Cloud Now, Straight Talk from a State Digital Summit
- May 09, 2022
Like most people, I have gotten comfortable meeting over Microsoft Teams, but nothing beats the idea exchange and dialogue of a face-to-face panel discussion. After two years of hosting virtual meetings from my home office with my dog on my lap, I was thrilled to talk with our government customers and technology colleagues in person at the recent Kentucky Digital Summit. Not surprisingly, moving to the cloud was a hot topic. Stop reading if I have to convince you of the benefits of moving to the cloud. Cloud services rank #4 on NASCIO's list of state CIOs' top priorities, and for good reasons. Controlling costs, security, flexibility, scalability, collaboration, modernization, and mobility all happen with cloud implementation, yet many states are still not there. What is the holdup?
We dove into this topic and some of the challenges, such as broadband connectivity, in a panel discussion featuring myself; Rick Woodruff, Executive Director, Office of Infrastructure Services, Commonwealth Office of Technology, Commonwealth of Kentucky; and Brent Legg, Executive Vice President, Government Affairs, Connected Nation.
We started the conversation with a close look at tools and mechanisms government agencies use to modernize and move applications to the cloud. At NTT DATA, we have found that the most successful cloud adoption programs begin with an assessment that aligns with the cloud adoption frameworks published by the three major public cloud providers. The first phase starts with discovering the digital estate to understand the organizational requirements for all applications across the enterprise. This information is used to create a Cloud Landing Zone that automates the provisioning of controls for key areas, including security and compliance, creating environments to include development, test and production, and the enforcement of identity and access management and networking policies.
Next, most organizations will review the applications being considered for the cloud to see which can be re-hosted (lifted and shifted), re-architected or re-engineered into a cloud-native application. While re-architecting applications to be containerized and cloud-native is often the initial goal of most cloud programs, in many cases, organizations identify large, monolithic mainframe systems that they have a priority to get into the cloud; however, this may not be feasible from a risk, time or cost perspective. For this reason, many government organizations opt to start with re-hosting.
Many states have old COBOL applications sitting on a mainframe, and it might take 3 – 5 years to re-architect the application thoroughly. Conversely, re-hosting can be accomplished in as little as 6 – 8 months. In cases like these, organizations can see significant cost savings, take advantage of the scaling capabilities, and add new features like DevOps.
Once applications are in the cloud, some organizations may begin a re-architecture project. In contrast, others leave the backend of the application running in the re-hosted service and use low-code/no-code SaaS tools. This choice creates a new user-facing experience while allowing the heavy lifting to be done by the legacy system.
Government IT professionals at the digital summit considering moving to the cloud were interested in their colleagues' actions. Specifically, are they adopting single or multi-cloud strategies?
Most of the organizations NTT DATA works with are adopting a hybrid-cloud strategy. Some applications might run on AWS, while others are on Azure or GCP. Data security concerns or the need for extremely low latency may necessitate a private cloud. One common theme is that many states are looking to get out of running their own data centers. Adopting a hybrid cloud model frees state resources up to focus on building new engaging experiences for their citizens.
The last question I received did not have a short answer. It was: “How can the CIO's office encourage agencies to adopt the cloud while also maintaining a level of control to ensure that best practices and cybersecurity policies are being followed?”
Adopting hybrid cloud strategies means also adopting supporting tools and processes. One of the most common setups is creating a cloud foundation template within each environment that works for all agencies or departments. Typically, this involves a master or parent account with the cloud provider that allows hardened child accounts or VMs to be set up. This cloud template allows for cross billing, logging rules, allowable regions, and rules for production deployment and non-production environments.
More mature organizations have added processes and tooling that use AI to manage things like autoscaling and provide continuous monitoring against cybersecurity standards such as NIST 800-53. Autoscaling processes become essential, especially with larger applications. The ability to scale services with business requirements is one of the most significant advantages of the cloud.
I like to use the example of Black Friday for retailers. In the old on-premises process, a retailer would need to purchase enough racks and servers to run the organization on their busiest day of the year, which would remain dormant for most other days. The beauty of the cloud is that you can track utilization and stress on the environment in real-time and then adjust accordingly.
We have found that organizations manually crank up the dials on peak periods if processes are not automated. But they then neglect to turn them back down as demand levels off — in some cases, organizations are paying millions of dollars for services they are not consuming.
For example, my team built and now manages a cloud-native application that collects highly sensitive healthcare information about employee COVID-19 testing and vaccination status. The application is hosted on the cloud and has an AI tool that manages my team’s configuration settings against the NIST, HIPAA and HITRUST technical standards. With this, if one of my developers tries to set up a port that is open to the world, does not encrypt the data both in transit and at rest, or even neglects to rotate keypairs promptly, the system will send up an alert and automate the remediation.
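The configuration checks described above, together with the allowable-regions rule from the cloud foundation template, sketched as an added example; it is not NTT DATA's tooling or code from this post. The resource fields, rule names, region list and 90-day rotation limit are all assumptions, and the resource record is constructed.

```python
from datetime import date

# Assumed baseline for illustration; not taken from any provider or standard.
ALLOWED_REGIONS = {"us-east-1", "us-east-2"}
MAX_KEY_AGE_DAYS = 90
OPEN_CIDRS = ("0.0.0.0/0", "::/0")

# Constructed sample resource (hypothetical field names).
SAMPLE = {
    "name": "health-api-dev",
    "region": "eu-west-3",
    "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                {"port": 443, "cidr": "10.0.0.0/8"}],
    "encrypted_at_rest": False,
    "tls_required": True,
    "key_last_rotated": date(2022, 1, 1),
}
TODAY = date(2022, 5, 9)

def evaluate(resource, today):
    """Return the sorted list of rule IDs this resource violates."""
    findings = []
    if resource["region"] not in ALLOWED_REGIONS:
        findings.append("REGION_NOT_ALLOWED")
    for rule in resource.get("ingress", []):
        if rule["cidr"] in OPEN_CIDRS:
            findings.append(f"PORT_{rule['port']}_OPEN_TO_WORLD")
    if not resource.get("encrypted_at_rest", False):
        findings.append("NO_ENCRYPTION_AT_REST")
    if not resource.get("tls_required", False):
        findings.append("NO_ENCRYPTION_IN_TRANSIT")
    rotated = resource.get("key_last_rotated")
    if rotated is None or (today - rotated).days > MAX_KEY_AGE_DAYS:
        findings.append("KEY_ROTATION_OVERDUE")
    return sorted(findings)

def remediate(resource):
    """Return a copy with the fixes that are safe to automate applied.
    Region moves and key rotation stay as alerts for a human to action."""
    fixed = dict(resource)
    fixed["ingress"] = [r for r in resource.get("ingress", [])
                        if r["cidr"] not in OPEN_CIDRS]
    fixed["encrypted_at_rest"] = True
    fixed["tls_required"] = True
    return fixed

if __name__ == "__main__":
    print("before:", evaluate(SAMPLE, TODAY))
    print("after: ", evaluate(remediate(SAMPLE), TODAY))
```

Re-evaluating after remediation separates what automation closed from the findings that still need an owner.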
I thoroughly enjoyed talking cloud in person at the digital summit in Kentucky, but I am always available for a Teams or Zoom call on the topic, too.