pressmaster - Fotolia


Government agency puts cloud computing references to effective use

Free guides from cloud customer advocacy groups fit nicely into Pension Benefit Guaranty Corp.'s structured approach to cloud.

Pamela Wise-Martinez remembers a time, not so long ago, when cloud was the answer to everything.

"Oh, yeah. Everyone was going to cloud, they were going to use cloud -- cloud, cloud, cloud," said Wise-Martinez, chief cloud and enterprise data architect at Pension Benefit Guaranty Corp (PBGC). Just a few years ago, the U.S. government agency was among the droves of organizations eager to capture the vaunted cost savings of offloading IT operations onto someone else's servers -- without a formal process for adoption.

Today, with cloud computing the No. 3 investment priority for CIOs, according to Gartner's 2015 CIO Agenda Report, stakes are high for getting cloud adoption right. Reaping the business benefits of cloud requires cloud computing expertise in the IT department and an informed user community. Many organizations will have trouble clearing that bar, Wise-Martinez said.

That's where customer advocacy groups like the Cloud Standards Customer Council (CSCC) and the Cloud Security Alliance (CSA) come in. The organizations offer free-of-charge advice and insight on pressing cloud computing challenges, helping customers achieve promised benefits such as cost savings, flexibility and swifter time to market.

Pamela Wise-Martinez, chief cloud and enterprise data architect, Pension Benefit Guaranty Corp (PBGC)Pamela Wise-Martinez

For Wise-Martinez, these cloud computing references have been critical. After joining the agency earlier this year, she set up a "cloud advisory team" as part of a more disciplined approach to adopting cloud. The group is made up of people from all over the agency to research cloud computing projects, collect business requirements and evaluate providers. The purpose is to ensure that IT delivers what business departments need, but that will take time, as the team includes members who lack the technical knowledge to make sense of the finer points of implementing cloud.

"It's small steps with this team because this is a multidisciplinary team," she said. "It has the office of general counsel, the procurement department, the IT department, enterprise security, workspace management. It has a number of non-IT leaders, as it should, and subject matter experts."

One cloud computing resource Wise-Martinez uses to give team members the necessary background is the CSCC's "Practical Guide to Cloud Service Agreements" (see sidebar, "Stay resourceful on cloud"). The paper, first published in 2012 and updated in April 2015, aims to help IT and business leaders decipher the pacts that govern customer-provider relationships so organizations are aware of such fundamentals as where their data will be physically stored.

Stay resourceful on cloud

Here's a sampling of cloud computing resources that can help organizations as they begin transitions to the cloud.

  • The Cloud Standards Customer Council (CSCC) published "Practical Guide to Platform-as-a-Service" in September. The guide compares PaaS with other cloud offerings and lays out best practices for deploying and using it.
  • "Practical Guide to Cloud Service Agreements," also by the CSCC, is designed to help IT and business leaders analyze the documents that lay out expectations for service.
  • The Cloud Security Alliance released the third version of its Cloud Controls Matrix in 2014. The free downloadable document aims to help companies assess cloud providers and guide security efforts.
  • The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government's risk management approach for evaluating and monitoring cloud providers' services. FedRAMP offers a number of free documents, including a guide to the program.

"If you don't have the expertise and you're learning and you're growing and you're trying to figure this out for the benefit of your organization, why reinvent the wheel?" she said. "You have a practical guide that's right here, that gives you A through Z what you should consider."

Like other U.S. government agencies, PBGC is mandated to consider cloud computing in its IT strategies. The agency has just a few cloud services now but is undergoing "a huge modernization effort," Wise-Martinez said, weighing projects like building a customer relationship management application on top of its Microsoft Azure cloud platform. To get there, she follows the agency's strict guidelines on enterprise architecture, which aligns process, data and technology components to meet an organization's current and future objectives. Supplementary cloud computing references are important in helping to keep that structure in place, she said.

Another cloud computing resource is the CSA's Cloud Controls Matrix, a set of security safeguards to help determine how secure a cloud services provider is. It's a sprawling Excel spreadsheet that helps Wise-Martinez's cloud team in vendor evaluations. It maps 16 security areas, or domains, such as identity, encryption and application security, to industry standards and regulations that organizations need to follow, such as the Payment Card Industry Data Security Standard for credit card information and Health Insurance Portability and Accountability Act for healthcare data.

"[The CSA is] creating a really good -- we can't call it a standard yet -- but they're starting to normalize this," Wise-Martinez said. "A quite useful tool."

The U.S. government offers its own cloud computing resources that public and private sectors alike can use to their benefit. The PBGC, for example, uses a handy definition of cloud by the National Institute of Standards and Technology (NIST) to determine whether a vendor's "cloud" offering is actually cloud (see graphic, "How NIST defines cloud computing").

The National Institute of Standards and Technology criteria to qualify as cloud computing
How NIST defines cloud computing

For example, if a vendor doesn't allow for measuring or monitoring an organization's usage of cloud resources -- one of the five NIST cloud computing characteristics -- then it won't get the process improvements and efficiencies it signed up for, Wise-Martinez said.

Small businesses, federal agencies and big corporations starting off on cloud journeys should take note, and add links to NIST, CSCC and CSA to their Favorites toolbars -- or they could be in for some nasty surprises.

"The government and these organizations like the Cloud Standards Customer Council are really their only hope," Wise-Martinez said. "It's their lifeline, if you will."

Next Steps

Another cloud computing resource: A management guide for CIOs

What drives cloud economics?

Cloud computing resources for cloud architects: Analysts provide guidance

Dig Deeper on Small-business IT strategy