Posts Tagged ‘DoD’

DoD Business Applications and the Cloud

Current cloud spending is less than 5% of total IT spending, but with an optimistic 25% growth rate, cloud computing is poised to become one of the dominant models for organizing information systems—which is why it is important for the Department of Defense Business Mission to begin organizing the path to cloud operations in order to migrate from its current low performance/high cost environment.

The DoD Fiscal Year (FY) 2010 IT cost of the Business Mission—excluding payroll costs for uniformed and civilian personnel—is $5.2 billion; one third of the cost of the communications and computing infrastructure adds a further $5.4 billion to the total.

The scope of DoD Business Applications exceeds the average IT budget of the largest US corporate organizations by a factor of three. As a result, DoD Business Operations needs to think about its future IT direction as operating a secure, private cloud that is managed organically by the DoD Business Mission, in order to squeeze the cost benefits out of the cloud.

There are many forms of cloud computing, ranging from Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to Software-as-a-Service (SaaS), but when it comes to the Department of Defense, only offerings that can support over 2,000 applications need apply. Business Operations cannot be tied to “public” clouds that are proprietary.

The DoD, for example, can’t rely on the largest cloud service, the Amazon Elastic Cloud, which offers computing capacity managed entirely by the customer and is thus a “public cloud.” Because compute processing is purchased on demand, Amazon is an IaaS service. Once your applications are placed in the proprietary Amazon cloud, however, it is difficult to transfer the workload into a different environment.

Google, by contrast, offers a PaaS service as a public cloud (read: accessible to all) via the Google App Engine. Google allows developers to build, host and run web applications on Google’s mature infrastructure with its own operating system; Google itself provides only a few Google-managed applications.

Salesforce.com’s enterprise-level computing currently operates at a $1.4 billion revenue rate per year, with 2 million subscribers signed up for SaaS application services running in a proprietary PaaS environment. Because Salesforce offers only proprietary solutions, it can’t be considered by DoD, although Salesforce’s recent partnership with VMware might change that.

Other cloud providers offer IaaS services, but they all leave it to customers to manage their own applications; they qualify for DoD applications provided they meet open source and security criteria.

Open Platform and Open Source
Microsoft’s Windows Azure platform offers a PaaS environment for developers to create cloud applications and offers services running in Microsoft’s data centers on a proprietary .Net environment. These predominantly .Net applications are integrated into a Microsoft-controlled software environment, which can be characterized as a “closed” platform.

Currently, DoD Business Mission applications run largely in a Microsoft .Net environment. What remains to be seen is whether DoD will pursue cloud migration into a multi-vendor “open platform” and “open source” programming environment or continue with a restrictive Microsoft .Net environment.

The largest share of the DoD IT budget goes to the Defense Information Systems Agency (DISA), which in April 2009 advocated the adoption of the open source SourceForge library for unclassified programs. DISA’s Forge.mil program enables collaborative software development and cross-program sharing of software, system components and services in support of network-centric operations and warfare. Forge.mil is modeled on concepts proven in open-source software development, represents a collection of screened software components, and is used by thousands of developers. Forge.mil takes advantage of a large library of tested software projects, and its components are continuously evaluated by thousands of contributors (including some from firms like IBM, Oracle and HP, although not from Microsoft, which controls its own library of code).

A DoD Memorandum of October 16, 2009 by the Acting DoD Chief Information Officer, “Clarifying Guidance Regarding Open Source Software (OSS),” defines OSS as software for which the human-readable source code is available for use, study, reuse, modification, enhancement and redistribution by the users of that software. OSS meets the definition of “commercial computer software” and will thus be given preference in building systems. DoD has begun the process of adopting open source computer code with the announcement of Forge.mil.

Implications
Given the migration of business applications, a reorientation of systems development technologies in favor of running on “private clouds”—while taking advantage of “open source” techniques—is necessary in order to save the most. The technologies currently offered for the construction of “private” clouds will help achieve the complete separation of the platforms on which applications run from the applications themselves. The simplification that can be achieved through the sharing of “open” source code from the Forge.mil library makes delivering cloud solutions cheaper, quicker and more readily available.

For more information regarding the DoD and open source cloud platforms, please visit nubifer.com today.

Feds to Unveil Cloud Security Guidelines

Late in 2010, the federal government issued draft plans for the voluntary Federal Risk and Authorization Management Program, dubbed FedRAMP. FedRAMP is expected to be operational by April 2011 and would ensure cloud services meet federal cyber-security guidelines—which will likely shelve remaining government concerns about cloud security and ramp up adoption of cloud technologies.

Developed with cross-government and industry support over the past 18 months, the voluntary program would put cloud services through a standardized security accreditation and certification process. Any authorization could subsequently be leveraged by other agencies. Federal CIO Vivek Kundra said in a statement, “By simplifying how agencies procure cloud computing solutions, we are paving the way for more cost-effective and energy-efficient service delivery for the public, while reducing the federal government’s data center footprint.”

The adoption of cloud computing has been promoted by the Obama Administration as a way to help save the government money, and Kundra and other top officials have championed the technology and instituted policies like data center consolidation requirements—which could bring about a shift to the cloud. Federal IT managers, however, have consistently raised security concerns as the biggest barrier to adoption.

The government’s security concerns arise partly because cloud computing is a relatively new paradigm that has to be adapted to the security requirements of regulations like the Federal Information Security Management Act (FISMA, which governs federal cyber-security for most government agencies). By mapping out the baseline required security controls for cloud systems, FedRAMP creates a consistent set of security outlines for cloud computing.

FedRAMP will seek to eliminate a duplicative, costly process to certify and accredit applications. Each agency used to take apps and services through its own accreditation process, but in the shared-infrastructure environment of the cloud, this process is redundant.

The FedRAMP draft comprises three major components: a set of cloud computing security baseline requirements; a process to continuously monitor cloud security; and a description of proposed operational approaches to authorizing and assessing cloud-based systems.

FedRAMP will be used for both private and public cloud services, and possibly for non-cloud computing information technologies and products. For example, two agencies have informed IBM of their intent to sponsor certification of their new Federal Community Cloud services.

Commercial vendors will not be able to request FedRAMP authorization directly, but will have to rely on the sponsorship of a federal agency that plans to use their cloud services. Guidance on the CIO Council’s website notes that FedRAMP “may not have the resources to accommodate all requests initially,” and that GSA will focus on systems with potentially larger user bases or cross-government interest, suggesting that the government predicts a large amount of interest.

FedRAMP will remain an inter-agency effort under federal CIO Kundra’s authority and will be managed by GSA. The new Joint Authorization Board, which includes representatives from GSA and the Department of Defense, will authorize the systems that go through the process together with the sponsoring agency.

Although FedRAMP provides a base accreditation, most agencies have security requirements that go beyond FISMA and thus may have to do more work on top of the FedRAMP certification to make sure the cloud services they are looking to deploy meet individual agency requirements.

For more information regarding the Federal adoption of cloud technologies, visit Nubifer.com.

Department of Defense And Cloud Security Management

Migrating Department of Defense applications to public cloud platforms operated outside of the Department of Defense DMZ typically raises concerns about the efficacy of security protocols. Currently, the DoD data-centers rely on firewalled barriers designed to prohibit interactions with those outside of its perimeter. The effectiveness of these safeguards can be argued on a number of levels. The DoD contracts out the management of much of its data, meaning those in charge of that data are neither military nor civilian employees.

Regardless of this outsourcing, the transference of compute resources to third party platform providers will be subjected to stringent security guidelines. What may be viewed as a minor security incident could result in a revocation of security certification for the cloud services provider.

High-level DoD executives realize that cloud computing offers a significant opportunity for cost savings, scalability, and fail-safe features that offer advantages over the current DISA data-centers. Decision makers are now asking whether the externalization of the DoD workload to a public cloud would cause a degradation in network security. Will the governmental auditors reject a public cloud because they cannot fully guarantee security? But the fact is that many public cloud offerings provide the same level of data security, obfuscation and redundancy that is offered in the DoD’s internal data-centers.

DoD data-centers lock up server farms as well as associated power inside a physical structure in order to gain security. Additional controls installed include:

– Perimeter firewalls
– Demilitarized zones (DMZ) for isolating incoming transactions
– Network segmentation
– Intrusion detection devices and software for monitoring compliance with security protocols

Currently, there are a plethora of companies selling hardware devices and software packages that claim to increase data-center security. But as security threats rise, data-center management teams keep adding disparate security management devices, increasing not only operating costs but also the delays incurred as transactions make their way through multiple security barriers.

The accumulation of these disparate security features only increases the vulnerability of systems and adds to potential security loopholes. Each data-center will ultimately have security measures that are unique to its individual situation. Therefore they are not amenable to coordinated and standardized oversight.

Cloud platform providers gain from the benefits of virtualization. Virtual machines from multiple tenants are co-hosted on physical resources without any cross-referencing that could jeopardize security. This makes virtualization the key technology enabling the migration of applications into a cloud environment where security is provided via the hypervisor that controls each separate virtual machine. A standardized third-party security appliance can be connected to this hypervisor, allowing consistent security services to be delivered to every virtual machine even if they run on differing operating systems.

Users must stop viewing protection of applications at the data-center or server level as the basis for achieving security. Instead, we have to view each individual virtual computer, with its own operating system and its own application, as fully equipped to benefit from standardized security services.

A data-center may encompass thousands of virtual machines. Cloud security will be achieved by protecting virtual computers through the hypervisor on which they operate. This way, every virtual machine can be assigned a sub-set of security protocols that carries its protection safeguards as well as its security criteria. When a virtual machine is moved from a DISA data-center to the cloud, the security of the relocated virtual machine is not compromised. Multi-tenancy of diverse applications from varied sources is now feasible, since the cloud can run diverse applications in separate security enclosures, each with its own customized security policies.

In a cloud environment the addition of a new application is simplified. Integration with security measures can be instant and seamless because a hypervisor already supports your current security protocols. And if a virtual machine can port its own security measures when migrating from one cloud to another, these integration efforts can be further reduced.
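The per-VM policy described above, where security travels with the virtual machine rather than living in the data-center perimeter, is what hypervisor-level network filtering provides. The following is an added example, not code from the original post or from Nubifer: it audits constructed libvirt domain definitions (the VM names, the filter name `dod-vm-baseline` and the XML itself are made up for illustration) and reports any virtual NIC that has no hypervisor filter attached, or that references a filter that was never defined on the host. On a real host the domain XML would come from `virsh dumpxml` and the filter list from `virsh nwfilter-list`; the sample strings here stand in for that output so the check runs offline.

```python
"""Audit constructed libvirt domain definitions for hypervisor-enforced,
per-VM network filters.  VM names, filter names and the XML are all
hypothetical; nothing here comes from a real deployment."""
import xml.etree.ElementTree as ET

# Constructed sample: a baseline nwfilter that every VM is expected to carry.
# The structure follows libvirt's nwfilter XML; the filter name is made up.
NWFILTER_DEFINITIONS = {
    "dod-vm-baseline": """<filter name='dod-vm-baseline' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='443'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'/>
</filter>""",
}

# Constructed sample domain definitions (libvirt domain XML, trimmed to the
# interface elements that matter for this check).
VM_DEFINITIONS = {
    # compliant: the only interface references the baseline filter
    "payroll-app-01": """<domain type='kvm'>
  <name>payroll-app-01</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
      <filterref filter='dod-vm-baseline'/>
    </interface>
  </devices>
</domain>""",
    # non-compliant: no filterref at all, so no hypervisor-level policy
    "logistics-db-02": """<domain type='kvm'>
  <name>logistics-db-02</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>""",
    # non-compliant: second NIC references a filter that was never defined
    "portal-web-03": """<domain type='kvm'>
  <name>portal-web-03</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
      <filterref filter='dod-vm-baseline'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br1'/>
      <filterref filter='legacy-filter'/>
    </interface>
  </devices>
</domain>""",
}


def interface_findings(domain_xml, defined_filters):
    """Return a list of (interface_index, problem) for one domain definition."""
    root = ET.fromstring(domain_xml)
    findings = []
    for idx, iface in enumerate(root.iter("interface")):
        ref = iface.find("filterref")
        if ref is None:
            findings.append((idx, "no hypervisor filter attached"))
        elif ref.get("filter") not in defined_filters:
            findings.append((idx, f"references undefined filter {ref.get('filter')!r}"))
    return findings


def audit(vm_definitions, nwfilter_definitions):
    """Map each VM name to its list of findings (an empty list means compliant)."""
    defined = {ET.fromstring(xml_text).get("name")
               for xml_text in nwfilter_definitions.values()}
    return {name: interface_findings(xml_text, defined)
            for name, xml_text in vm_definitions.items()}


def noncompliant_vms(vm_definitions, nwfilter_definitions):
    """Sorted names of VMs with at least one finding."""
    report = audit(vm_definitions, nwfilter_definitions)
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    for vm, findings in audit(VM_DEFINITIONS, NWFILTER_DEFINITIONS).items():
        status = "OK" if not findings else "; ".join(f"nic{i}: {p}" for i, p in findings)
        print(f"{vm}: {status}")
```

The second check matters as much as the first: a `filterref` pointing at a filter that does not exist on the destination host is exactly what breaks when a virtual machine is migrated between environments, so a migration runbook should verify that the referenced filters are defined on the target before the VM is moved.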

In Summation
Security services for a cloud environment can now be pooled and standardized to support a large number of virtual machines. Such pooled services can be managed to give DoD data-centers vastly improved shared security awareness.

The overall management and monitoring of enterprise-wide security will still remain an intensive task. Compared with the current diversity in security methods, however, the transfer of applications onto a cloud platform will further reduce costs and simplify the administration of security.

Whether the Department of Defense can efficiently implement its own private cloud, or whether it will have to rely on commercial cloud providers, is yet to be known. The DoD could rely on commercial firms for most cloud computing services while retaining direct oversight of security. This could be accomplished by managing all security appliances and policies from DoD Network Control Centers staffed by internal DoD personnel.

For more information regarding security of Cloud platforms and how the government is approaching Cloud Computing and Software-as-a-Service, visit Nubifer.com.