Two Barriers Block New Architecture

November 2011
By Paul A. Strassmann, SIGNAL Magazine

A successful Defense Department transition to platform-as-a-service computing will require adjusting both funds and mindsets.

The tight coupling that currently binds Defense Department architecture—the infrastructure, communications, databases, applications, security and desktops into more than 2,200 unique silos—must be separated. Right now, each silo is the consequence of contracts in which all software is assembled into a one-of-a-kind collection of codes. The resulting software is costly to maintain; applications are not interoperable; and lack of compatibility complicates the exchange of data.

Defense Department applications are not built to controlled standards. Most department databases are not constructed for shared data definitions, and communication interfaces do not match.

Such diversity is excessive. It imposes on every system the burden of tooling more than 75 percent of the programming code to unique requirements, which results in every system possessing its own infrastructure. If the Defense Department could operate a standard information technology infrastructure, the application developers then could concentrate on building only 25 percent of the code. Diverse systems could be built on top of only a few universal infrastructures. Individual customers would be able to modify individual applications but would not be allowed to alter the code of the infrastructure, which would be centrally managed.

Only after separating the infrastructures from the applications will it be possible for the Defense Department to organize projects to fit into an enterprise architecture that is modular, interoperable, upgradeable, secure and inexpensive. Only then will it be feasible to place application-specific programs, without huge amounts of attached infrastructure code, on top of an enterprise standard environment, defined as the Defense Department private platform-as-a-service (PaaS) clouds.

Once PaaS is accepted as the ultimate architectural objective for defense computing, attention must turn to a most difficult challenge: how to migrate from thousands of incompatible legacy systems into an environment that is far less complex. That cannot be accomplished by retrofitting legacy systems with fixes, conversion routines, software bridges, emulations and patches. An overlay cannot be placed on legacy systems to make them look as if they were interoperable PaaS clouds.

To achieve cost reductions in information technology spending, the Defense Department must concentrate on generating short-term cash savings to finance the creation of PaaS clouds. In the long run, PaaS will create the greatest opportunities for cost savings for the department.

One of the military service chief information officers announced a cut in information technology expenses by 25 percent over the next five years. Consequently little money, if any, will be available to convert to PaaS–based infrastructures. The question then is what approach can be used to slim down information technology spending in the most expeditious way so that cash becomes available to start investing in PaaS in the next five years.

The department’s information technology budgets for fiscal years 2012 through 2016 somehow must be structured to produce cash savings to fund cloud adoption investments. The current lack of funds also is aggravated by rapidly rising cybersecurity costs.

The Government Accountability Office just reported that fiscal year 2012’s $3.6 billion for cybersecurity is not fully funded. Expenses classified as the costs of cybersecurity now are consuming 9 percent of total information technology spending. Cybersecurity is eating up most of the money that otherwise would be available for migration to a cloud environment. Spending on security will continue to grow and will have a higher priority than spending on cloud computing, despite large cost reductions that can be realized from PaaS. With a squeeze on information technology budgets where will the new funds come from?

The Defense Department currently spends 30 percent of its $36.5 billion information technology budget on new development and on upgrading existing systems. The department spends the remaining 70 percent on operations and maintenance (O&M), although that amount is understated because it does not include military and civilian personnel payroll.

Prying short-term cash from new development and upgrading to pay for PaaS is hard to do. Projects have multiyear durations. Urgent, immediate fixes also are needed to support warfare operations; these fixes cannot be deferred. Though some money could be obtained by eliminating redundant programs, the pending information technology budget shortfalls are too large to be made up through the cannibalization of development funds.

O&M funds must be the first ones approached as the immediate cash cow to finance PaaS cloud migration. Somehow, the required cash to support cloud migration must be extracted from the $26 billion spent annually on O&M. Assuming level information technology budgets for the next five fiscal years—2012 through 2016—this represents an optimistic pool of $130 billion from which to squeeze at least 10 percent savings. This is the amount most likely needed to accomplish a high level of migration into the cloud-computing environment. Only after the department begins collapsing thousands of costly silos into a handful of PaaS clouds can it hope to migrate toward lower-cost operations.

PaaS clouds, when finally installed, will offer superior service levels, be more secure and operate at lower costs than the current collection of legacy systems. The issue is not what is theoretically conceivable, but how much cash will become available in the next five years from cutting back on legacy O&M operations. The question is one of timing: Is there sufficient time to make the necessary reinvestments so that the Defense Department can continue operating without increasing its information technology budget?

The first step calls for a business case for checking the financial feasibility of a PaaS. There are several total cost of ownership (TCO) models available to make such calculations. For the purposes of this article, the most mature cloud model will be used ( It was derived from the Alinean Corporation, where I was a founder and member of the board of directors.

I have estimated the five-year TCO costs for the Defense Department’s 4 million desktops and 200,000 servers. That TCO is about $15 billion per year, or 41 percent of total information technology spending. This estimate includes the costs of telecommunications and rising expenses for security.

The largest share of the department’s annual information technology costs is the average expense for the support of desktop operations, or $9.3 billion. This includes administrative support and downtime costs.

The average cost of $5.3 billion per year for servers is less than the cost for desktops. Though the department is concentrating on server virtualization, which can bring down server costs by more than 60 percent, this requires large-scale data center consolidation for which plans do not exist yet. Meanwhile, the largest short-term dollar gains can be realized from the adoption of virtual desktops. Concentrating on desktops can yield cash savings of up to $3.2 billion per year.

Estimated cash savings are based on TCO costs. Additional cost reductions could be obtained when a smaller number of PaaS clouds would shrink the expenses for existing data centers.

The virtualization of desktops, which shifts manpower costs from onsite support to server farms managed by automated network control centers, offers savings by operating a large number of virtual workloads per blade server. Administrators then can manage standard desktop images on clusters of blade servers to streamline security monitoring, access control and provisioning for every desktop.

Applying a conservative version of the Defense Department TCO model indicates that the five-year cost of 4 million desktops could be reduced from $46.7 billion to $30.8 billion using a gradual implementation schedule.

After five years, the cost of desktops would continue to shrink as devices are replaced by mobile wireless connections and by thin clients. With the addition of desktops from the Reserve forces, the National Guard, the service academies and contractors, additional savings could be realized.

As the control of desktops migrates to a few network control centers, more savings could be realized as existing server farms are consolidated through PaaS cloud operations. There would be, however, large capital expense for more powerful servers so that PaaS migration can proceed simultaneously with desktop virtualization.

Desktop virtualization, the primary cash generator for the next five years, improves business continuity and disaster recovery by activating automatic failover technologies. Such high-level reliability is needed because of the increased dependency of virtual desktops on central servers. This will require at least 99.9999 percent uptime for server clusters. These will have to depend on redundancy and not on hardware reliability to avoid downtime for individual desktops. Consequently, Defense Department PaaS data centers will be able to operate with less reliable, less expensive servers, but be able to achieve uptime by tolerating failures of redundant devices.

Desktop virtualization eliminates planned and unplanned downtime for delivery of high service levels. This is achieved by means of server redundancy and not by buying highly reliable servers. As a result, the current large penalty that ranges anywhere from 50 to 500 hours of email unavailability annually can be eliminated and counted as savings in administrative time. In addition, the load-balancing features of desktop virtualization make it possible to manage the storage capacity, which improves asset utilization.

Desktop virtualization reduces capital and operating system costs because the workload peaks can be dispersed across geographically separate regions while improving the sharing of spare capacity as the department workload migrates across time zones. It reduces the need for most of the local information technology administrative staff, as well as the contractor overhead at hundreds of server farms. It centralizes security management, makes real-time surveillance affordable and speeds up deployment of application upgrades and bug fixes.

The TCO calculations assume that the Microsoft desktop environment will persist for another five years. Upgrading from Windows XP to Windows 7 desktops can be included as a transition method for much cheaper open-source office solutions. Open-source cloud computing allows the department to place its operations with multiple competing vendors.

Added savings from open-source office solutions are large. The increased rate of adoption by personnel of a variety of consumer-grade wireless desktops will steer the department toward the installation of centrally managed PaaS solutions.

Perhaps the most important feature for enabling desktop migration is the ability to encapsulate legacy applications for migration into a standard PaaS setting. Encapsulation isolates applications from their underlying legacy environment, which includes the legacy operating system. Each legacy application can be packaged into a single executable code that runs completely isolated from all other applications and from every separate infrastructure.

With encapsulation, application packages can be redeployed simply by moving individual icons that originate from different Windows platforms. Such a move would eliminate costly recoding and testing.

Desktop virtualization breaks the links that individual contractors have traditionally wedged into each application. The department must break up the contractor-controlled versions of operating systems, along with the dependency on unique hardware. Virtualization eliminates the need to manage custom-fitted environments for each end-user device. After desktop virtualization is in place, a network control center can take over and deliver as well as update every legacy desktop and applications in minutes. This lessens the tasks of load balancing, testing, provisioning and supporting applications and desktops.

Desktop virtualization changes the way information security is implemented. Instead of managers installing antivirus and anti-malware solutions on individual personal computers, great improvement in security assurance can be realized by offloading almost all of the protection software and firewalls to centrally managed servers.

When fully implemented on a large scale, the annual TCO cost per seat has been quoted to be as low a $300 per year, based on seven-year depreciation. In this way, mobile Defense Department personnel will be able to connect with their personal desktop from any place in the world, while keeping up consistent security access restrictions.

Desktop virtualization also makes it possible to work offline, such as during airline travel or while on a military mission. Consequently, the virtual desktops offer a seamless and completely scalable user experience far superior to what currently is available.

The department should be able to standardize on similar client computing platforms so that equipment can be re-used instead of being junked when it loses its local utility. When each platform would be tracked with globally traceable radio frequency identification (RFID) tags, the multimillion dollar inventory of computing devices will make is possible to manage more than $28 billion worth of capital assets.

Centrally managed virtualized desktops can extend the management of local physical assets to third-party support contractors. This can include access by public cloud providers to process workloads not requiring compliance with Defense security requirements. This can be done without sacrificing control over security policies or administrative privileges. By using centrally managed oversight support, contractors would have no control over user authorization or user network access.

Virtual desktops are only a part of a greater puzzle of how the department can migrate to its objective operating in a private PaaS cloud. The adoption of virtual desktops can take place only after “commodity” applications such as email, calendars and collaboration methods are reorganized for cloud operations.

This is the final installment in Paul A. Strassmann’s series on defense information technology.


Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.