Almost every government agency is moving some part of its infrastructure, platforms, or software onto the cloud. But that job is tougher for some agencies than others. For instance, if you’re an especially large agency, with staff operating in every environment across every part of the world, and you’re dealing with massive amounts of incredibly sensitive information, you might have a tougher go of it.
Yes, I’m talking about the Department of Defense—the oldest and largest government agency, which is also trying to move many of its services to the cloud.
At today’s GovLoop event, Evolution of the Cloud, Rob Vietmeyer, Chief Information Officer within the Enterprise and Integration Directorate at DoD, described the evolution of cloud strategies within the department.
Upfront, Vietmeyer admitted that the cloud transition is a challenge laden with misunderstanding. Just last week, he said, someone called the Inspector General of DoD asking simply for a definition of cloud computing. Even though DoD adopted the NIST definition of cloud in 2012, Vietmeyer said the question wasn’t surprising. “There is still a lot of conclusion. It’s still a grey area,” he said.
“But whether we define it or not, it’s still going to happen,” Vietmeyer continued. He said two big trends have pushed the department towards cloud, even as some remain unclear on its intricacies:
1. Technology is getting more and more complex. As technology becomes increasingly specialized in its functionality and operation, the department’s traditional approach of local installation and management has become impossible. What’s more, system integrators are less willing to take on the risk attached to this complexity.
2. Cloud-based networks are becoming more reliable and dependable. For a department that has to be fully operational 24/7, this technology reliability is an advantage that can’t be ignored.
Having accepted this necessity to transition, DoD is working on a cloud strategy. However, this strategy is very much a work in progress.
Initially, department administrators attempted to own the entire cloud process. “We looked at our networks and we decided couldn’t outsource it,” said Vietmeyer. “So we decided to build our own cloud. We thought it would be easy. You add some software and some hardware, and we’ll make a cloud.”
Unfortunately, that task of creating one, homegrown enterprise cloud system proved harder to execute than the team imagined. Vietmeyer listed a number of challenges that prevented an effective transition:
- Current data center operations and culture: The siloed nature of teams and operations within the data center made it difficult to build an enterprise solution, and even harder to convince data administrators to integrate.
- Technology and skill set gaps: While the technology was available to build a cloud in-house, the department lacked the experience and best practices to effectively implement it.
- Transition to agile development and DevOps: To remain up-to-date and ensure maximum operability, cloud services (especially software-as-a-service) requires constant iteration. Yet as Vietmeyer said, “A provider like Amazon pushes updates every 12 seconds, but our department is lucky to push one every 12 weeks.”
- Transition to "customer" focused operations: Administrators were reticent to allow internal departments to bring in their own technology and systems, to be hosted in the new cloud infrastructure
- Are you "customers" ready? Because they were building so many different systems, maintaining control of pricing models, and then scaling onto more and more servers, the cloud-based system that was supposed to produce cost saving actually turned out to be the exact same cost as a physical machine. Therefore, there was no incentive for their customers to transition their services to the cloud
Ultimately, the attempt failed and the department decided that it needed to outsource its cloud strategy. Now, DoD is focusing on making it as easy and safe as possible for private cloud service providers (CSPs) to provide their cloud services to the department.
The largest initiative within this new strategy is the creation of the Cloud Computing Security Requirements Guide (SRG), which is based on standard recommendations from NIST but specifically applied to DoD needs. The document, released earlier in 2015, differentiates levels of risk for DoD data, systems, and use cases. It also provides methods for assessing that risk and evaluating CSPs according to that risk level.
Finally, as the name suggests, the document provides requirements guidelines for CSPs. So far, almost 30 CSPs have been approved at the lowest impact, or risk, level. Only one CSP has been approved for the moderate to high levels on unclassified data, however, because more time is required to approve high-level vendors. Nevertheless, progress is being made. Vietmeyer said one more high-level CSP will be announced this week, and about five more are in the pipeline for approval.
As these CSPs integrate with DoD IT, Vietmeyer’s team is also looking at ways to tie in CSP security with DoD cyber operations. “How do we get incident report? How do they notify us when an incident occurs, and how do we let them know?” are just some questions Vietmeyer said they are asking. Implementation of these communication protocols is already underway, and Vietmeyer expects more plans to be announced across the next year.
With CSP security authorization well underway, the next big focus for DoD cloud strategists is getting agency systems onto these new service providers. Vietmeyer said they’re seeing increased demands from department “customers” for cloud computing, but many of these customers want comprehensive functionality and services within that environment environment—as they traditionally saw in custom-built local environments.
“Right now, each application is bringing its own functionality, but that’s not effective,” said Vietmeyer. “It’s expensive, it’s cumbersome, and it’s not sustainable.”
As the department works through this and other challenges associated with the transition to cloud, Vietmeyer assured the audience that it will continue to evolve its strategy accordingly. No option is off the table, as DoD continues to move its technology forward. He even joked, “Who knows? Maybe we’ll even go back to building our own cloud!”
Vietmeyer's presentation slides can be accessed here.