Ohio Digital Government Summit:

Cloud-Based Provisioning
September 16th, 2015

2015 IBM Corporation

Cloud and government

Cloud computing offers limitless

vistas of
Cheap, utility computing
Low capital needs
Rapid application development
Happy users
and therefore even happier
CIOs!

Well, not quite!!.

While cloud is undoubtedly a powerful tool for governments, a number of significant
constraints apply. But, these can be addressed so lets explore them.
2

2015 IBM Corporation

Certainly, governments are

under continuous pressure to
do more with less, and cloud
can play a big role

..and certainly, cloud is a major

enabler of mobile computing,
big data and many other
buzzwords

Speed and agility faster service

delivery.

Systems of engagement for citizens

and workforce.

Scalability.

Targeted services that engage

citizens as individuals, based on
analysis of needs.

Efficiency, automation.
Pay in line with usage.
Opex replacing capex.

Seamless experience joined up

government.

Mobile

Gentlemen, we have run

out of money. Now we have
to think.
(Ernest Rutherford or Winston Churchill)
3

Social

Analytics
Mobile

CloudCloud

Big Data

Social
Analytics
2015 IBM Corporation

So governments are becoming highly creative in how they use cloud

Cost reduction
Canadian
provinces, many
others

Hurricane
resilience
Caribbean
nations

IaaS platform for

public sector
entities - California

Economic and skills

development engine
Singapore, Taiwan

Community
enablement engine
Norfolk (UK)

Shared services
Group of NY state
townships

Mainframe skills
replacement
(US State)

E-government
platform - Estonia

Revenue source
New South
Wales, Australia

Local infrastructure
(for NGOs, private
sector) Catalonia,
Sunderland (UK),
WuXi (China)
2015 IBM Corporation

A shared services model?

Business Process as a Service

Public

Complex Workflows
(Example - emergency response)

Data Models and Integration

(Single view of the student/tax
parcel/citizen/asset/criminal.)

(Multiple vendors)

Software as a Service

Public

Infrastructure/Platform as a Service

Businesses?

Collaboration tools
Billing and metering
Security
etc

Internal
Operations

Application Catalog

Businesses?

(Example - property tax

transaction)

High speed communications for all users

Simple Workflows

Customer Portal

Lead Entity
(State?)

Internal
Operations

User
Counties,
Cities

5
2015 IBM Corporation

But there are decisions to be made

Opex vs Capex
Data residency
Compliance
Public vs Private vs Hybrid
Management and Cyber-Security

2015 IBM Corporation

Opex vs capex: the need isnt always clear cut

Many governments are attracted to
converting capital expense to
operating or revenue expense.
But not all. Some governments are
not capital constrained:
Example US State X, and UK
Water Utility Y. Both have tight
revenue budget constraints, but
still find it easy to raise debt.
But they still want to pay by
usagethey just want a way to
aggregate cloud expenses into a
capital payment.

Capex

Opex

Also, many cloud users are wary of

sudden cost surges if payment is
driven purely by usage.
They prefer a fixed (or at least
predictable) monthly cost.
7
2015 IBM Corporation

Data residency and local content requirements are common world

wide. Phillip Snowden and the NSA made them more so.
Many governments have
geographically-defined data
residency requirements.
May be a legal requirement - or
just a tacit preference.
Some countries are data resident
but not support resident.
Some have local employment
conditions, to boost economies by
creating skills and jobs.
Restrictions also exist on sharing
public clouds between specific
countries.
Even in the US, some states want
data to stay within their borders,
while others work with US
borders.

Data residency fundamentally breaks the original

economic model for cloud, of utility computing at
enormous scale. So it implies trade-offs:
Is there a public cloud vendor in your desired
territory, or do you need a private cloud option?
How close can you get to cloud benefits with a
private cloud?
Are all workloads data resident, or just some?

8
2015 IBM Corporation

The appliance of compliance

Compliance with privacy and security
standards such as FISMA/FedRamp,
HIPAA, CJIS and FFIEC imposes
constraints (and costs) on cloud:
Premises;
Staff vetting;
Hardware/control stack;
Applications especially if multi-tenant;
Procedural risk analysis, process
design, attestation, documentation,
audit.
CJIS is a particular issue. DoJs position is
that CJIS data may not co-exist on
hardware with non-CJIS data period.

Most compliance standards are based

at least to some extent on the same
core ISO and NIST standards.
This may mean that ISO 27000 series
is a good base camp from which to
additionally comply with the other
standards required.
There is a superset of compliance
requirements that once met will apply
to other standards. For example:
FIPS 140-2 encryption
HIPAA procedural superstructure
CJIS staff vetting

IBM clients increasingly want compliance

with ISO 27000 series, even for otherwise
non-compliant data, just to demonstrate due
care and stewardship.
9

2015 IBM Corporation

Public vs Private vs Hybrid Cloud

+Ve:
Low costs
Flexibility and elasticity
Opex payments
Back-up capability
Economies of scale
also apply to security!
-Ve:
Data residency
Support for compliance
Some legacy apps and
workloads are not
cloud-suited
Visibility of security
provisions

10

Public

Private

Hybrid

+Ve:
Optimizes workloads to the best
locations may be unavoidable
Retains economics of public cloud
where applicable
Retains existing investments where
applicable

+Ve:
On or off-prem options
Enables data residency
May be best option for
legacy workloads
May be easier to
ensure compliance
Accountability
Optimizes return on
existing investments
-Ve:
Skills availability
Costs
Access to public cloud
ecosystem and
development tools

-Ve:
Potentially, organizational and
technical complexity in achieving
required integration (but see
over).
2015 IBM Corporation

Management and Cyber-Security - in a hybrid environment, the key

word is integration

Development environment
Orchestration (Often multiple cloud environments)

Public

Hybrid

Private
(Traditional IT)

Integrated Security and Compliance Management

Management - Visibility, Performance, Usage Reporting

11
2015 IBM Corporation