DOD strives to match military applications to commercial clouds

As the military reduces its number of data centers and consolidates data and applications, it is looking to move some of these functions to private commercial clouds. Collaboration tools, e-mail, administrative applications, conferencing software, mission applications and those applications used for program or project management are the key applications considered eligible for moving to the cloud. However, according to 108 federal government CIOs and IT managers polled in a spring 2012 MeriTalk Survey, different apps have different needs.

Not one mission-critical DOD application will go into a public commercially hosted cloud because the security is not sufficient. Even so, commercial vendors are setting up private cloud environments specifically for the military’s sole use, totally separate from those used by their other customers. Vendors hope to encourage the government to deploy their apps in those environments, which have been tailored to meet the military’s needs.

Security, Communication and Lifecycle

“DOD directives say any commercial entity working for us has to meet security standards. Vendors need to provide assurance and evidence that they can,” said Ray Letteer, chief of the Cybersecurity Division of the Command, Control, Communications, and Computer (C4) Department at Marine Corps Headquarters. His goal is to look at the ramifications of moving applications to the cloud and find the most secure way to meet mission needs while ensuring that data is protected.

“For applications involving unclassified data that is totally publicly releasable, a public cloud is great. When applications deal with more sensitive data, protection, encryption and extra steps that a private cloud offers are required,” Letteer said. For example, the Marine Corp has recruiting and public affairs data and its interface on private commercial space.

“In a commercial cloud, we wouldn’t know where in the world the data resides," he said. "We wouldn’t know which server it’s in or who could have access, and we would want to know that. Different from the Open Systems Interconnection model, we’re concerned about the physical model. Are there protections at that physical location? Are people properly vetted? Can we be sure it isn’t tapped or accessed inappropriately?"

“We also are concerned about the actual network connections themselves – the pipes, IP ranges, logical ranges, and the physical reality of managing the app’s data, not only where the data flow goes. Where does the data reside when it’s at rest? Is it on a virtual machine? An appropriate hypervisor? Who can access it? It is appropriately protected and layered?” Letteer said the Federal Risk and Authorization Management Program (FedRAMP) is establishing standards for vendors to meet and an assessment process to demonstrate that protections are in place.

The ability to communicate is also a key factor in determining which applications are suitable for cloud use. “Our military is very tactical and deployable at any time. We may need to carry the network with us and need responsiveness in a deployed environment whenever we go. The cloud may not be the model to use for some applications used in certain tactical situations,” he said.

“We also rationalize an application’s location by where it is in its lifecycle. An app may be old or hard-coded. It may take testing to know if or how to transition current versions, or if the next version should take advantage of the cloud. We’re all struggling with this question,” Letteer said.

Vendors that provide cloud services for applications such as financial, government, and health care information must be able to assure that they have rigorously verified security and the required protections.

“Some commercial vendors meet or exceed the physical DOD security standards, and I have no problems putting data in those cloud environments,” said Letteer. “But, some have locations in foreign lands to keep costs down, and I’m not convinced the standards are met. Along with not having the same wage scale requirements as in the U.S., the locations may have less security rigor as well, we just don’t know. FedRAMP is there to measure and prove that data doesn’t accidentally go somewhere it shouldn’t, such as during a recovery schema.”

Verification may include a software code review, said Letteer. “The Marine Corps uses tools during code development that shows you’ve reduced problems of bad code development. Over the next few years, we are taking the strategy of linking these tools with the acquisition process to build safely and smartly from the beginning.”

Eliminating Redundancies

A recent assessment of the total number applications used by the Army alone puts the count at around 200,000. Nick Combs, chief technology officer of EMC’s Federal Division, thinks many of those are redundant, including many versions of the same operating system and other software.

Combs, who serves as CTO and a senior corporate evangelist on cloud computing, big data, and information security issues at EMC, said the first step in moving applications to a private cloud is to consolidate and eliminate as many redundancies as possible.

“From a security and threat profile, you want to have the same version of all of your applications. If you have 30 different versions of Adobe, you have 30 different security postures. Standardizing limits the security posture and makes patching that environment easier.”

Standardization and consolidation has improved, but much more needs to be done. “Every base and company in the Army had their own exchange servers in the 1990s. Consolidation on enterprise-wide email and collaboration tools has significantly improved the service and security of these environments. With business or mission applications, there are still a lot of redundancies, but not as many as previously,” he said. “There are some instances [where there are] reasons to maintain redundancy, such as in disconnected entities like Navy ships or military vehicles, or with financial and human resource applications across some classified federal agencies.”

Virtualize First

The first part of the assessment process to determine whether an app can move into a private cloud is to ask “Can I virtualize that app?” “Virtualization first” is EMC’s approach to implementing app migration. The company is involved in military data center consolidation and cloud migration, and Combs said the majority of its federal customers use virtualization. Many services have already standardized on virtualization, and EMC’s own transformation took a 100 percent virtualization approach.

Combs said, “Virtualization is the tectonic shift that’s allowed this transformation to take place.” Virtualization provides many of the advantages of the cloud. “When virtualized, apps run the same way in different environments. It’s easy to move apps from one environment to another, and we can bundle applications together, making testing easy.

“If apps can be easily virtualized, they’re the prime candidates for moving into the cloud first. Some apps can’t be virtualized, and they’ll be put on the back burner. It makes migration toward the private cloud environment and transformation easier,” said Combs.

Before Migration

After determining which apps are involved, Combs said that the process for moving to a cloud begins with an operational risk assessment of the data. This process looks at factors such as privacy and legal or regulatory issues to determine if the transformation has to occur into a private cloud. Also, it is critical to assess if sensitive government information is involved. Afterward, the migration process entails:

• Taking a business approach to migrating data and applications.
• Examining the interdependencies of the applications and data to get a true understanding of what it would take to migrate, and then looking at data sources, whether they reside in structured or unstructured data repositories, if they will have a web presence, or will require a entire different back-end user database.
• Virtualizing the apps in the new environment and testing to ensure they can meet operational and performance targets, verifying interdependencies, and looking for those that may be disconnected.
• Bundling apps into groups of operational machines, testing in new locations and validating their performance.
• Aligning the bundles to a migration strategy, ensuring there’s no downtime or high unavailability.