Everybody! Into the Cloud!
Come forth for the cattle call
Confront the evil river you can't control
Wicked ways and venomous eyes
Just human nature in disguise
— Devil Driver “Clouds over California”
I’ve been a fan of cloud computing since its beginning. I always saw the value in standardization and the “buy by capacity” model. When Marc Andreessen, Ben Horowitz, Insik Rhee and Tim Howes left Netscape to found hosting business Loudcloud, I was all in and joined the team. Marc used to talk about the “compute grid” that would work much like power grids work. The vision of the four founders was much like what Amazon Web Services (AWS) delivers today. We were just a little too early — but the vision was sound.
Someday people would put their applications on other people’s computers. By doing so they would benefit from the economy of scale, and the standardization of the platforms that would breed a better, more consistent security model. Loudcloud was an amazing ride with lots of challenges. Ben does a good job summing them up in his book “The Hard Thing About Hard Things.” It wasn’t easy making the transition from a software mindset to a services mindset, but the two were married, as they should have been. It’s all about the applications. It’s always been about the applications.
All of the things that Marc, Ben, Insik and Tim envisioned have come to pass...sorta. While we definitely got the “buy by capacity” consumption model (with all its warts), the security model can still be a challenge.
Don’t get me wrong, Amazon, Microsoft and Google do a great job of racking and stacking and patching. But they aren’t the only “clouds” in town. Everyone is in the cloud and the security models can vary. Variability is the antithesis of security.
Basically what we’ve discovered is that, as the application owner, you cannot abdicate your security responsibilities. You own it. All of it. Now, you might inherit some security goodness from, say, Amazon (I’m sure you will) — but that doesn’t make you any less of an owner for the security of the “entire system” — all the way up through your application to the end user access. Soup to nuts, as we like to say.
The government has taken a little longer to get “on board” with cloud. We’ve had pockets of it here and there, but the security skepticism runs deep. And the security policies have been a little, shall we say, lacking. This is starting to change. Finally. For the better.
The Office of Management and Budget (OMB) Is on a Roll
This week, the Office of Management and Budget (OMB) released its long-awaited updated guidance for the Trusted Internet Connection — or TIC as it’s commonly referred to — updating it to version 3.0. I wrote about this when the draft came out, and now we have it in its final and glorious form.
Working with (and against) guidance that is over 10 years old can be problematic. So much change has happened over 10 years and almost all of it, while awesome, has been counter to the way cloud services were made to stand up, be consumed and secured. This new guidance from OMB takes a modern approach that throws in some future flexibility and adds a dash of help with pilots — much like their new identity guidance that came out earlier this year.
This gives federal agencies flexibility to do agile risk-based cloud deployments (cloud is agile by design) and stops requiring federal agencies to drag “outside to outside” traffic back through a DMZ. Routing outside-to-outside traffic this way is a practice commonly referred to as “hair pinning.” This practice made sense in 2007 when it was mostly “outside to inside” traffic, but that has changed and now, thank goodness, the directives and guidance have too.
FedRAMP’s Standardized Approach to Cloud to the Rescue
It also helps to have some forward-thinkers driving cloud service providers (CSPs) to adopt stricter government standards. The FedRAMP program is doing a great job with this and is open-minded enough to keep improving the process because they know how critical it is for government agencies to be able to make these decisions and deploy their applications quickly and securely.
There are still some cloud naysayers and skeptics in government, and I get it. I really, really do. Cloud isn't the answer for every use case, but there are more people looking to move things to the cloud (or birthing new things on the cloud) than ever before in the government and public sector.
This is a truly Cloud Smart approach to a better future.