DOD cloud adoption: DISA shares lessons learned
“We want to
help make cloud adoption across the Department of Defense a reality,” said Rear
Adm. Nancy Norton, vice director of the Defense Information Systems Agency
(DISA), during a cloud symposium held at the agency’s headquarters on Fort
George G. Meade, Maryland, Dec. 12.
Norton cited
the agency has years of experience working with the cloud and wants to share
lessons learned with the broader DOD community to ensure each organization’s
approach to cloud adoption is both effective and secure.
“[DISA] wants
to help you make smart choices and appropriate choices,” she said.
To help with
the decision making process, DISA’s cloud portfolio manager, John Hale,
described some of the technical and business challenges encountered when moving
the agency’s own applications to the cloud and when assisting mission partners
in transitioning to the cloud.
Cloud readiness
Hale stressed
that an application’s “cloud readiness” is one of the most important factor to
consider when moving to any cloud solution.
“Taking
traditional, legacy applications and moving them into the cloud model is not
going to give you the efficiencies your organization is hoping for,” he said. “It
requires an investment to modernize your application and make it cloud ready.”
To save money
when transitioning to the cloud, applications must first be engineered to take
advantage of the tenets of cloud computing: security, elasticity, manageability,
scalability, and utility-based billing.
He said many of
the organizations DISA has worked with have not programmed funding to modernize
and optimize applications for the cloud, and urged mission partners to use
application rationalization data to determine which applications should get
funding to support modernization.
“As part of all
of DISA’s cloud computing contract options, we have engineering services
available to help you modernize your applications to take advantage of the
cloud infrastructure,” said Hale.
Cost comparisons
“When we do
business case analyses, comparing apples to apples in the cloud world has been
very difficult,” said Hale, who also pointed out the lack of a single place for
application owners across the DOD to find and compare all available cloud
solution features and costs.
He said one of
the most important lessons learned by DOD’s early cloud adopters is that the
commercial cloud business model is not always aligned to support DOD
applications with high transaction levels.
“A lot of cloud
providers provide really cheap compute and really cheap storage, and then
charge you a lot of transactional fees as you pull data out of the
infrastructure,” he cautioned.
He advised
mission owners to have a true understanding of transaction costs prior to committing
to a solution.
Security
Hale also said it
is important for application owners to remember that no matter where the
application is hosted, they remain responsible for the application’s security
posture.
Any application
currently hosted in a DOD data center that transitions to a commercial cloud
environment will no longer have access to the DOD shared services that
previously ensured security, said Hale. He urged application owners to consider
the cost of securing an application to DOD standards when assessing potential
cloud solutions, and pointed to DISA’s Secure Cloud Computing Architecture as a
potential option.
“DISA
recognized early on the absence of shared security services would be an
inhibitor to cloud adoption, so we built the Secure Cloud Computing
Architecture with a focus on providing those key security services so you could
meet your authority to operate requirements when moving into the cloud,” he
explained.
Finally, Hale
stressed the importance of understanding DOD’s information impact levels and choosing a cloud solution
authorized to protect that data.
“Understand
that if you put your application in Level 2 environment, you could be running
on the same infrastructure as a commercial service,” he said. “In the Level 4
and 5 world, our data is completely separated from the commercial world.”
More information
Briefing slides from the Dec. 12 cloud
symposium are available
on DISA.mil. They contain additional information regarding DOD’s cloud
strategy, cloud models, data impact levels, DOD cloud deployment models,
lessons learned, and DISA’s cloud service offerings.
To learn more,
mission partners should contact their Mission Partner Engagement
representative or the DISA field office or liaison officer in their
area of responsibility.