It's easy to see why an IT leader would be attracted to cloud computing - a mode of computing where users subscribe to services, like data storage, applications and other operational functions that they access over the Internet. Technology heavyweights like Google and Amazon host these services "in the cloud," which means on the Web, so users don't have to spend their own time, money and manpower managing these services themselves.
Many people find the idea of saving in the cloud downright heavenly. In fall 2008, analysts from research company IDC forecast that spending on cloud services would reach $42 billion by 2012, largely because of organizations' desire to shed operational costs. Another major reason is the speed of implementation. CIOs who use cloud services report that they like how fast they can offer a service or application to their end-users, according to IDC.
But sometimes these mainstream, shared "public clouds" aren't what organizations - and government in particular - want when the subjects of privacy and security are raised.
"They want to keep their data and information within their firewall. They want their own people to manage this data," said Sajai Krishnan, CEO of ParaScale, a company that provides cloud computing solutions. "And those are additional levels of comfort that you get when you have it in your own environment."
This brings us to the "private cloud," a type of cloud that companies like ParaScale help customers create. Agencies that want cloud capability without relying on a third party can purchase technology to build clouds on private networks that they own and manage.
According to Shawn McCarthy, an IDC research analyst, many IT leaders perceive that their organizational assets are safer inside their clouds instead of drifting inside one of the giant vendor-operated clouds on the Internet. "There's a certain unknown when you go through a secure provider," he said.
Missouri is working on a virtual desktop initiative that will let the IT department provide application services remotely to various departments in a pay-per-use scenario. In this case, it's an internal, virtual cloud that users access on remote desktops. State CIO Bill Bryan said people adopt the cloud model for simplicity and ease of support, but security is also factored into the equation.
"States have obligations to their taxpayers to protect and secure data," Bryan said, "and we're still uneasy about allowing the data to be stored on a remote server or the service to be provided from a remote server that's outside of the state."
When agencies migrate to the cloud, they're essentially handing off the management of important data and processes to third parties they don't know and can't control. There are contracts and agreements, of course, but also leaps of faith.
"I think that some missions will never be done in a public cloud. There may be security reasons; there may be capability reasons; and there may be public policy reasons. There are all sorts of reasons why you would not want some types of information in a public cloud. And those reasons will trump any financial advantage," said Kevin Jackson, vice president of Dataline, an integrator that helps the federal government adopt cloud systems, and editor of the Government Cloud Computing e-zine.
Jackson's forte is federal technology, and he said there are times when government customers want to know more about what's happening with their data than some public cloud providers will divulge.
"They can't just take the offerer's word that anything's secure, so they need visibility. That may be difficult for the commercial offerer because their competitive advantage is in how they put their infrastructure together so they can provide this service at a low cost," he said. "They want to make sure that anything they show to the government is not going to somehow wind up at their competitors."
Public CIOs must ask themselves if they want to build a private cloud. The size of their agencies might determine whether they want to have a vendor-hosted or internal cloud.
"It comes to economy of scale. If I have five salespeople sitting in my organization, it's not going to be cost-effective for me to build my own system and have it customized for those five people to use it. So I would go and outsource what I need for sales management to Salesforce," McCarthy said of the on-demand customer relationship management software. But a larger organization might choose otherwise. "At a certain point, you have to say, 'I would rather build my own because the price I'm paying on a per-seat basis is more.'"
Thomas Bittman, an analyst for IT research firm Gartner, also thinks smaller organizations would be better served going public.
"It doesn't make any sense, especially for a small organization or local government," Bittman said. "For a school district, it doesn't make a lot of sense to build even your own e-mail. Why should I manage my own e-mail environment when I could either get it free or buy it cheaply through Google?"
It's not like no one has heard of pilot projects. After all, many believe there's nothing wrong with starting out small with a private solution before going for a larger deployment.
"When people think about these clouds, one of the constant misconceptions is that it's so difficult. It's some über-globe spanning thing that somehow, unless it's Amazon, we would not be able to do it - that's completely false," Krishnan said. "You can start small, and you can try it out."
Krishnan said it wouldn't be problematic for a group to take some Linux servers and divide resources in a shared-access environment for multiple end-users, either for storage or computing functions. If an organization has the resources, its IT strategists could look at public-vendor clouds and say, "If they can do that, so can I."
"People got interested in what Google was doing and what Amazon was doing and asked the obvious question, 'How come they can do it in-house? I've got 200 IT guys,' or 'I've got a community of 70,000 people. Why can't I do what they're doing?'" Krishnan said.
When organizations decide to go private, it may be because public cloud services don't have what they need.
"There are quite a few services that just aren't there yet, or aren't mature, or aren't secure," Bittman said. It's also possible that the service-level agreements just don't provide the functionality that's required, like what may be found in the health industry. "The regulations they're required to follow are stringent, and it makes it very difficult for them to leverage cloud computing and fulfill regulatory requirements."
So it's possible that organizations will build their own clouds to handle unique processes while they weigh their options.
"We will host our services in-house, but that's not to say that that won't change," Bryan said of Missouri's virtual desktop initiative. "I'm sure next year we won't go to a private solution for everything, that's for sure."
Bittman foresees the private cloud as a steppingstone to the public cloud for some users. The public cloud is the final destination, and the private cloud is a precursor. But as cloud computing in general evolves, people aren't sure what that destination will look like.