In the private sector, the use of cloud technologies is rapidly expanding. State governments are slowly following suit, mostly with limited programs to support specific groups within each state. Ohio is proving to be an exception to that rule, rebuilding its entire infrastructure as part of a multiyear IT modernization project with a cloud-first mind-set. And, according to experts, other states should consider following that example.
“A lot of times moving big data applications to the cloud can save money” for a state, said Zack Nagaich, a cybersecurity analyst at Columbus Collaboratory who specializes in cloud deployments within Ohio and other states. “That is the main reason why cloud solutions are becoming so popular compared with running a traditional data center. Before, there were the costs of hardware, building up those servers and computers–and then maintaining all of it for years. It took many full-time employees.”
The cloud, by contrast, puts the burden of hardware and software maintenance on the vendors who provide it, with the state responsible only for building out the interface to allow users to access necessary information stored there. Depending on the applications being deployed, this can amount to a lot of savings. For example, a recent study by Forbes found that over a three-year period, cloud deployments supporting e-commerce applications saved an average of 37 percent over similar programs running in a traditional data center.
The federal government has been even more cautious than the states in utilizing cloud technology, mostly because of security concerns. But even there, with limited deployments, the Government Accountability Office estimated in 2015 that the government had saved about half a billion dollars using cloud technology over a four-year span.
Security should certainly be a concern for states looking to move some or all of their operations into the cloud. Nagaich said that while states could easily adopt most cloud providers from an operational standpoint, the devil is likely going to be in the details of the service agreement. States need to be especially insistent on the provider’s role in terms of helping to enforce security and compliance issues. That may mean paying a little more, or keeping certain items out of the cloud altogether even if the rest of the state’s data is transferring.
“For example, compliance issues mean that states couldn’t put health data into certain clouds unless they were brought up to standards,” Nagaich said. “Regulations such as HIPAA specifically clash with many cloud solution services.”
States also need to understand the relationships of their data once placed into the cloud. With everything virtualized, traditional lines of communication become less defined, so that unexpected security and operational issues can arise.
“States that quickly adopt a cloud solution without looking at all the aspects of their data might be adversely affected later,” Nagaich said. “This could be related to things like the visibility of cloud applications, what data they are putting into the cloud, how data is moving through and out of the cloud or even the classification and types of data.”
To avoid that, states may need to put more work into studying and classifying their data and workflows before breaking ground on new cloud initiatives. Ohio did its homework before upgrading its infrastructure, which minimized any problems.
The two biggest questions that state CIOs and other high-level IT decision-makers need to consider when looking at cloud deployments are, first, whether the cloud is going to be the most economical solution available, and then whether it can be done safely. The safety question may depend on the culture of the state, and the specific regulations that apply to its data.
“You have some organizations like Microsoft who have their entire email infrastructure in the cloud and they are able to maintain a pretty secure environment,” Nagaich said. “And then you have some organizations that only use on-site solutions and still get breached. Security isn’t going to be perfect on any platform, and there will never be a magic bullet.”
Security is always going to be a challenge, but with enough planning, most states can probably deploy their data and apps into the cloud safely. Ohio seems to have successfully accomplished that feat across the entire state, and could act as a road map for others to follow.