Wednesday, October 2, 2013

My PC (private cloud) conversation with .@mitchwagner

Mitch Wagner has held a number of tech journalism jobs, and is currently the editor-in-chief of Internet Evolution. He also maintains an active Google+ presence, and threw this into his stream yesterday (on the first day of the Obamacare insurance exchanges).

Problems on the launch day of a big system like this are predictable. But if the technical glitches don't get resolved fast, they'll badly hurt Obamacare politically.

The comments that Wagner received were generally from a technical perspective, noting that this was a technical problem that could easily be solved. For example, Chris Lau asked, "How hard is it to forecast the volume?" My reply touched upon the business issues that go beyond the technical issues.

Forecasting the volume is the easy part. The hard part is getting corporate approval to build a system to support peak loads rather than average loads - CFOs balk at those kinds of so-called "unnecessary" expenses, especially when they are orders of magnitude above a non-peak load system.

Think about it. Go to your Chief Financial Officer and say that for most of the six-month period, and thereafter, the requirements can be handled by a $10 million system, but because of peak load at the beginning of the six months and at the end of the six months, you need a $100 million system. The chances of your CFO saying, "Wow, let's spend all of that money and handle the peak loads properly!" are nil. (Which is why many technologists make lousy CFOs, and vice versa.)

Anticipating the possible next question - why not use cloud technology to scale to meet the peak load? - I continued my comment on Wagner's feed:

And before you reply "cloud cloud cloud cloud cloud cloud cloud," remember that the sites are dealing with medical data, and therefore the site managers will want ironclad assurances from the cloud provider that they are completely compliant with every sub-paragraph of HIPAA. They'd rather risk a site shutdown than a lawsuit.

In my day job I mostly deal with law enforcement customers, and many of those customers in my home country have to deal with something known as the CJIS Security Policy. It's not HIPAA, but it has its own set of regulations. Can a cloud provider be expected to effectively handle HIPAA AND the CJIS Security Policy AND the hundreds of other government regulations?

That's where Mitch Wagner entered the conversation. He began:

Private cloud private cloud private cloud private cloud private cloud private cloud private cloud.

Then Wagner continued:

We're talking about the US government here-- hardly a startup. It would make sense to build elasticity to handle extraordinary loads that would be available to any federal agency that needs it. One day it's used for a rush in demand at On April 15 it would be used for last-minute tax filers. And so forth.

Wagner has a point. And IBM's Sujatha Perepa recently talked about government cloud use:

While cloud deployments are mainly considered to contain costs by sharing services and infrastructures, government agencies have also devised innovative means of ensuring compliance across the enterprise (FedRAMP, for example). They’ve also been able to lower barriers to new business creation. Additionally, cloud adoption is helping governments to improve business flexibility despite their back-end silo systems. The U.S. Army, Air Force, Navy, DOJ, USDA, Department of Education and more have been early cloud adopters, setting the trend and direction for others to follow.

The federal government isn’t solely relying on the same cloud computing model that hosts some of your favorite consumer applications delivered via the cloud like Netflix or Instagram. The private cloud environments they operate in definitely leverage some of the characteristics of elasticity in those public clouds but they need to be more reliable to handle mission critical workloads. That’s why IDC says that by FY 2014 U.S. Federal government spending on private cloud will be $1.7 billion vs. just $118.3 million on public cloud.

Now I'll certainly admit that there are challenges in allowing the IRS to use cloud services one day, and allowing Health & Human Services to use them the next - you may know how I feel about the chances of bureaucracies working together - but there's admittedly a better chance of having U.S. government agencies share a private cloud than of having them share services on, say, Amazon.

And I may even be wrong about that:

AWS GovCloud (US) is an isolated AWS Region designed to allow US government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. The AWS GovCloud (US) framework adheres to U.S. International Traffic in Arms Regulations (ITAR) regulations as well as the Federal Risk and Authorization Management Program (FedRAMP℠) requirements. FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. AWS GovCloud (US) has received an Agency Authorization to Operate (ATO) from the US Department of Health and Human Services (HHS) utilizing a FedRAMP accredited Third Party Assessment Organization (3PAO).

Leveraging the HHS authorization, U.S. government agencies can evaluate AWS GovCloud (US) for their applications and workloads, complete their own authorizations to use AWS, and deploy systems into the AWS environment.

Hmm...wonder if they support the CJIS security requirements?