As various components of the Defense Department have begun to move their IT systems to cloud environments over the last several years, they’ve faced at least one significant constraint: a lack of commercial cloud platforms authorized to host classified data.
But that’s expected to begin changing in a major way in 2018. By the end of the year, Defense customers are likely to have three or four commercial options to choose from when it comes to hosting secret-level data in the cloud.
Although the Defense Information Systems Agency already offers classified services via its government-operated milCloud offering, a commercially-operated 2.0 version is expected to be available for use by the end of the year. DoD is also likely to certify Microsoft and Amazon’s cloud offerings for secret data — or “impact level 6” — in a way that would make their products widely available for customers throughout the department to use by that time, said John Hale, DISA’s cloud portfolio chief.
In addition, DoD’s Cloud Executive Steering Group is working on its own acquisition strategy for a cloud offering that officials have made clear will need to include classified data capabilities.
“When a mission partner comes to us, whether they leverage an off-premises cloud capability such as Amazon or Microsoft Azure, Oracle, Salesforce, whoever it happens to be, or whether they leverage our on-premises capabilities such as milCloud, we’re good,” Hale said in an interview. “As long as they can meet their mission needs and we’re able to satisfy their needs and provide them services, we really don’t have a preference which way they go. I can be the honest broker in the room and make sure mission partners are making good choices.”
Some of the key choices DISA is trying to help Defense customers make involve the timing of their migration of any particular application to a cloud environment.
Although it’s now widely accepted throughout the department that the benefits of cloud computing include greater mission assurance, agility, and improved capabilities to process and deliver information to the tactical edges of the military’s networks, some of its earliest migrations from legacy data centers were conducted primarily for cost reasons.
And in some cases where applications weren’t optimized for cloud environments, hosting them there wound up costing Defense organizations more, not less.
“What we’ve found is that as mission partners take legacy applications that were poorly designed to begin with — they have been running in traditional data centers and haven’t been modernized — they can be chatty, they have lots of interfaces with legacy systems, and so one of the things we push mission partners very, very strongly towards now is app rationalization,” Hale said. “The first step in moving to the cloud is app rationalization, doing a hard look at everything that you own and operate and making sure that these really do fit in the cloud model. If they don’t, then you need to make some key decisions. Do you modernize them, or do you kill them? And those are hard decisions that mission partners have to make between now and the time they move their stuff to the cloud.”
Application owners also must decide how they plan to meet DoD’s cybersecurity mandates once their systems are moved out of government data centers and into cloud environments. Although all of the department-approved cloud service providers have earned authorizations attesting that they meet DoD’s cloud security requirements guide, those authorizations generally apply only to the underlying infrastructure — not to the security of the individual applications and operating systems running on it.
Security at that level still belongs to the DoD component that owns the application, a set of responsibilities DISA has laid out via its Secure Cloud Computing Architecture (SCCA).
“SCCA is about putting the necessary pieces in place so that those mission owners can meet all the security requirements while also sending back critical information from a cyber perspective so that we can aggregate that data to find the tipping point information about an adversary and attacks,” Hale said. “Once that data comes back, we put it into our big data analytics system, which has a myriad of artificial intelligence tools and machine learning capabilities from lots of different commercial providers to look for potential attack vectors that might otherwise just look like noise. But in the grand scheme of things, we can take all that information and kind of pick out the pieces where we can see the adversary is attacking.”
And although SCCA prescribes the sorts of cyber information DoD wants to derive from its cloud-hosted systems, it leaves application owners a fair degree of flexibility about how to implement the architecture.
“We’ll have lots of options about how they want to meet their security requirements,” Hale said. “One option is they can ‘roll their own’ — we’ll give them the blueprint, all the artifacts about what capabilities they need and what software and hardware packages meet those capabilities, and they can build their own, or they can use ours, which is a set of shared services that DISA offers. And I think you’re going to see the big guys start to offer their own suite of services — above and beyond their cloud service hosting capabilities — that allow DoD mission partners to meet those security requirements without necessarily having to go to another vendor. Likewise, I think you’ll see some third-party vendors who will get in that space also. It’s a space in which a lot of vendors have worked inside DoD data centers in the past; it’s well-known to them. So simply transposing that into a commercial cloud environment is pretty straightforward.”