Reactions to Cloud Strategy Only Partly Sunny
The cloud strategy document released this week by the U.S. Defense Department is drawing mixed reactions from industry and military officials. Experts welcome the strategy as an important step toward modernizing the department’s infrastructure but also express some concerns and note that many questions remain.
The cloud strategy incorporates multiple cloud providers, including the first-ever enterprise general-purpose cloud, known as the Joint Enterprise Defense Infrastructure, or JEDI, which is expected to help the department to put in place enterprise cloud solutions to meet its needs, explains a written announcement accompanying the strategy. The general-purpose cloud can be used by employees who need large-scale computer power at their fingertips.
But because a general-purpose cloud cannot meet every Department of Defense (DOD) need, the department also will use fit-for-purpose or special-purpose clouds. For example, cloud capability allows the DOD to communicate with other agencies, which could be categorized as special-purpose. Internal-purpose clouds will be for in-house needs, such as office tools.
The strategy is drawing both praise and concerns from cloud computing experts. Maria Horton, founder and CEO, EmeSec, a Chantilly, Virginia, cloud service provider, says she is happy to see “clear guidance coming forward” from the department. “It affirms for me that there’s no turning back from the cloud-first strategy. That signifies that we are modernizing,” Horton says. She also says she loves the fit-for-purpose, multicloud concept.
Like some others, however, Horton is not enamored with the JEDI portion of the strategy. The Pentagon will pick a single company for the 10-year, potential $10 billion JEDI contract. The approach is often criticized because it is seen as favorable toward Amazon Web Services, which already provides classified cloud services to the intelligence community. Critics also allege it will reduce competition, choke innovation, potentially raise costs and ultimately invite cyber risks.
“It’s reminiscent of betting on a single horse. I’m going to pick a winner, and I’m going to ride it for 10 years? Seriously? Probably the length of time bothers me more than the single player, single winner,” Horton states. “Think about it as if the only type of food you could get was Burger King. If I’m the only company in play in the market, I have the right to charge you whatever I want because I have a long-term contract that says you have to buy from me.”
She also argues that nefarious hackers will have an easier time infiltrating a cloud infrastructure owned by a single company. “If I’m a hacker from China or from Russia, I now know the infrastructure is owned by a single company for 10 years and that they’re only going to make so much of an investment,” she notes.
Horton recommends DOD officials include provisions that allow them to get out of the JEDI contract if the provider does not perform up to expectations, and she suggests they award two contracts. “They’re trying, in my opinion, to eliminate the problems of sharing data. They think that by having a single provider, that will eliminate that business process issue. I don’t think it’s a technology issue but a business process issue that prevents the sharing.”
Overall, Horton indicates she likes much of what she sees in the strategy. “I think it’s a positive move. There are some potential risks—not technology risks, business practice risks.”
Dana Deasy, the DOD chief information officer, defends the JEDI approach. “What JEDI is simply helping us to do is to find a partner to help us learn to build clouds at enterprise scale, learn how to secure them the right way, learn how to use the tools, learn how to build applications from a cloud mindset,” he said in the October issue of SIGNAL. “We need to start with a partner to do that,” he asserts, stressing the article “a” to emphasize that it needs to be one partner.
The strategy establishes seven objectives:
Enable exponential growth in data because “As the quantity of raw information production increases, so does the struggle to organize, analyze and distribute that information to make critical decisions,” the document states.
Scale for the episodic nature of the DOD mission, which will “gain significant efficiencies in the execution of mission capabilities and cyber operations by fully embracing the dynamic elasticity of commercial cloud infrastructure.”
Proactively address cyber challenges to “ensure the security of these large amounts of data and to safeguard the information.”
Enable artificial intelligence (AI) and data transparency, which will allow decision makers to “use modern data analytics, such as AI and machine learning (ML), at the speed of relevance to make time-critical decisions rapidly in the field to support lethality and enhanced operational efficiency.”
Extend tactical support for the warfighter at the edge to serve “mission owners in every environment, across the range of military operations, from the tactical edge to the home front, both CONUS [continental United States] and OCONUS [outside continental United States], and at all classification levels and disseminations.”
Take advantage of resiliency in the cloud, allowing for “continuity of operations and efficient failover in times of crisis and operational disruption.”
Drive DOD information technology reform, providing the department the ability to “further consolidate its sprawling data center assets.”
Steven Boberski, vice president of business development for Collab9, a provider of secure cloud communications, praises the department’s focus on commercial solutions, saying it will open up opportunities for nontraditional defense companies, leverage innovation and save time and money. He suggests, however, that many commercial cloud vendors are still unclear how to work with the DOD. “There’s still some education that has to happen out there, but the word is getting out. The DOD’s being amenable to approaching secure commercial applications rather than having to build really expensive custom apps is a great move.”
Boberski also says the department may need to revisit the Joint Regional Security Stack initiative, which is designed to perform firewall functions, intrusion detection and prevention, enterprise management, and virtual routing and forwarding while providing a host of network security capabilities. “It’s so old at this point because it’s taken so long to roll out that it’s an impedance for something like cloud communications. It’s a great concept, but the architecture is a little older. Right now the way it’s provisioned, for something like real-time traffic, voice, video, you have to either poke a hole through it or go around it. It slows things down,” Boberski says.
The strategy emphasizes a “warfighter first” approach. “At all times the DOD needs to ensure that cloud is addressing the needs of improving military lethality,” the document states. Horton expresses concern, however, that support services, such as medical care, could suffer. “How, if the warfighter is first, are you going to bleed off the bandwidth and infrastructure for the current medical applications? What’s the strategy for those lesser warfighter support services?” she asks. “They should soon address those other implications.”
Maj. Ryan Kenny, USA, operations officer for the 516th Signal Brigade, says it will take some time for the services to work out the details for implementing the strategy. The Army, for example, had already embarked on a plan to consolidate data centers into a series of Army Enterprise Data Centers, two of which will reside within the 516th. That process affects information infrastructure, task organization decisions and talent management across organizational boundaries.
With a new cloud strategy added to the mix, lower-level organizations are left with questions to answer and challenges to overcome. “If you look to our commercial partners, DOD is clearly behind in going full bore on cloud. However, from the security perspective, from a management perspective, from an efficiency perspective, most IT professionals will say we need to get there faster,” Maj. Kenny says.
As important as it is to drive to a unified vision for cloud services, some concerns remain. “The military needs to get to a cloud solution for efficiencies, security and governance, but the challenge right now is that there is some misalignment between current strategies and on-the-ground realities. For example, transport and network infrastructure and management tools will require improvements and modifications,” Maj. Kenny points out. “Likewise, some subordinate organizations will be required to take on new responsibilities while divesting of others. All of these second and third order effects should be considered as this process unfolds.”
For the strategy to work in the future, Maj. Kenny adds, certain steps should begin immediately. “All of these efforts will add value in the long run, but significant parallel planning between policy makers, procurement drivers, and mission executers needs to take place now.”