Thursday, November 01, 2012

The other hybrid: Community clouds

Community clouds were included in the original NIST definition of cloud computing, which has come to be seen as more or less the definitive taxonomy. NIST defined community clouds as cloud infrastructure "provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). However, as recently as a couple of years ago, it remained something of a theoretical construct--an intriguing possibility with only limited evidence to suggest it would actually happen anytime soon.  

That's changed.

It's not that community clouds are everywhere, but we now see concrete commercial examples in pretty much the places where you'd expect. Where there are specific rules and regulations that have to be adhered to and where there are entities that can step up to some sort of supervisory or overseeing role. 

Unsurprisingly, the federal government is one of the most fertile grounds for the community cloud idea. Government, well, "thrives" may not be quite the right word. But certainly government procurement is rife with a veritable alphabet soup of rules, standards, and regulations that must be adhered to. Indeed, government procurement was one of the driving forces behind the aforementioned NIST definition in the first place. And, in many cases, the policies and process associated with these rules have relatively little overlap with how businesses operate outside of the government sphere.


Furthermore, government agencies aren't wholly independent entities. They've often acted as if they were to be sure. And one of the big issues with government IT costs historically is that purchases often get made project-by-project, agency-by-agency. That said, initiatives like the 2010 Cloud First Mandate have the federal government towards more centralized and shared IT functions. The Cloud First Mandate may not have progressed as quickly as then-US CIO Vivek Kundra initially intended. Nonetheless, it's helped push things along in that direction. (As, no doubt, budget pressures have overall.)

The result is that many agencies are rapidly moving towards a cloud computing model--often using a hybrid approach that bridges internal resources with external GSA providers. I discuss one such agency in a session at the Cloud Computing Bootcamp in Santa Clara next week.

One public cloud specifically catering to the federal government is Amazon with their GovCloud which:

is an AWS Region designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. The AWS GovCloud (US) framework adheres to U.S. International Traffic in Arms Regulations (ITAR) requirements. Workloads that are appropriate for the AWS GovCloud (US) region include all categories of Controlled Unclassified Information (CUI), including ITAR, as well as Government oriented publically available data. Because AWS GovCloud is physically and logically accessible by US persons only, and also supports FIPS 140-2 compliant end points, customers can manage more heavily regulated data in AWS while remaining compliant with federal requirements. In other respects the GovCloud Region offers the same high level of security as other AWS Regions and supports existing AWS security controls and certifications such as FISMA, SSAE 16/SOC1 (formerly SAS-70 Type 2), ISO/IEC 27001, and PCI DSS Level 1. AWS also provides an environment that enables customers to comply with HIPAA regulations. (See the AWS Security page for more details.) The customer community utilizing AWS GovCloud (US) includes U.S. Federal, State, and Local Government organizations as well as U.S. Corporate and Educational entities.

As discussed by Brandon Butler in Network World, however, community clouds aren't limited to government. 

Given the data privacy standards imposed by the HIPAA regulation, healthcare providers also have some specific requirements and concerns when it comes to cloud computing--or, really, IT in general. Nor are these concerns purely academic. In 2011, the Department of Health and Human Services fined two different organizations a total of $5.3 million for data breaches even though those breaches were, arguably, relatively minor.

Optum, the technology division of the UnitedHealth Group, is an example of a healthcare community cloud from the Network World article. Butler writes that:

[Optum] released its Optum Health Cloud in February as a way for those in the healthcare industry to take advantage of cloud resources. Strict data protection standards regulated by HIPAA, plus a constant pressure to reduce costs and find efficiencies in healthcare management has made community cloud services seem like a natural fit for the industry, says Ted Hoy, senior vice president and general manager of Optum Cloud Solutions. Powered by two data centers owned by Optum, Hoy hopes the community cloud will eventually be able to offer Iaas, SaaS, PaaS for customers.

The service, Hoy says, has differentiating features tailored specifically for the healthcare industry. HIPAA regulations, for example, regulate how secure certain information must be depending on what it is. An e-mail exchange between two doctors about the latest in medical trends needs a different level of protection compared to a communication between a doctor and a patient. Optum worked with Cisco to create security provisions tailor-made for the system that identifies who is entering information, what type of information it is and who has access to it.

 It's still early days for community clouds and it's reasonable to question the degree to which they'll expand beyond fairly specific (and relatively obvious) uses such as we're mostly seeing to date. At another level though, I see this as another example of how it's hard to call exactly where workloads are going to end up running. Which is why industry analysts such as Gartner are making such a big deal about concepts such as Hybrid IT.

No comments: