, ,

The Navy’s Approach to Developing Cloud Requirements

This blog post is an excerpt from GovLoop’s recent guide, Mapping Government’s Journey to the Cloud: 8 Success Stories. The guide includes interviews with federal, state and local officials who have overcome common barriers to cloud adoption, including procurement and security. Download the full guide here to get their insights and tips for success. 

The Defense Department has been slower than most government agencies to adopt cloud services. Addressing security concerns in the cloud took some time, but that wasn’t the only holdup.

One of the criticisms early on was that all DoD cloud procurements had to go through the Defense Information Systems Agency (DISA), a combat support agency that provides IT and communications support for the department, including warfighters.

But restrictions on how DoD components buy commercial cloud changed in December 2014, when department CIO Terry Halvorsen gave component agencies the green light to work directly with commercial vendors, rather than coordinating procurements with DISA.

“One of the things that we’re going to change, to give us more opportunities to move faster, is to let the military departments do their own acquisitions of the cloud services and not have to funnel that through one agency — in this case, DISA,” Halvorsen said a few months before issuing the memo.Navy tips

Since then, the military services have charted paths forward into the cloud while adhering to overarching DoD requirements. But even before the memo’s release, the Department of the Navy (DoN) had already begun testing low-risk data in the cloud.

“This early pilot activity added to and informed the follow-on innovative engineering techniques and dedicated time spent working through complex security requirements to arrive at the current  approach to getting the job done,” said Susan Shuryn, a Technical Adviser and Cloud Lead for the DoN CIO.

The DoN, which is composed of both the Navy and Marine Corps, used those lessons to launch a cloud store in March 2016 as the department’s official resource for buying cloud services. Vital to the store’s success is an understanding of internal customers’ requirements.

For now, the focus is on providing IaaS for two distinct user groups: “The first level is the application owners, who are responsible for the day-to-day operations and security of the application, as they would be in traditional hosting environments,” Shuryn said.

“The difference is that they are operating from within the commercial environment, are paying only for the amount of service they need, can turn the service off when they don’t need it and have access to performance and availability metrics as part of monitoring the service,” she said. “The second level is the end user of the application. For that user group, the biggest change is the broad internet access that is provided by the commercial offering.”

Application owners who are interested in moving apps to the cloud must first undergo an initial interview to determine if the application is a good candidate for the service being offered. The DoN’s current IaaS offering can host publicly releasable data, or Level 2 data, and Level 4 data, which is sensitive data that requires greater security.

There’s a Managed Service Organization that assists application owners through- out the process and also manages the business side of the service for them once they’ve migrated to the commercial cloud environment, Shuryn said.

Her team also had to address security requirements. As required by DoD, the DoN had to build and accredit a cloud access point to the DoD Information Net- work for sensitive Level 4 data.

“The cloud access point is an interface, a set of security capabilities — both protection devices and sensors — that allows DISA to monitor traffic and apply security policies,” said Dave Mihelcic, DISA’s Chief Technology Officer. “It is a DoD-controlled demarcation point between the DoDIN, which is under direct DoD control, and the commercially hosted component that is a shared responsibility between the system owner and the cloud provider.

“The idea is to make sure that if a vulnerability exists and is exploited on a commercially hosted site, it cannot be exploited to the point of endangering others on the DoDIN,” he said.

Shuryn and her team aren’t just concerned about meeting current requirements. They are also considering future security requirements. The plan is to incorporate more commercial cloud offerings in version 2.0 of the store, which is set to launch in early 2017.

“There is plenty of opportunity for continued innovation in the engineering designs that will take us to the next level in leveraging what the [cloud] providers have to offer,” she said.

All photos licensed for use under Creative Commons 2.0.
Photo credit: U.S. Navy

Leave a Comment

Leave a comment

Leave a Reply