The Defense Department is working on ways to ease the migration of sensitive data to the cloud, which could spur data center consolidation, according to its acting IT chief.
The Pentagon is exploring whether commercial cloud providers could be the conduit that connects sensitive DOD data to the cloud, according to John Zangardi, DOD’s acting CIO. Being able to move data more easily to the cloud would allow the department to shutter data centers more quickly, saving money and resources.
However, it will not be an easy lift, and the DOD is still exploring its options.
The department is behind schedule on data center closures, and said in August 2016 that it would launch a “data center closure team to assess and recommend closures of the costliest and least efficient facilities beginning in the first quarter of fiscal year 2017.” That work began in November 2016 and has continued.
However, according to a May 2017 Government Accountability Office report, as of August 2016, DOD had 3,758 data centers (37.6 percent of the government’s total 9,995) and had closed only 708 of them, or 19 percent. By the end of fiscal year 2019, the Pentagon plans to close 1,598 data centers, or 43 percent of its total.
Moving data from on-premises servers to the cloud has proved difficult. Federal News Radio reports:
That’s partially because for impact levels 4 and above, not only do providers have to earn authorizations that go above-and-beyond the governmentwide FedRAMP process, any data they process also has to make its way through a DoD-provided Cloud Access Point (CAP).
What is the CAP? FCW notes that it is “the security conduit through which” the Pentagon connects to the commercial cloud, and the DOD has been using it for more than two years. “The CAP serves as a demarcation between the DOD Information Network and commercial cloud providers; the CAP’s sensors allow [the Defense Information Systems Agency] to monitor traffic passing through it.”
Zangardi said he has asked his office to revisit CAP policies, potentially allowing commercial cloud providers to offer something similar to the CAP.
“It’s my job to ensure the most effective IT support to the warfighter and to make best use of resources, so the question to my staff is, ‘How can we do CAP better?’” Zangardi said last week at the Defense Cyber Operations Summit in Baltimore, according to Federal News Radio. “Specifically, can it be provided as a service? It’s a significant question, but if it is resolved, it should open opportunities for services and components to move more quickly to commercial cloud providers.”
The report notes that current Pentagon rules require “all network traffic that’s making its way between DOD systems and a commercial cloud provider to pass through government-operated monitoring systems — firewalls and other intrusion prevention systems — even when the cloud provider’s system is operating entirely within a DOD facility.”
The issue has clearly been on Zangardi’s mind. Earlier this month at the AFCEA Army IT day, he noted that “there are a lot of barriers” to data center consolidation but “they are not unreasonable,” according to FCW.
Some of those barriers are related to the age of the data being stored, the age of the systems and data migration in general. Modernization of legacy systems is also a major factor. “That drives cost, that drives schedule,” he said.
However, Zangardi noted that the CAP is an issue. “We have met with several vendors over the last couple of months, and I've tasked my team to look at the policy for the cloud. And right now, industry and some folks view [Cloud Access Point] as a bottleneck,” he said. “Can CAP be provided as a service?”
Even if a cloud service provider is certified for impact level 4 or 5 data, most of them “still have a back door to the internet,” Zangardi said.
“We have to make sure that our data is protected from that back door to the internet,” he added. “That was the purpose of the CAP in the simplest terms.”
DOD might be able to set a standard for vendors, so that they can then provide “the same data invisibility as the current CAP.”
Another barrier to data center consolidation: figuring out where to move data center workers. Military members can be moved relatively easily with new orders, but civilian workers are tougher.
“Civilians are a little bit more challenging because every civilian has a particular position description so you have to find a way to move them into a different occupation,” he said, according to FCW. “It’s a doable thing, but repurposing takes a little longer there.”
Zangardi said there is often a cultural resistance to consolidation because people want their servers nearby. “They like to have their control of whatever it is they have,” he said.