Cloud services: A cloudy forecast for state and local governments
Cloud services continue to grow exponentially, flourishing into a multi-billion-dollar industry. According to a survey by Synergy Research Group, the global cloud infrastructure services market grew by 35 percent in 2020, with the top five cloud providers (Amazon Web Services, Microsoft, Google, Alibaba and IBM) capturing more than 70 percent of the market share. In a soon-to-be-published “2023 CompTIA Public Technology Institute (PTI) State of City and County IT National Survey,” 69 percent moved on-premises infrastructure (storage, virtual machines, etc.) to a private cloud. Similarly, 71 percent shifted from using a local version of an application to a cloud application (SaaS). About 30 percent stated they are using a managed services provider, and another 25 percent are considering doing so this year. Outside of the survey, many local government IT leaders have expressed frustration toward many leading vendors who are no longer offering on-premises solutions, thus forcing them into the cloud.
Cloud services were not always on IT managers’ agendas; some 15 years ago, many strongly opposed even the concept. They feared loss of control, added cyber risk and data loss responsibility, to name just a few concerns. Adding to some of the fog, there appears to be some confusion in labeling a cloud service vs. a managed service provider. There are differences, but the common denominator is that they all rely upon a third party providing remote or cloud-based services.
The federal government got its first cloud strategy jolt with the presidential Federal Cloud Computing Strategy in 2011, commonly referred to as “Cloud First.” This was the first big push to consolidate services and move data processing to the cloud. In 2017, the “Cloud Smart” Initiative was born. Building upon the former initiative, Cloud Smart’s strategy was founded on three key pillars of successful cloud adoption: security, procurement and workforce. States and localities benefited from the earlier experiences of their federal counterparts, and soon cloud became the offering of choice. More recently, the pandemic relied on cloud services, thus providing superior access, security and speed at getting to the communications and/or data needed in real time.
While there is little doubt as to the advantages of cloud services, there is growing concern about the accountability of cloud service providers, including a lack of best practices and many one-sided contracts. One IT leader who had recently moved to a new and larger government jurisdiction was shocked to find a previous cloud contract that did little to protect them when moving to a new service provider. In fact, they were told that while the data could be returned, it would be in an unreadable format, and if they were to take the time to make it readable and easy to migrate to another service provider, it would cost nearly $2 million.
Adding to the growing list of concerns are rapidly growing cybersecurity incidents affecting both cloud service providers and their customers. In May 2022, the federal government took the extraordinary step of issuing an advisory with the headline, “CISA, NSA, FBI and International Cyber Authorities Issue Cybersecurity Advisory to Protect Managed Service Providers (MSP) and Customers.” The advisory focused on what they see as an increasing collective vulnerability threat regarding cyber-attacks on managed service providers and their customers. The advisory went on to list five suggested best practices but, being advisory, there were no requirements to do so, at least for now.
Despite the many benefits of cloud services, security remains a major concern for state and local governments. Cloud security affects both the public and private sectors, and according to a survey by the Cloud Security Alliance, the top security concerns for companies include data privacy, data sovereignty, and the security of the cloud service provider.
The list of concerns is nothing new, but some find it surprising that after a decade they remain fresh. The list includes:
Security and privacy concerns: Governments are responsible for safeguarding sensitive information, such as citizens’ personal data and classified information. This raises concerns about the security of information stored in the cloud, as well as access and the privacy of that information.
Regulation and compliance: Governments are subject to a number of regulations, such as data protection laws, that must be complied with when using cloud services. This can be challenging, as cloud service providers may not have the same regulatory requirements as governments. And some lack the ability to comply due in part to local capacity and limitations on software offerings.
Interoperability: Governments need to ensure that cloud services are compatible with their existing systems and processes. This can be difficult, as cloud services may use different technologies and standards.
Cost: Cloud services can be expensive, particularly for government agencies that require large amounts of storage and computing resources. Governments need to weigh the cost savings of using cloud services against the potential long-term costs of migration and maintenance.
Vendor lock-in: Governments may become dependent on a single cloud service provider, which can make it difficult to switch to a different provider if necessary.
Lack of control: When using cloud services, governments may have limited control over the infrastructure and services they are using. This can make it difficult to address issues, such as downtime or performance problems, in a timely manner.
There is no doubt that cloud and managed service providers are here to stay and will continue to grow. But more needs to be done to protect state and local governments from being taken advantage of. This means there needs to be a new standard for cloud and managed service provider contracts that provides fair and balanced consideration for all parties. Local government managers will need to be ever more careful before signing any agreement. Second, state and local governments need to be assured that the vendors they choose are adhering to best practices and required federal and state regulations, and offer remediation in case of breach or failure. Today, the growth of the nonprofit StateRAMP fills a key need by essentially certifying cloud and managed service providers. In addition, CompTIA has announced a comprehensive in-depth Cybersecurity Trustmark for MSPs. Customers can be assured that these certifications and badges will help them choose the best MSP for them because they will be following the very best practices to help safeguard all parties.
Finally, the weather outlook for cloud computing and managed services remains optimistic, but storm clouds have raised their ugly heads. We need to always be prepared and always carry our digital umbrellas for protection.
Dr. Alan R. Shark is the executive director of the CompTIA Public Technology Institute (PTI) in Washington D.C., and associate professor for the Schar School of Policy and Government, George Mason University. He is a fellow of the National Academy for Public Administration and co-chair of the Standing Panel on Technology Leadership. A noted author, his most recent textbook, the second edition, “Technology and Public Management” was published earlier this year. He is also the host of the popular bi-monthly podcast, Sharkbytes.net.