Deciding when cloud makes sense for soldiers
Connecting state and local government leaders
Cloud's capabilities are central to military missions, but defense officials stress that the cloud must adapt to the needs of warfighters in the field.
With soldiers deployed all over the globe, the Army’s technology requirements go far beyond those of agencies whose work primarily plays out in offices. Therefore, the cloud environment may not always be the best solution for soldiers in the field, Thomas Sasala, director of the Army Architecture Integration Center, told attendees at a May 12 Washington Technology Defense Contracting event,
“My ask to you in the industry is that you consider the tactical users -- the people working and operating in a contested environment,” Sasala said. “They are core employees and high-level targets for the enemy,” he added. “If the information in their units is not encrypted and gets captured and compromised, that could … put those people in danger.”
Kevin Dulany, chief of the DOD’s Risk Management Framework Division and deputy CIO for cybersecurity, echoed that need and offered a specific opportunity to the more than two hundred industry and federal employees in attendance at the event. DOD's industry Information Day on June 23, he said, is a prime opportunity to discuss how best to square cloud services acquisition with the recently revised Defense Federal Acquisition Regulation Supplement.
All cloud service providers who want to work with DOD customers must be compliant with DFARS requirements at the end of the year. During the May 12 event, Microsoft Azure General Manager Tom Keane announced that his company's platform is the first to comply with DFARS.
“We are looking for information that gives the perspective for troops who are not deployed in a garrison environment,” Dulany said. “We want to see how your capabilities can support forces deployed in not so nice neighborhoods.”
Given the globe-spanning and decentralized nature of military systems, Sasala said, traditional perimeter-based security simply isn't sufficient. Field operations are not behind the typical “hard wall” used to secure enterprise systems, Sasala explained.
“Our enterprise is very much like an M&M that has been out in the sun for a while,” he said. “If you crack it open, lot of stuff oozes out.”
Agencies and cloud service providers also must acknowledge that systems are easier for attackers to penetrate with phishing emails and links that can attack the enterprise infrastructure rather than with a top-down attack of the network itself, he said, adding: "The fight is not at the network level anymore. It is at the application."
The threat to DOD information systems security is “real,” Sasala stressed. “It is not about compliance or checking boxes," he said, and agencies must honestly assess the mission needs and acceptable risk levels for each program.
John Connor, IT security specialist with National Institute of Standards and Technology’s Office Information Systems Management, agreed with Sasala that cloud technologies should be tailored to fit each agency’s needs.
“Just because systems can be the in cloud doesn’t mean that they should be in the cloud,” Connor said. “We need to decide whether it is worth it for each agency.”
Connor said the cloud calculus for defense agencies doesn’t really change due to the number of employees on the battlefield, but the priorities can change depending on the users and their access methods.
“Securing our government data and people out there in the field doesn’t change, but it does depend on how we are approaching and fulfilling the requirements that are necessary because the technology needs are going to change,” he said.
Sasala also said cost savings along are rarely reason enough to move to the cloud, and urged DOD employees and industry stakeholders to consider the indirect expenses when weighing their options.
“There are always going to be indirect costs to get the technology to the people who are utilizing it in the field,” Sasala said. “It’s hard for us when doing spreadsheets to determine how much it is going to cost us to significantly change our systems.”
Across DOD, Dulany said, he sees budget cuts across the agency spurring a shift to “an enterprise architecture structure.”
“We want business owners to enable DOD processes through shared properties using the same cost models that everyone else uses,” he said. “You are starting to see more of the enterprise architecture and records architecture process enable the bigger picture initiatives in addition to smaller projects.”