Federal agencies have largely touted the importance of cloud migration in their IT modernization efforts, but there are a number of important steps that they need to take to make that migration important.
One of the first steps is looking at business value, said General Services Administration Director of IT Modernization Thomas Santucci at an ATARC event Tuesday.
“We use the application rationalization process to emphasize that holistic approach to calculate total cost of ownership and the total customer experience,” Santucci said. “It’s the only way you know what is working and what it actually costs you to run that system. And then the risk framework — understanding where the risk is with regards to the mission, business and people.”
From there, other key pre-migration efforts that an agency should make include evaluating procurement strategies, as well as ensuring that the workforce is trained and prepared for the cloud migration.
“We find our people aren’t buying [cloud] right or not utilizing it right, so we take you through that whole process of what are the different contract types and the payment models,” Santucci said. "Then part of [it] is the workforce. That is a key strategy that’s been the success or failure of many cloud initiatives. It starts with strategy, coordination at the c-suite level, to have them fully understand what they’re getting themselves into. … You need to ensure that your existing workforce has the skills, knowledge and ability needed to maintain or migrate to the cloud.”
Throughout the cloud adoption process, security needs and federal mandates are also important elements. Santucci recommend DevSecOps approaches for security management, as well as service-level agreements, and he also said that following TIC 3.0 and the recent executive order on bolstering federal cybersecurity will fold in good security standards amid the migration.
With the cybersecurity executive order and recent significant cybersecurity incidents, zero trust adoption is another critical component of cloud adoption. Santucci added that zero trust architecture that agencies form should ideally work in an IPv6 environment, which IT experts have previously advocated for as an enabler of zero trust.
On top of security, Santucci underscored that implementing proper governance and financial structure in place are important as well.
“The governance structure is really important, to utilize the cloud agency experts in the cloud governance policy control policies, and then the finance — which is really important and probably deficient in the government today — which focuses on common cost considerations and tagging strategy to track costs,” Santucci said.
Once an agency has procured its cloud solutions and formed security, governance and financial frameworks, adopting a cloud exit strategy is a critical step avoid vendor lock-in, Santucci said. One of these exit strategy steps is application rationalization.
“Application rationalization is basically just collecting information that you will use to understand where your money is going, how much it cost you year to year, how much technical debt do you have on the books and how you can reduce it and be able to look at it literally in one view,” Santucci said.
Although Santucci hit on the end-to-end requirements of a successful cloud adoption process, he acknowledged that it takes a variety of components and added that GSA has several resources that can help, including Login.gov and Cloud.gov.
“Login.gov and Cloud.gov make cloud migrations really easy,” Santucci said. “There's another group within GSA — the Unified Shared Services division — which is implementing four key strategies on providing shared services. And then they can also create what’s called an M3 playbook on how agencies can easily migrate to the shared services, and it’s a lot of upfront work as well,” Santucci said.