The hidden complexities of cloud-based e-mail

William Corrington was formerly chief technology officer at the Interior Department and is now cloud strategy lead at Stony Point Enterprises in McLean, Va.

Let’s say you’re a federal CIO and you’re responding to the new “cloud first” policy. You and your team have analyzed and prioritized existing IT systems and determined that your agency’s e-mail system will be one of the first three to move to a cloud service provider. Great! Now you just need to identify a vendor, sign a contract, and sit back and relax, right?

Not so fast. E-mail is an excellent fit for cloud computing, but it’s important for agencies to recognize that delivery of e-mail services is a complex undertaking, regardless of whether those services are delivered via a cloud-based or on-premise model. A comprehensive 21st-century messaging infrastructure must augment basic mail, calendaring and scheduling functionality with instant messaging, anti-spam and antivirus filtering, data loss prevention, support for multiple types of mobile devices, message archiving, and e-discovery support. All that functionality must integrate with the agency’s network and security infrastructure, and don’t forget: It’s mission-critical.

The good news is that moving the messaging infrastructure to a cloud service provider transfers much of that operational responsibility to the vendor. The bad news is that I don’t believe agencies will be able to move 100 percent of their messaging infrastructure to an external provider. At a minimum, I expect that agencies will retain ownership of some responsibilities, such as identity federation so they can integrate directory information with the cloud service provider. Also, until all users have been migrated, a coexistence capability must allow in-house e-mail and cloud e-mail users to communicate with one another, which will increase the system’s overall complexity.

So how can agencies ensure success? The answer lies in the use of financially backed service-level agreements incorporated into the cloud vendor’s contract. Unfortunately, vendor-defined SLAs for messaging services typically focus on a single metric: system uptime. Although 99.9 percent uptime is nice, relying on a single metric fails to address many important aspects of this complex environment.

First, agencies need to ensure that they and the vendor have clear agreement on who will be responsible for which components of the messaging infrastructure. The contract should also clearly identify what is and is not included in the system uptime metric. For example, is e-mail delivery to mobile devices considered part of the metric? What about the message archive that supports e-discovery?

Second, agencies should negotiate for SLAs that address operational realities such as response times from the vendor help desk to the agency’s tier-one help desk. An agency might also want to establish response-time metrics specific to agency leaders and other VIPs. And agencies should have a clear understanding of how to make sure any problems are resolved quickly.

Third, agencies must ensure that SLAs address security requirements. Maintenance of Federal Information Security Management Act certification is obvious, but what about the one-hour reporting requirement in the event that personally identifiable information is released? What about allowing agency security personnel to access vendor incident logs and other information needed to support forensic analysis?

Cloud-based e-mail offers many benefits to federal agencies. But before embarking down that path, CIOs should consider the full scope of their e-mail operation and how it will translate into the cloud model. That analysis will inform the creation of high-value SLAs that will allow CIOs to effectively deliver cloud-based e-mail services to their users.