DOD cloud adoption: DISA shares lessons learned

“We want to help make cloud adoption across the Department of Defense a reality,” said Rear Adm. Nancy Norton, vice director of the Defense Information Systems Agency (DISA), during a cloud symposium held at the agency’s headquarters on Fort George G. Meade, Maryland, Dec. 12.

Norton cited the agency has years of experience working with the cloud and wants to share lessons learned with the broader DOD community to ensure each organization’s approach to cloud adoption is both effective and secure.

“[DISA] wants to help you make smart choices and appropriate choices,” she said.

To help with the decision making process, DISA’s cloud portfolio manager, John Hale, described some of the technical and business challenges encountered when moving the agency’s own applications to the cloud and when assisting mission partners in transitioning to the cloud.

Cloud readiness

Hale stressed that an application’s “cloud readiness” is one of the most important factor to consider when moving to any cloud solution.

“Taking traditional, legacy applications and moving them into the cloud model is not going to give you the efficiencies your organization is hoping for,” he said. “It requires an investment to modernize your application and make it cloud ready.”

To save money when transitioning to the cloud, applications must first be engineered to take advantage of the tenets of cloud computing: security, elasticity, manageability, scalability, and utility-based billing.

He said many of the organizations DISA has worked with have not programmed funding to modernize and optimize applications for the cloud, and urged mission partners to use application rationalization data to determine which applications should get funding to support modernization. 

“As part of all of DISA’s cloud computing contract options, we have engineering services available to help you modernize your applications to take advantage of the cloud infrastructure,” said Hale.

Cost comparisons

“When we do business case analyses, comparing apples to apples in the cloud world has been very difficult,” said Hale, who also pointed out the lack of a single place for application owners across the DOD to find and compare all available cloud solution features and costs.

He said one of the most important lessons learned by DOD’s early cloud adopters is that the commercial cloud business model is not always aligned to support DOD applications with high transaction levels.

“A lot of cloud providers provide really cheap compute and really cheap storage, and then charge you a lot of transactional fees as you pull data out of the infrastructure,” he cautioned.

He advised mission owners to have a true understanding of transaction costs prior to committing to a solution.

Security

Hale also said it is important for application owners to remember that no matter where the application is hosted, they remain responsible for the application’s security posture.

Any application currently hosted in a DOD data center that transitions to a commercial cloud environment will no longer have access to the DOD shared services that previously ensured security, said Hale. He urged application owners to consider the cost of securing an application to DOD standards when assessing potential cloud solutions, and pointed to DISA’s Secure Cloud Computing Architecture as a potential option.

“DISA recognized early on the absence of shared security services would be an inhibitor to cloud adoption, so we built the Secure Cloud Computing Architecture with a focus on providing those key security services so you could meet your authority to operate requirements when moving into the cloud,” he explained.  

Finally, Hale stressed the importance of understanding DOD’s information impact levels and choosing a cloud solution authorized to protect that data.

“Understand that if you put your application in Level 2 environment, you could be running on the same infrastructure as a commercial service,” he said. “In the Level 4 and 5 world, our data is completely separated from the commercial world.”

More information

Briefing slides from the Dec. 12 cloud symposium are available on DISA.mil. They contain additional information regarding DOD’s cloud strategy, cloud models, data impact levels, DOD cloud deployment models, lessons learned, and DISA’s cloud service offerings.

To learn more, mission partners should contact their Mission Partner Engagement representative or the DISA field office or liaison officer in their area of responsibility.