Response of Red Hat, Inc. (“Red Hat”)
to the
Federal Cloud Computing Strategy 1 (“Cloud Smart”)
October 24, 2018
Red Hat appreciates the opportunity to provide comments on the above-referenced
matter. We commend the release of Cloud Smart to assist agencies “to make
informative technology decisions in accordance with their mission needs, and leverages
private sector solutions to provide the best services to the American people.”
Red Hat is a leading provider of open source software solutions, using a
community-powered approach to deliver resilient and high-performing cloud, Linux,
middleware, storage, and virtualization technologies. An S&P 500 index member, Red
Hat provides high-quality, trusted and affordable technology solutions that are found
throughout mission-critical systems in the financial, transportation, telecommunication,
and government (civilian and defense) sectors in the United States and around the
world. Red Hat is recognized as one of the world's most innovative companies.2
To effectuate the goals of Cloud Smart, the Administration has appropriately
acknowledged the essential role that open source technology contributes to the
adoption paths and services that make up effective cloud computing infrastructures.
Cloud Smart recognizes that, to successfully carry out the objectives of the policy, the
focus on hybrid and multi-cloud environments, as well as technology-neutral
vendor-based solutions, should be front and center in agency plans. Private clouds
offer control, predictability, and a clear migration path that can be attractive to
government departments. Public clouds can, in some cases, offer economies of scale,
availability, and potential ease of use.
“Hybrid clouds” is the reality of the current and foreseeable IT infrastructure. At one
level, it represents the best of both public and private cloud computing, coupling the
power and elasticity of public clouds with the security and control of private. More
strategically, organizations are moving workloads among various cloud environments,
as needed. Migration (or, better said, remigration) of workloads and data from public
clouds back to on-premises is an increasingly common phenomenon.
This evolving dynamic requires a new level of transparency, coordination, and flexibility
that can be very challenging to execute. When developing a cloud strategy, it is
tempting to focus solely on either public or private providers. In truth, the vast majority of
agencies, reflecting trends in the commercial sector, will opt for a hybrid model, and
government policies, procedures, and recommendations should anticipate and promote
this.
1 https://cloud.cio.gov/strategy/#cloud-smart
2 See Forbes, “The World’s Most Innovative Companies”, 2017, found at: https://www.forbes.com/companies/red-hat/.
We offer the following suggestions to improve Cloud Smart:
● Cloud Smart currently says very little about the importance of an agency first
creating a 'strategy/plan' for its cloud adoption. Cloud Smart should recommend
that agencies develop a comprehensive plan that includes consideration of potential
future needs to evolve the infrastructure.
○ Cloud Smart should encourage cloud providers to use open standards to enable
interoperability, prevent vendor lock-in, and mitigate security risk or functionality
limits.
Use of open standards in software interoperability promotes a level
playing field between software vendors, and is consistent with the reality of
hybrid cloud. In data, it affords greater portability among vendors and
applications. In both cases, it creates an environment where innovation can
progress without future technology lock-in.
Open standards and fully disclosed application interfaces -- central to
interoperability and portability of software and data -- are both very important to
realize the full value of cloud computing. The Internet itself would never have
been possible without the TCP/IP networking standards, which allow any and all
computers to connect to each other, much like any telephone in the world is
capable of connecting to any other telephone. With the multitude of vendors
offering cloud platforms, open standards, and fully disclosed interfaces will
continue to grow in importance as agencies turn to cloud services.
○ Cloud Smart should advise agencies that a “cloud exit strategy” must be a key
early-decision component of IT modernization, and their cloud migration efforts
must preserve future ability to shift cloud workloads, when necessary. Avoiding
the pitfalls of cloud lock-in will ensure that efforts to enable the next generation of
government IT do not ultimately lead to a future problem of lock-in to ‘legacy
clouds’ that prove more expensive or less effective than available alternatives.
There has been significant guidance about the adoption of cloud for government
use.3 4 5 However, little has been said about the need to have an appropriate exit
plan for shifting use of cloud services -- whether it be to bring workloads back
into government data centers or to realize the financial value of moving
workloads to more cost-effective cloud offerings.
3 See “FedRAMP Tips” https://www.fedramp.gov/tips-cues/
4 https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m_16_19_1.pdf
5 See “Federal Cloud Computing Strategy”, February 2011
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf
○ Cloud Smart strategy would be enhanced by acknowledging the emerging
technology approaches (e.g., containers, microservices) that provide the ability
for data and applications to be migrated to a cloud provider in a way that allows
them to be migrated again in the future, when necessary.
○ Cloud Smart should recommend that agencies create policies or contractual
requirements that prevent a service provider from locking in data or applications,
or engaging in actions such as charging low rates for initially using a particular
cloud service and then raising rates for existing service.
● Cloud Smart should promote a multi-cloud approach explicitly, consistent with
its recognition of the importance of hybrid and private cloud implementations.
Agencies should ensure that cloud procurements do not: limit access to functionality
improvements offered by providers in the future, preclude the security and practical
benefits of using different cloud providers for different use cases, or create a risk of
being charged monopoly rents in the future as cloud providers are crowded out.
● Cloud Smart should direct agencies to take a risk-based approach to cloud
security. The focus of the security section on custodial data by agencies is
important. However, Cloud Smart makes no mention of agencies taking a
risk-based management approach.6 Indeed, much of the guidance seems to be
narrower than might otherwise be appropriate for consideration of cloud
(especially public cloud). Understanding where data is, on which particular
systems, and assessing the sensitivities of that data, all relate to the risk and threat
analyses that one might expect in the guidance. It is not just "transit[ing] various
networks and com[ing] to rest in various locations", but how it is being processed on
various systems, and whether they are appropriate for that data.
● Cloud Smart should heighten its emphasis on IT modernization or ‘digital
transformation’ as an enabler of innovation and creativity in agency domains,
rather than simply incrementally enhancing and supporting the traditional methods.
As noted by Gartner7, digital business transformation is about “exploiting digital
technologies and supporting capabilities to create a robust new digital business
model.” In the government, it is fundamentally about enabling government to operate
like an innovative and efficient digital ‘business’ for delivering citizen services.
We urge that Cloud Smart highlight that digital transformation requires: agile,
commoditized, modular approaches to enterprise and end-user Federal IT, and that
cloud strategies (particularly the reality and strategic positions of hybrid and private)
in the commercial sector illustrate the essential role of open source software:
“Enterprise-grade open source software has become ubiquitous across
enterprise IT architectures ... used by most, if not all, enterprises to
support a broad range of mission-critical applications and business
services. … [open source] often provide the basis of critical new
technologies … open source is more likely to lead the charge toward
innovation.”8
6 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017
7 Gartner IT Glossary, found at: https://www.gartner.com/it-glossary/digital-business-transformation/.
● Cloud Smart should recognize that it builds on, rather than replaces, the Cloud
First goals, including data center consolidation. The Federal government's
approach on cloud is, inevitably, one of evolution, not just to consolidate data
centers, but more broadly to transition to more efficient infrastructure, optimize
existing resources and leverage technology advancements to modernize
infrastructure.
Conclusion
Cloud Smart is, in many ways, forward-looking and an important step to fulfill the
Administration’s IT Modernization9 objectives. Effective utilization of flexible hybrid and
private cloud environments, and not just public cloud, is essential to meaningful IT
modernization. The updated Strategy should recognize this fact, build on existing
policies and point to its key role in private sector digital transformation.
Contact:
Mark Bohannon
Vice President,
Global Public Policy and
Government Affairs
Red Hat
Matt Krupnick
Public Policy Director
Red Hat
David Egts
Chief Technologist
North America Public Sector
Red Hat
8 IDC report, Enterprise-Grade Open Source: An Imperative for Modern IT, April 2016.
9 See “Report to the President on IT Modernization”, 2017 https://itmodernization.cio.gov/