Implementing cloud computing at a federal agency starts with good governance policies, according to members of a panel at Amazon Web Services’ government symposium last month.
“Governance is a [nuisance], but absolutely required,” said Samy Bouhaouala, senior associate with Booz Allen Hamilton. In cybersecurity, governance is about policies and mission, not applications, he said. “Why is it I’m issuing privileges to certain people? The big question is why, and governance drives” the answer.
One of the largest departments, Health and Human Services (HHS), has 12 operational divisions and runs a federated environment, said Jennifer Gray, lead cloud architect for the enterprise.
“Because we are federated, we want to make sure we are providing a baseline that fits,” Gray said.
HHS is taking a collaborative approach to governance. The 12 divisions – including such major agencies as the Food and Drug Administration (FDA), National Institutes of Health (NIH), and the Centers for Disease Control and Prevention (CDC) – have formed a Cloud Computing Advisory Committee to develop the policies and guidance that will help them have a common operating environment.
“By the end of the calendar year we should have a framework that all of HHS can agree on,” Gray said.
Karen Petraska, the service executive for data centers in the NASA Office of the CIO, said NASA has spent a lot of time defining best practices, such as how to manage data and who’s going to track those accessing the networks.
“Governance is a scary word,” she said. “We’re not trying to be restrictive so much as being able to track and manage the things we’re supposed to. We’ve attempted to do as little reinvention as possible.”
NASA was an early adopter of a private cloud. “The power of the cloud is a very natural thing for NASA, [given] the size of our data sets and the complexity of our calculations,” she said. Around 2011, the agency did a performance comparison of its private cloud versus commercial offerings. “We found we’d been lapped by commercial,” she said.
As a result, NASA is working to put everything in a commercial cloud that’s appropriate. The cloud computing landscape is changing so rapidly, Petraska said, that the agency “[doesn’t] even know what capabilities will come next.”
The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP), which offers a government-wide standardized approach to cybersecurity, is valuable, “but it’s still a lot of work,” Petraska said.