DoD May Invite Cloud Vendors Into Govt. Data Centers
In an effort to tap commercial cloud technology without sacrificing security or control, the Department of Defense considers two potential models.
5 Early Cloud Adopters In Federal Government
(Click image for larger view and slideshow.)
The US Department of Defense is exploring the idea of having commercial cloud vendors use secure DoD data centers and facilities to deliver private cloud services to the military.
The goal, explained in a just-published Request for Information document, is to put in place an ecosystem that will allow the DoD to take advantage of commercial cloud computing technologies while ensuring the level of security needed to run highly sensitive workloads.
One option being explored is a Data Center Leasing Model (DCLM), under which cloud vendors would be allowed to lease out rack or floor space in DoD data centers and run their hardware and software from them.
Selected vendors would be subjected to security scrutiny and an accreditation process before being allowed leased space in DoD's core data centers. The vendors would deliver their services for the military wholly from inside the DoD data centers.
The second model that is being explored is dubbed the On-Premise Container Model (OCPM) and involves the cloud vendor delivering services to the military via containerized data centers.
Under the proposed model, prefabricated containers filled with data center equipment would be dropped off outside select DoD data centers, where they would be supplied with the required heating, cooling, redundant power supplies, and network connectivity.
Since both models require commercial cloud vendors to operate inside of or in close proximity to a DoD data center, they would be considered secure enough to support Level 5 and Level 6 workloads -- the military's most sensitive data.
DISA released details of the two options it is exploring Wednesday in a formal Request for Information (RFI) from commercial cloud vendors. It described the RFI as an attempt to assess vendor readiness to provide commercial cloud services on DoD networks for use by the military.
"DISA is exploring several possible ways to integrate commercial cloud services with DoD networks," the RFI said. "These models are being considered as possible alternatives in providing cloud ecosystems and services to the DoD community."
The RFI seeks information from vendors about their willingness and ability to deliver services from DoD facilities and data centers.
The cloud services that the DoD is particularly interested in over the short term include workload and virtual machine management systems and object and block storage systems.
The DoD is unsure of the exact size and scale of its cloud infrastructure requirements, but it expects the infrastructure to range from small configurations of up to 10,000 virtual machines to large configurations exceeding 200,000 virtual machines, the RFI said.
The two deployment options being considered by DISA appear similar to the CIA's $600 million, 10-year initiative to get Amazon to deliver private cloud services behind the agency's firewall.
The DISA RFI reflects the level of attention the DoD is putting into ensuring the security of its cloud deployments.
Like many other federal departments, the DoD has committed to accelerating commercial cloud adoption over the next few years in a bid to pare costs and improve efficiencies. But it has been very cautious in how it has gone about doing that so far because of the especially sensitive nature of its operations.
"The Department has specific cloud computing challenges that require careful adoption considerations, especially in areas of cybersecurity, continuity of operations, [and] information assurance (IA)," DoD CIO Teresa Takai said in a report outlining the department's plans back in 2012.
The DoD is taking advantage of the Federal Risk and Authorization Management Program (FedRAMP) to put in place standard processes for assessing and authorizing public cloud computing services on its network.
The department is also using FedRAMP to define requirements for continuous monitoring and auditing for cloud computing providers.
What it have been somewhat slower in doing is actually implementing commercial cloud services, according to John Pescatore, former Gartner analyst and director of emerging security trends at the SANS Institute in Bethesda, Md. "FedRAMP has been phenomenally successful in getting commercial cloud services certified for government use, especially for low- to medium-risk workloads," he said. Even so, federal IT departments have to clear several other hurdles, most notably from their own inspector general, before they can actually deploy cloud services.
"Think of an infrastructure-as-a-service application where Amazon has a FedRAMP certification and some agency is running their software on that infrastructure," Pescatore said. "That's not something that IGs are used to auditing. So they are very conservative."
The DoD's apparent interest in having cloud providers deliver service out of containers placed in close proximity to their data centers also reflects the lingering concerns over loss of control that many organizations have when migrating to the cloud, Pescatore said. "It shows a certain 'server-hugger' stance that says, 'Wait a minute. Unless I have physical control of the data center, it will never work.'"
Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 9, 2015.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.