The Department of Defense’s vision for cloud computing is about more than hosting public websites and data in commercial facilities.
DOD is pursuing several opportunities for migrating sensitive military data to the cloud to reduce costs and boost performance. Options include cloud hosting in facilities outside the United States, moving defense enterprise cloud services such as email to a commercial environment, and modernizing milCloud, the Defense Information Systems Agency’s (DISA) private cloud offering.
“As we work through using commercial providers, DOD CIO is going to make a determination as to whether or not those commercial providers can be used for all unclassified workloads, even national security systems,” DISA’s Chief Technology Officer David Mihelcic told FedTech during the Federal Cloud Computing Summit in Washington, D.C., last week. “National security systems are things that, even if unclassified, are defined as mission critical. They are things that DOD needs to go to war.”
“So that balance is going to be examined and reexamined,” he said of the decision to move national security systems to the cloud.
Until now, DOD required that any sensitive unclassified data be hosted in a private cloud dedicated to the department. Last week, DOD released an updated Cloud Computing Security Requirements Guide (SRG) governing how military data may be hosted in the cloud.
“This SRG [Security Requirements Guide] really modifies that concept, so now sensitive but unclassified data can be processed in a[n] external cloud, a government cloud or potentially even a public cloud that meets our requirements,” Mihelcic explained.
Modernizing DISA’s milCloud
One of the features that makes DISA’s milCloud an attractive option is that it can be used for classified workloads and for hosting national security systems at the unclassified level. DISA plans to analyze how best to evolve milCloud in the future, Mihelcic said. “Do we want to sunset that capability? Do we want to acquire an integrated cloud stack that will be government operated in the future? Or do we want to do something like the CIA has done — let a managed services contract to a cloud provider and have them bring their capability on our premise? Or potentially for us to extend our network into their premise and for them to operate that in a dedicated fashion.”
The only way a commercial vendor would be able to provide classified capabilities for DOD is in a private cloud, Mihelcic said. They would have to set aside dedicated infrastructure and meet DOD security requirements for physical, personnel and communications security. One example is the CIA’s commercial cloud services contract award to Amazon.
This is not a competition between DISA and commercial cloud offerings, Mihelcic said. In fact, milCloud is based on servers from HP, networking gear from Cisco and virtualization capabilities from VMware, all of which are vendors that DISA had been working with.
“There is plenty of business for everyone,” he said.
DISA is in the final phases of a pilot with the Air Force and U.S. Strategic Command to determine the feasibility of offering services such as Defense Enterprise Email in a commercial cloud space.
“That will be one of the things in our kit bag moving forward,” Mihelcic said. “So for unclassified users in the continental United States, it may be that we’ll leverage commercial cloud for provisioning email in the future. And for classified users or for our deployed users, we may still have a dedicated DOD cloud for that.”
Connecting Cloud Workloads to DOD’s Network
For military data hosted in government or public clouds, DISA has a methodology for connecting those clouds to the DOD network through what is called a cloud access point (CAP): a boundary through which all traffic between the cloud-hosted workloads and the DOD network must pass.
Mihelcic defines cloud access points as the security functionality that enables the department to inspect traffic coming to and from workloads in the cloud. The capability enables DOD to detect and mitigate malware, hostile attacks and other malicious activity. “So we have government-purpose-built technology to do that that has been actually operational at the boundaries to the DOD network for more than 10 years at this point, and now it’s being applied to this cloud access point,” he noted. “The other piece that it’s going to do moving forward, it’s going to give us a way to rapidly provision cloud providers onto the DOD network.”
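The security property of a cloud access point is that it is the only path between cloud-hosted workloads and the DOD network, so every flow can be inspected there. The following is an added example, not code from the article and not DISA's cloud access point technology: it audits a set of constructed flow records and flags any workload traffic that reached the enterprise network, or the public internet, without traversing the inspection point, plus any flow touching a constructed indicator of compromise. The address ranges (10.0.0.0/8 for the enterprise network, 172.16.0.0/12 for workloads, 10.255.0.1 for the CAP) and the indicator 203.0.113.7 are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# All address ranges below are assumptions made for this example, not DISA's.
DOD_NET = ipaddress.ip_network("10.0.0.0/8")         # assumed DOD enterprise address space
WORKLOAD_NET = ipaddress.ip_network("172.16.0.0/12")  # assumed cloud-hosted workload space
CAP_ADDR = ipaddress.ip_address("10.255.0.1")         # assumed address of the CAP inspection point
# Constructed indicator of compromise; 203.0.113.0/24 is reserved for documentation.
KNOWN_BAD = {ipaddress.ip_address("203.0.113.7")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow: Flow) -> str:
    """Return the policy verdict for one flow record."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # An indicator match outranks routing policy.
    if src in KNOWN_BAD or dst in KNOWN_BAD:
        return "known_bad"
    src_wl, dst_wl = src in WORKLOAD_NET, dst in WORKLOAD_NET
    if src_wl and dst_wl:
        return "intra_cloud"
    if not src_wl and not dst_wl:
        return "not_in_scope"
    other = dst if src_wl else src       # the non-workload end of the flow
    if other == CAP_ADDR:
        return "via_cap"                 # expected path: traffic is inspected at the CAP
    if other in DOD_NET:
        return "bypass_cap"              # reached DOD space without traversing the CAP
    # Any other peer is the public internet, so the CAP was not in the path.
    return "direct_egress" if src_wl else "direct_ingress"


VIOLATIONS = {"known_bad", "bypass_cap", "direct_egress", "direct_ingress"}


def audit(flows):
    """Group flows by verdict; return (findings, number of policy violations)."""
    findings = defaultdict(list)
    for f in flows:
        findings[classify(f)].append(f)
    count = sum(len(v) for k, v in findings.items() if k in VIOLATIONS)
    return dict(findings), count


# Constructed sample flow records (not real DOD or DISA data).
SAMPLE_FLOWS = [
    Flow("172.16.4.10", "10.255.0.1", 443, "tcp"),     # workload -> CAP: expected path
    Flow("10.255.0.1", "172.16.4.10", 443, "tcp"),     # CAP -> workload: expected path
    Flow("172.16.4.10", "172.16.9.2", 5432, "tcp"),    # intra-cloud database traffic
    Flow("172.16.4.10", "10.20.30.40", 445, "tcp"),    # workload -> DOD host, bypassing the CAP
    Flow("172.16.4.11", "198.51.100.9", 80, "tcp"),    # workload -> internet, CAP not in path
    Flow("192.0.2.55", "172.16.4.11", 22, "tcp"),      # internet -> workload, CAP not in path
    Flow("172.16.4.12", "203.0.113.7", 8443, "tcp"),   # workload -> known-bad indicator
]

if __name__ == "__main__":
    findings, violations = audit(SAMPLE_FLOWS)
    for verdict, flows in sorted(findings.items()):
        for f in flows:
            print(f"{verdict:15} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(f"{violations} policy violations")
```

The check is deliberately about path, not content: a workload that can reach the enterprise network or the internet without passing the CAP defeats the inspection the article describes, whatever the traffic contains. In a real deployment the same rule would be enforced in the cloud routing tables and confirmed from the provider's flow logs rather than from a hand-built record list.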
For Mihelcic, seconds, minutes or even a day would be a big improvement compared with the weeks or months it takes DOD users to place a call order against an existing contract and get cloud capacity.
DISA Eyes the Navy’s Partnership with IBM
As the entity charged with tracking how DOD operates cloud connection points and what technology is operating across the network, DISA is exploring private cloud deployment models that would put commercial cloud technologies in DOD data centers or adjacent to them.
One option could be a path the Navy is charting with IBM at the Allegany Ballistics Laboratory (ABL) in Rocket Center, W. Va. IBM has a contract to operate a data center there and is standing up a cloud capability at the sensitive but unclassified level that will potentially be able to host Impact Level 4 data (controlled unclassified information) and Impact Level 5 national security systems, Mihelcic said.
“That may be a pathfinder for how we want to do cloud computing in the future,” he added.
DISA is also exploring arrangements where providers would lease space in a DOD facility and provide cloud capabilities.
Currently, the requirement is to keep military data in U.S.-based data centers so that DOD maintains data sovereignty, meaning a foreign government can’t take possession of the data. Through enhanced lease agreements, DOD could maintain data sovereignty overseas by allowing industry to rent or build space on its own properties there.
“We’re just looking at the best trade-off in terms of security, cost and performance,” Mihelcic said.