U.S. Department of Defense is moving more data to the cloud and wants a closer partnership with commercial cloud providers.
Currently, the Defense Information Systems Agency (DISA) is providing these services, but cost savings considerations have the DoD assessing commercial alternatives for some types of data.
The DoD plans to use more commercial IT services and infrastructure on the whole where it makes sense. At a recent industry day, acting DoD CIO Terry Halvorsen revealed the DoD is considering a commercial solution for the next version of its unclassified enterprise email.
The move to cloud is driven by cost reductions, technical efficiencies, and security considerations. In the early stages of transitioning to the cloud, it’s important to communicate with defense industry partners, Halvorsen said in a recent DoD release.
He also said that it’s important to move all non-sensitive data, such as public-facing websites. to the commercial cloud as soon as possible.
Halvorsen has spoken extensively at conferences about the DoD and cloud. During a March MeriTalk event, the Navy's move to cloud was highlighted.
DISA is feeling pressure to reduce costs. Halvorsen praised the agency during a recent DoD Cloud Industry Day for reducing costs 10 percent, but said these reductions are not enough.
The event was the first in a series of planned Cloud Industry Days. The events are meant to create an open dialog on driving modernization and streamlining of government IT.
The DoD released a new security requirements guide several weeks ago, which outlines security demands specifically from cloud service providers. Those providers meeting FedRAMP standards are eligible to handle the DoD’s less sensitive data without any additional security.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Just this week, VMware was added to the short list of FedRAMP-certified IaaS providers, which also includes Amazon Web Services, Microsoft, IBM, and HP, among others.
Currently, the department is requiring a “FedRAMP Plus” certification that provides additional layers when dealing with more sensitive data. The goal is to get FedRAMP up to snuff in general as a national standard. This will involve dealing with different types of data differently, outlining vertical-specific needs.
Certain types of data will remain inside the government because of financial, technical, and political risk. This is where VMware has a special advantage, since it omnipresent in government data centers already and since its IaaS is specifically designed to make it easy for users to extend their in-house environments to a public cloud.
DISA has a cloud services product portfolio called milCloud. It combines commercial and government-built technologies for users to build and maintain DoD applications.
The agency opened the milCloud marketplace to Defense Department mission partners last October. It provides access to both classified and unclassified services.
DISA is not simply a cloud broker, as DoD Principal Deputy Alan Estevez pointed out at the industry day event. It develops tools to show the pluses and minuses of going to cloud. The biggest cost drivers are people and security. It’s also important to determine the right level of security for different types of data.
Security Remains a Top Concern
Recent surveys, such as MeriTalk’s “Cloud Without Commitment” and “Heart of the Network: Data Center Defense,” show security issues continue to be top-of-mind among agencies dealing with cloud and data center consolidation.
The surveys look at what types of applications are moving, and where concerns lie. They both reveal extreme interest but also apprehension in the very early days of the overhaul.
Less than 20 percent of federal agencies are delivering more than one quarter of the agency’s IT services either fully or partially via the cloud, according to one survey. The early movers are email, web hosting, storage, collaboration environments, and testing and development.
What hasn’t been moving is traditional business applications, custom applications, and disaster recovery, with only a third of those using cloud having moved these applications to cloud in some way.
Security's Big Role in FDCCI
While FedRAMP deals with security, the Federal Data Center Consolidation Initiative’s goal is to reduce the number of physical data centers.
In a MeriTalk survey, over 40 percent of respondents said integration will prove to be the top security challenge of FDCCI.
Nearly half say that cyber security is more challenging as they modernize, and 70 percent are concerned about security within the data center fabric. The study was underwritten by Palo Alto Networks.
Nearly three quarters give their agency a grade of “A “ or “B” for security efforts during modernization, but half say key security measures are still absent. Automation, mobile device management, and endpoint security management are at the top.
The report identifies advanced targeted attacks and advanced persistent threats, malware on host servers, and network viruses as the top three concerns.
“Many agencies have focused security efforts at the perimeter,” Steve Hoffman, a regional sales vice president at Palo Alto Networks, said. “But, as we consider increasingly sophisticated cyber security attacks, all government agencies need a platform approach to protect the heart of their network – the data center – while safely enabling business applications. They need to be able to correlate known and new threats and take preventative action, not just detect and remediate.”