well as Congress and the media) that the Obama administration was serious about making federal IT cheaper and more responsive.

But now that the agencies have embraced the basic concept of cloud, the time has come to adopt a more flexible approach. Federal agencies want to choose which applications are ready for the cloud and which kinds of cloud are most appropriate for their needs. They also want the option of adopting hybrid architectures that combine cloud and on-premises solutions.

The enthusiasm for cloud is motivated in part by alluring sticker prices and a tendency to underplay security concerns or migration costs. Lead agencies such as GSA and the cloud vendors should provide Federal managers with more realistic scenarios for managing the costs and risks of migrating to the cloud. They should also shift their focus from upfront acquisition costs to the long-term total cost of ownership. TCO includes not just the purchase price of cloud services, but the costs of migration, training, business process reengineering, customization, unplanned implementation delays, and the mitigation of unexpected security threats.

Greater transparency and pragmatism are the prerequisites for insuring the long-term success of Federal cloud initiatives. SafeGov.org believes that the lead and user agencies together with the cloud provider community will meet these challenges energetically.F

Jeff Gould, CEO and Director of Research at Peerstone Research and SafeGov.org expert.

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices.