Moving to a cloud environment goes beyond just changing technology; it’s about transforming the way business is done to better align with agency missions and use advanced features. Beth Wisneski, the supervisory IT specialist and cloud engineering team lead at the Food and Drug Administration (FDA), highlighted this during a recent webinar hosted by REI. The event centered on the General Services Administration’s (GSA) new Cloud Operations Best Practices & Resource Guide, a tool aimed at helping agencies effectively develop, maintain, implement, and manage their cloud operations.
“We needed to adopt a new way of doing business and look at how we could best accomplish our goals in the cloud,” Wisneski said, referring to FDA’s move to a multicloud environment. This transition involved harnessing cloud agility, changing governance structures, and giving more control to application teams.
GSA’s new guide is designed to help federal agencies tackle these concepts for successful cloud operations. It brings together cloud experts from GSA and various other agencies, focusing on four key areas: Leadership, Business Management, Security, and Cloud Platform Engineering. The goal is to optimize cloud use in a way that best supports agency missions.
Agencies need to grasp the changes in IT responsibilities and investments when transitioning from on-premise infrastructure or data centers to the cloud. For example, they’ll take on full responsibility for the cloud’s system security and functionality. The guide details the management differences among the three cloud models – Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service – to help agencies navigate these changes.
The guide includes tips and best practices for effective leadership in cloud adoption, such as creating a solid strategy, understanding the agency’s existing IT setup, and implementing strong organizational change management.
Leaders must assess whether their agency requires a multi-cloud or hybrid architecture, and which operational structure and design best supports a growing cloud infrastructure. The guide may help leaders choose a secure and reliable service within budget that meets that meets quality and mission requirements with minimal operational risk.
Business management plays a key role in cloud operations, focusing on the backend tasks necessary to keep cloud environments running smoothly. The guide delves into important areas like managing finances and costs, tracking performance, handling capacity (like data processing needs), ensuring quality, overseeing vendors, governance, managing portfolios, and planning workforce needs.
During the webinar, Bill Kasenchar, a principal at REI and a subject matter expert in Technology, Business Management (TBM), and FINOPS for the governmentwide TBM Program Management Office in GSA’s Office of Government-Wide Policy, highlighted a key distinction: “You put something in the cloud and even if you’re not using it, you’re still paying for it. The idea that you can just set it and forget it, those days are over.”
Agencies need to be thoughtful about what they choose and buy for their cloud operations. According to Kasenchar, it’s key to adjust cloud resources as needed, either increasing or decreasing them based on immediate requirements.
This becomes even more important when thinking about an agency’s size and budget. Kasenchar stressed the importance of alignment: “Your forecast and your contracting for that cloud spend really aligns with the reality of what you’re going to spend,” he said. Cost considerations depend on storage needs, cloud service providers, capacity, and more.
To make the most of cloud management, GSA advises agencies to actively establish financial and operational transparency across different teams. This approach involves building a culture of openness, streamlining processes, and ensuring data sharing. Such measures allow agencies to better plan their funding needs, investments, and purchasing strategies.
Plus, having full insight into their resources helps agency leaders make informed decisions, buying just what’s needed for their specific environment. This strategy leads to better investment returns, more efficient performance, and improved capacity and quality management. The guide also walks agencies through various migration scenarios, each suited to different business management requirements.
On the security front, despite existing cloud security mandates from entities like the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency, among others, agencies still need to proactively set up and follow their own policies and procedures.
The guide helps to identify security best practices, navigate through the various federal mandates, outline changing security team responsibilities as agencies migrate from on-prem to cloud and more. It also outlines the security benefits of bringing on the cloud — including robust monitoring, network boundaries, identity and access management, encryption and off-site data, zero trust, and automation and orchestration — and how best to plan for and leverage these capabilities.
Managing these new security capabilities, authorizations, and standards calls for a change in responsibilities, documentation, and frameworks. It also requires a fresh understanding of security for advanced features like APIs and automation. The guide covers these shifts and more.
Operating a cloud environment also means a change in engineering and technical considerations. This is truly where transformation comes in. The guide suggests focusing on requirements rather than replicating current processes and procedures in the cloud and provides a helpful migration map and lifecycle outline to do so.
This takes agencies through migration best practices from provisioning and design to deployment and operation. Even once deployed, the guide provides necessary considerations for sustainment, like monitoring, optimization and tuning, network considerations, software updates, and more.
For example, Wisneski said when FDA first adopted a cloud environment in 2015, it was configured in a way to emulate the on-premise architecture to keep business practices consistent. Yet, as technology evolved, there was a need to implement a more modern multicloud architecture that allowed for new functionalities.
FDA implemented a multicloud architecture, offering better functionality and control for application teams to use cloud capabilities. GSA’s new cloud operations guide helps agencies plan for innovation ahead of time.
“Don’t try to emulate exactly what is on-prem,” Wisneski said. “Focus on what the requirement is and then determine the best way to accomplish that requirement in the cloud, and that is not just for technical aspects . . . that’s also for reporting, governance, budget.”
This approach allowed Wisneski’s team to plan for requirements, rather than antiquated processes. They applied proper governance and guardrails while enabling application teams to self-service provisioning, control cost and security, and minimize risk.
Ultimately, planning is key to successfully integrating cloud, and the guide provides best practices, necessary considerations, and the proper mindset to do so throughout the entire cloud operations process.