Approval Granted for Private Software to Run in Secure Cloud

August 2010
By Rita Boland, SIGNAL Magazine

RightNow Technologies has received approval to run products within the Defense Information Systems Agency cloud. The company’s offerings address the Web, social and contact center experiences. Users begin their information search online. They want to choose when and how they interact with agencies and want to feel as if they are receiving genuine, relevant responses to questions and requests. RightNow CX helps military agencies assist their stakeholders by enabling personalized online experiences.

This software as a service offers customers the benefits of cloud computing with enhanced information assurance.

The federal government has approved commercial products to operate on a defense cloud, marking the first time industry online offerings with this level of security are accessible to the military via such an environment. The accreditation, which took approximately two years, means that military organizations can route sensitive data through online software products. As more clients migrate to the cloud and employ the technology, the cost of use will drop. This creates a benefit for anyone wishing to take advantage of the offerings, which include a suite of products designed to enhance communications across Web, social and contact center touch points.

RightNow Technologies achieved its DOD [Defense Department] Information Assurance Certification and Accreditation Process (DIACAP) earlier this year and has deployed its services in the Defense Information Systems Agency (DISA) cloud. The DISA cloud is a private cloud for Defense Department personnel and support contractors.

The company achieved interim authority to operate (IATO) on April 19, 2010, which meant it could take customers live. Nine days later, RightNow received interim authority to connect, enabling it to tie in to the DISA Defense Enterprise Computing Centers (DECCs) and to complete the configuration to customer sites and loading of customer data. The DIACAP approval was linked to the connect date. Eventually, the company expects to receive authority to operate, but achieving IATO status lets customers leverage the products earlier.

Before the authorities came through, military clients could not use this private sector software through the DISA cloud. Now, defense units can employ the RightNow software to support mission-critical applications and share mission-critical information.

The approved software applications meet government security regulations by using the DOD Information Technology Security Certification and Accreditation Process (DITSCAP)/DIACAP to ensure compliance with DOD Instruction 8500.2 and with the U.S. federal security standard, the Federal Information Security Management Act (FISMA) (National Institute of Standards and Technology [NIST] 800-53). The company provides certification and accreditation artifacts, and its military offerings include a dedicated security and information assurance team available at all times.

The secure solution RightNow offers to military organizations in the defense cloud is called RightNow CX—for customer experience—and it addresses customer service by improving user experiences through multiple channels. RightNow is not an infrastructure provider, so it does not sell hardware, networking solutions or any of the components to stand up and manage a cloud. However, it does offer several levels of certification for use in clouds with various security levels. These include commercial—the least secure—private government-only and Health Insurance Portability and Accountability Act-compliant levels. It also has another hybrid offering for Canadian customers.

Some definition differences about RightNow’s defense offerings exist between the company and DISA regarding how the products are categorized. Company officials call its effort a hybrid public-private cloud, while DISA officials classify what the company offers only as software as a service (SaaS). “DISA has adopted the NIST definition when referring to and building out [its] cloud solution set,” Alfred Rivera, the director of computing services at DISA, explains. The NIST definition of cloud computing promotes availability and is composed of five essential characteristics, three service models and four deployment models. Cloud SaaS is one of the service models.

Defense Department organizations want the same benefits from cloud computing as civilian agencies and commercial companies. However, the department “requires additional security for many applications and is less likely to use an open, public cloud,” Rivera says. “DISA cloud computing services are located in secure DECCs, connected to private DOD networks, and under positive government network operations control.”

Rivera explains that a major idea behind trying to establish SaaS is to enable cost savings. It also assists with achieving standard product lines instead of encouraging organizations to adopt point solutions. Other advantages include increased uptime and moving responsibility for running and maintaining a network infrastructure out of the hands of organizations with other main purposes.

The DISA cloud’s position as a military-only environment enables certain functions, but it also comes with risks. “DISA cloud computing services are integrated with DOD networks and support military-unique missions,” Rivera says. “Any DOD system automatically becomes a target for both typical hackers as well as some foreign actors.” 

Those threats are an impetus for the protection necessary in the military cloud that RightNow is using to offer its specific, secure services to military customers. Kevin Paschuck, the vice president of the public sector at RightNow, explains that, “We are leveraging [DISA’s] cloud computing environment and our software running on a military base in a DISA-owned and -operated data center. Our staff runs the software, and the DISA staff runs the infrastructure and network. [The] Army and Air Force are the first customers to go into the DISA/RightNow cloud.” DISA also has other cloud computing efforts not related to its work with RightNow.

 

Blanca Rubio, a contract scanning team leader at the Air Force Personnel Center (AFPC) at Randolph Air Force Base, Texas, scans the last paper unit personnel record in June 2008. The AFPC has transferred what used to be done on paper to an online environment. Taking advantage of more technological advancement, the center plans to begin using the first private vendor product line to achieve the necessary certification and accreditation to run on a secure military hosting network in November.

Though RightNow is offering defense clients its SaaS, it does not offer platform as a service—in which the consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but instead has control over the deployed applications and possibly application-hosting environment configurations—though those two different services often go together. Laef Olson, the chief information officer at RightNow, explains that his company does have platform capabilities where people can build software, but that it would be purpose-built and based on the CX solutions. He states that users would not create, for example, a word processing application on the platform.

Olson says that meeting the FISMA standards for data security proved a challenge because the regulations were set without the idea of cloud computing in mind. “[This was] phenomenally difficult to achieve, which is part of the reason we were so eager to get it done,” he states. The automation used by RightNow’s software helped the company by driving some actions away from human control. The personnel who are involved still go through the necessary clearance processes and procedures.

In addition to providing security, another way this cloud arrangement serves defense customers is by updating software on the military’s timeline instead of the vendor timeline. When RightNow issues an update to commercial customers, it does not force military clients to follow suit. This approach enables RightNow to keep its offerings current with the security standards of organizations. Paschuck explains that the usual way of performing updates in the private sector fails when dealing with the necessary moderate level of security in the DISA cloud. The service level agreement offered by RightNow to clients also enhances mission readiness because it guarantees a 99.9 percent uptime or the company will refund a portion of the contract payment.

One customer using RightNow capabilities is the Air Force Personnel Center (AFPC). The center has been using this technology since March 2006 and will begin taking advantage of DISA’s RightNow DOD Hosting Facility in November. Though each installation of the products must meet DIACAP standards separately because of different customers’ installation particulars, Col. Glenn Rattell, USAF, director, Personnel Data Systems at the AFPC, says that “having the base product fully ‘DIACAP’d’ significantly speeds up the final accreditation process.” He adds that the “AFPC continues to take the safeguarding of our data very seriously. Migration to DISA’s DOD Hosting Facility allows us to continue to safeguard our data within the DOD network while taking advantage of the benefits of a RightNow-hosted environment.”

The online data systems at the center include many services that people formerly did on paper, including retirement actions. Processes that formerly required submitting a physical packet to a personnel office now take place on the Web. “Uptime, system availability and performance are critical to us,” Col. Rattell says. He adds that what his unit does involves not only gathering information, but also acting as command and control for personnel actions.

Using the cloud to host its services is part of the AFPC’s total force efforts. Air Force Reservists and Air National Guard members can use the same case management technology. If they contact an AFPC call center, they will be transferred automatically to a Reserve center. “This really brings us into the whole total force idea of active [duty], Reserve and Guard,” Col. Rattell explains.

Building on its recent success of meeting the standards to run information at the Secret level, RightNow is looking at a way to accommodate even more highly classified material. Paschuck shares that the National Security Agency already is a customer, but it is not running in any type of cloud environment because of the nature of its data. He adds that the company is in early talks with the government about how to provide similar services to the ones now available for lower security levels.

Another area for potential hybrid-cloud application is offering solutions for government clients in the United Kingdom and European Union. Through its research, RightNow officials say they have found that certification and accreditation processes in various organizations and locations have different names and categories, but most are trying to accomplish the same goals. However, because of the security needs, none of the government entities will allow their information to be co-located “at least not for a good long time,” Paschuck says. He adds that due to the similarities, he believes that the technology already in place for security is transportable to new organizations.

As RightNow works to expand its European offerings, it continues to focus on the U.S. government through the company’s Safe Switch program. The effort offers fixed-price, milestone-based contracts with no payments required until agencies are satisfied that their milestones have been met. Companies can migrate their existing on-premise applications to the company’s secure government cloud with an average “go live” period of fewer than 90 days. Safe Switch aims to save participants money by allowing customers to migrate their services for the fee they pay their current provider or less. Another cost-savings tool is the establishment of a meter to determine how often organizations use a service. If they use less than their allotted amount for the month, that time “rolls over” to the next month so they avoid incurring additional fees if they spend more time using the software another month.

WEB RESOURCES
DISA Computing Services Directorate: www.disa.mil/about/offices/csd.html
RightNow Technologies: www.rightnow.com
DIACAP Information: http://iase.disa.mil/diacap