As ubiquitous as ‘the cloud’ is in the commercial world, that is not the case with the Army because of security requirements. But an Army cloud is not far away and offers significant benefits for sustainment and cost-savings—and the information Soldiers need.
by Col. John E. Rozsnyai
The keys to sound decision-making and effective action are good information—perhaps with a few specialized tools and services thrown in to help make sense of it all—and reliable communications. This is true no matter where you are or what you are doing—on the battlefield or in the office, conducting major combat operations, responding to a humanitarian crisis, training or planning.
Today, communications, the collection, delivery and sharing of information, and the applications that help us use and understand the information have a common denominator: They are network-dependent, and the demand for them is high and constantly increasing. At the same time, the scope and diversity of Army mission requirements are growing, budgets and staff levels are declining, and cybersecurity threats and attacks are becoming more sophisticated and more frequent.
This environment challenges the Army’s ability to maintain readiness and warfighting superiority. Innovative approaches that preserve resources and the Army’s technological edge, while fulfilling readiness requirements, are the solution. Cloud computing provides just such a transformational opportunity.
Delivering the enablers that warfighters and decision-makers need through traditional information technology (IT) infrastructure is inherently less secure and has become far too expensive to sustain. Cloud computing, however, offers an avenue to significantly improve the Army’s overall cybersecurity posture, lower IT hardware and software costs and provide the flexibility to develop and deliver more quickly the capability enhancements the force needs.
WHAT CLOUD COMPUTING IS NOT
Cloud computing is not merely a data center that has been optimized for performance and efficiency. Even the most optimized data center still requires significant management to operate, secure, sustain and provision computing resources (e.g., processing, memory, storage). In a standard data center, computing resources are dedicated to specific system and application owners (one computer is assigned to run only one application) based on predicted peak levels of demand, which often exceed actual need. This is known as over-provisioning, and these resources are rendered unavailable to other systems—whether or not they actually are being consumed—and the system owner pays to sustain them even when they’re not being used.
WHAT CLOUD COMPUTING IS
In contrast, cloud computing encompasses all of the efficient features of an optimized data center while adding five essential characteristics:
1. On-demand self-service, where system and application owners can provision, and de-provision, available computing resources without data center management intervention.
2. Broad network access to support multiple types of devices.
3. Shared pooling of configurable computing resources, which can be released for other uses when demand is low.
4.Rapid elasticity, which enables automatic scaling of resources up or down of resources based on actual demand.
5. Measured services through a metering capability, which ensures that system and application owners pay only for the resources they consume.
CLOUD SERVICE MODELS
In general, cloud computing provides capabilities through three service models, which can be deployed on- or off-premises in a private, community, public or hybrid environment, depending on the level of security required:
Software as a Service (SaaS): The cloud service provider (CSP) operates, secures and sustains all of the computing infrastructure, including servers, operating systems (platforms) and applications (software). SaaS is a complete service offering that requires very little intervention beyond the CSP, with the exception of some minor user-level customization, which may be offered as part of the service.
Platform as a Service (PaaS): The CSP operates, secures and sustains the computing infrastructure, including servers and operating systems. PaaS is a mid-level service offering that requires the application owner to self-provision and sustain all services and associated data, including cybersecurity updates and incident response.
Infrastructure as a Service (IaaS): The CSP operates, secures and sustains only the hardware. IaaS is the minimum-level offering. It requires system and application owners to self-provision and secure the entire operating environment, including the operating system, application services and associated data, and to provide the required cybersecurity updates and incident response.
BENEFITS TO THE ARMY
Today’s data center environment, with more than 1,000 locations, is cost-prohibitive to sustain and nearly impossible to secure because of the vast cyberattack surface and inconsistent, untimely cybersecurity practices. This target-rich environment prevents the Army from adequately protecting its information resources and fully exploiting economies of scale. It also prevents the Army from keeping pace with emerging technology and setting conditions to harness the power of “big data” analytics—working with data sets so large or complex that traditional data processing applications are inadequate.
Cloud computing upends this paradigm. When the appropriate cloud service model is used, the Army reaps a slew of benefits. Application owners no longer acquire specific, dedicated computing resources; rather, they contract for these resources as a service from a CSP, which then hosts applications and data in a common, shared computing environment. Overall software licensing costs drop through centralized delivery.
In the aggregate, the Army’s cybersecurity posture improves dramatically. Instead of 1,000 or more open connections to the network that must be supported today, DOD intends to have fewer than 85. Additionally, centrally managed and pushed patches for software and operating systems speed the implementation of fixes to “zero day” vulnerabilities (vulnerabilities that the developer is not aware of but a hacker may have found, and therefore the developer has zero days to fix them) and lower hands-on labor requirements.
Additionally, the user experience becomes more consistent and less technically complex, through a common set of applications and consistent end-user device interfaces, which reduces training requirements and costs. And capability enhancements are fielded much faster; with computing infrastructure available to research and development (R&D) communities through on-demand, self-service portals, there is no need to wait on long procurement cycles for R&D to begin enhancing capabilities. The Army also can take advantage of the commercial R&D efforts that can readily be ported from and into the cloud.
WHAT THE ARMY IS DOING
Hybrid cloud: The Army Cloud Computing Strategy encompasses a hybrid deployment model that includes on-premises DOD (for example, milCloud, which is housed in DOD facilities) and commercial CSPs and off-premises federal (such as NASA or the Department of Homeland Security) and commercial CSPs and cloud computing infrastructure in the tactical environment. The Army determines the “best cloud” deployment and service for each application through an engineering evaluation process that considers migration readiness, information security requirements, mission requirements and cloud service provider capabilities.
Off-premises cloud pilots: The Army is leveraging the Defense Information Systems Agency (DISA) cloud pilot program, which uses an off-premises commercial CSP. The pilot is not only evaluating the security capabilities provided by the CSP, but it also is helping to shape the security requirements for DISA-provided cloud access points (CAPs), which provide boundary security for the Department of Defense Information Network. The final CAP architecture is now in place and is in the early stages of integrating additional CSPs and DOD applications. The objective is to test their capabilities to increase the pool of potential bidders, and ultimately to accelerate migration of applications to the cloud and closure of data centers. As a follow-on effort, the Army will begin a pilot in FY16 for “common services” (user and device authentication, Active Directory services, scanning and information assurance vulnerability assessment) provided from off-premises CSPs.
On-premises cloud pilot: The Army also is pursuing an on-premises commercially owned, commercially operated (COCO) cloud service offering at Redstone Arsenal, Alabama. A proof of concept, this effort is focused on reducing the risks associated with providing an Armywide, COCO private cloud that accommodates more sensitive information, up to the secret level.
Acquisition vehicles: Although there are acquisition vehicles that can be leveraged now, the Army is adapting to recent lessons learned and changes to the DOD Federal Acquisition Regulations. In November 2015, the Army’s Program Executive Office for Enterprise Information Systems (PEO EIS) issued a draft request for proposals to industry to refine requirements for an Army Cloud Computing Enterprise Transformation (ACCENT) contract, to be awarded in FY17. Intended as an enterprisewide cloud acquisition vehicle, ACCENT will provide commercial cloud solutions for eligible Army enterprise applications (email, collaboration, SharePoint—any application used across multiple installations).
CHALLENGES AND THE WAY AHEAD
First, the Army must ensure that it does not compromise its mission by unrealistically trading the confidentiality, integrity and availability of critical data and information in pursuit of the cloud’s potential benefits. Because cloud computing within DOD is still evolving, measuring overall security vulnerabilities and other inherent risks is difficult. The Army is significantly changing how it operates the network and we don’t necessarily know what we don’t yet know. Collectively, all DOD components are working to mitigate the risks that are known, both at DOD’s network boundary as well as within CSPs’ infrastructure. Additionally, we are evaluating how to effectively integrate the use of big data analytics to rapidly mitigate insider and external threats to the network.
Assured level of communications: One of the biggest challenges is that deployed forces are not assured the level of communications availability and bandwidth to which they are accustomed at home station, which could impact their ability to reach the cloud. The Army must be able to deploy forces far away from its fixed infrastructure, into austere and highly contested environments, where they will have to operate for extended periods of time in disconnected, intermittent and limited communications conditions.
Cultural resistance: Changing mindset is not an easy endeavor for an enterprise as large as the Army. It’s hard work convincing organizations and agencies that own and operate their own systems and applications to accept that someone else can provide the same or better level of service at a reduced cost.
Application/data determination: The Army is taking a close look at what types of applications and data elements are the highest risk to the mission and the overall force protection effort. This will determine which must always be available locally in case of disconnection and which lesser-risk elements forces can wait for.
While network security, operational efficiency and cost are driving factors in the move to cloud computing, they are not the primary goal. Increasing mission effectiveness is the main objective. Cloud computing will make information and IT services, such as collaboration, communication and analysis tools, available wherever Soldiers and commanders are, whenever they need them. As a result, split-base operations, where certain elements deploy forward and others remain outside the operational theater (and even at home station), will become much easier to execute. With fewer people and less materiel forward, operational sustainment requirements will decrease. At the same time, quicker, more complete collection of data—made readily accessible regardless of the source’s or the user’s location—and the ability to use big data analytics have the potential to simplify anticipation and fulfillment of the sustainment needs that remain.
Developing a rapidly deployable cloud capability is not an easy endeavor when you start to consider all of the variables. However, it is achievable, and it is imperative for the Army to maintain its warfighting superiority in the 21st century.
For more information on the Army cloud computing strategy, go to Army Cloud Computing Strategy, Version 1.0, March 2015. For more information on Army guidance on the use of and migration to commercial cloud service providers, go to http://ciog6.army.mil/Portals/1/Army_Cloud_Computing_Strategy%20Final_v1_0.pdf.[rule type=”basic”]
COL JOHN E. ROZSNYAI is the chief, Enterprise Architecture Division, within the Office of the Chief Information Officer/G-6, and the Army Cloud Transition trail boss. He holds an M.S. in information technology management from Webster University and a B.S. in business administration from Limestone College.
This article was originally published in the April – June 2016 issue of Army AL&T magazine.
Subscribe to Army AL&T News, the premier online news source for the Acquisition, Logistics, and Technology (AL&T) Workforce.[rule type=”basic”]