The United States government has gotten some cloud providers to bend. How far will they go?
Is it possible to overstate the importance of Apps.gov to the cloud computing landscape? In one fell swoop, U.S. CIO Vivek Kundra transformed a not-ready-for-primetime paradigm into a government-ready delivery model. However, it might not come up all roses for providers. If they’re willing to bend over backward for the government, enterprise users might start demanding the same treatment.
Google, for example, has begun certifying Google Apps with the Federal Information Security Management Act (FISMA), and plans by next year to build and/or carve out a FISMA-compliant cloud. Judging from Werner Vogels’ comments, Amazon intends to get into the federal-government game, too. The problem is that, thus far, cloud providers (these two in particular) have been unwilling to make similar sacrifices in the name of enterprise customers. Public multi-tenancy and opaque transaction environments have been considered necessary tradeoffs to obtain the benefits of Amazon- or Google-style cloud computing, despite the fact that regulations like Sarbanes-Oxley and HIPAA have significantly limited the ways in which businesses manage their data and conduct their IT operations.
Enter cloud providers like Terremark and Savvis. While less dynamic and flexible than “true” clouds, these hosting-rooted clouds offer dedicated resources and geographical insights off the bat, as well as SAS 70 Type II audits, PCI compliance, etc. It is no surprise that Apps.gov (and USA.gov and Data.gov) are housed on Savvis’ and Terremark’s infrastructures, respectively. Now, in attempts to secure their slices of D.C.’s $75 billion IT pie, Amazon and Google are emulating Terremark and Savvis by hardening portions of their clouds and giving the government visibility into how and where jobs are running.
Going forward, what is to stop enterprise customers from demanding that Amazon and Google treat them comparably to the federal government? Certainly, entire industries – financial services, health care, law – have the money and the clout to make legitimate claims for special treatment. Some individual corporations might even have IT budgets enabling them to make compelling claims in the same vein. Now that enterprises know it’s possible to get off the public parts of the Amazon and Google infrastructures, and to have their strict regulatory needs met, I expect the pressure will starting mounting for these providers to capitulate – at least on an industry-wide level. If they can but do not, potential customers might be willing to forgo the flexibility of these platforms for the compliant nature of the Terremark and Savvis platforms.