Sponsored Content: Getting DoD to the Cloud, Faster

As the U.S. Department of Defense (DoD) drives forward on its cloud strategy, development teams and chief information officers alike are looking for faster ways to deploy new capabilities, proactively address cybersecurity challenges and take advantage of the resiliency of cloud operations.

The DoD has embraced the cloud to achieve speed, security and scale. The focus is now on clearing the blockers that have slowed deployment in order to accelerate the adoption of new services and unlock the transformational capabilities of cloud for the DoD enterprise and warfighters at the tactical edge.      

The DoD has recognized, for example, that, “Cloud can help unlock the benefits of DevSecOps [development, security, and operations], incorporating security continuously throughout the application development lifecycle,” says Derek Strausbaugh, chief technology officer for Microsoft’s Department of Defense business. “We’ve spent a lot of time working with DoD to develop DevSecOps accelerators so they can build, test, deliver and operate secure apps in a continuous fashion and get them quickly authorized to operate.”

This addresses one of the core challenges many DoD customers still face: Legacy processes for compliance that can hold up or create friction for cloud adoption.

“The authorization requirements for cloud security are vital but the supporting processes and documentation inputs to meet the requirements are not designed for cloud speed,” says Strausbaugh. “Our goal is to help our customers use cloud-native automation and governance constructs to provide predictable input to speed up the processes and documentation needed to meet those requirements.”

To address these friction points, says Zach Kramer, partner engineering manager at Microsoft Azure Global, his team began by “stepping back and letting the data answer the question. … We conducted hundreds of hours of interviews with teams driving cloud adoption in DoD.”

Two underserved needs emerged from the research the team did, says Kramer:

• The need to create a secure cloud enclave
• The need to document security to get authorization to operate

“We realized we could provide solutions for both in software,” says Kramer, “I can build a secure infrastructure that is defined in code. And then I can use that code to automatically generate documentation and descriptions to show why that is secure.”

The DoD’s approach to risk management “is about getting the right information in the hands of the right folks to make a risk decision quickly. That is what unlocks the ability to deliver innovation to the DoD,” Kramer explains. This means compliance requirements at every level can be met and documented by cloud infrastructure — massively speeding time to value for DoD cloud programs.

Initiatives such as the Defense Information Systems Agency’s (DISA’s) Cloud Computing Program Office (CCPO) show the DoD’s determination to learn from the private sector when it comes to cloud deployment, says Strausbaugh. “DoD’s focus on using cloud has really shifted from a legacy mindset ... to learning from and adopting best practices from the commercial sector. DoD is leaning forward and strengthening strategic partnerships to move faster. Our collaboration with the CCPO is a great example.”      

Microsoft has partnered with DISA CCPO to produce DoD Cloud Infrastructure as Code (IaC) for Azure. A compliant cloud infrastructure is one thing, says Kramer: “That gets you part of the way. Then you need a security boundary. How am I monitoring and logging it? How am I securing my virtual machines and containers? And that’s what IaC delivers, the secure boundary on top of the infrastructure.”

In some cases, DoD Cloud IaC for Azure will help reduce the timeline to deployment from 30 weeks down to potentially as little as 2 hours.     

IaC provides pre-authorized cloud instance baselines that can serve as a platform to host mission critical apps, and Microsoft is piloting software that automates much of the laborious security documentation. “The authorizing official can accept the prior authorization granted to this IaC template,” explains Kramer, and the software automatically populates the answers to compliance questions, “so you no longer need to go gather a bunch of spreadsheets or take screenshots. The system communicates directly with those audit tools to say: Here’s the state of the system.”

More importantly, Kramer points out, the software will enforce the preprogrammed policies with the rigor of code. “The cloud will not allow you to deviate from what you described in your system security plan and you can get [real-time] dashboards that show your compliance. It shows whether you’ve got your monitoring turned on, your two-factor authentication turned on, and that all makes for an easier risk management decision.”

Azure also offers solution templates for Security Technical Implementation Guides, or STIGs. STIGs are sets of parameters for installation and operation for certain kinds of networked equipment that can run to hundreds of pages. STIG templates in Azure lighten the burden of adoption and can reduce the time to obtain compliance for virtual machines from three weeks to three hours, according to Wes Anderson, Microsoft Federal vice president, Customer Success.

But the real security paradigm shift the cloud represents for DoD, according to Anderson, is the ability to monitor compliance on an ongoing basis. “Authorization in the past has been a point-in-time exercise,” he explains. “Continuous authorization and the tools we’ve built to achieve that mean you can start secure and remain secure.”

Done right, cloud can also enable enormous cost savings, for example in the ability to migrate mainframes to cloud for orders of magnitude lower operating costs.

To take one example, the Air Force, partnering with DISA and Astadia, last year migrated its Integrated Maintenance Data System-Central Database (IMDS) from a Unisys mainframe to Azure, using a fusion of Information as a Service (IaaS) and native Azure Platform as a Service (PaaS), leveraging DevSecOps processes that enabled developers to drive 480-plus targeted code fixes across 60 releases. The move reduced the maintenance costs of the application—which tracks spare parts for combat aircraft across the global USAF infrastructure—from $30 million a year to $3 million and allows the Air Force to achieve many firsts for this application: elastic scalability, disaster recovery and failover across regions, point in time recovery for code and database, and the ability to spin up ephemeral forensic test environments at will.

The migration also makes the database more accessible by forward-deployed maintenance personnel and means it’s updated more frequently.

“We’ve been on a decade-long journey with DoD, during which they’ve been adopting cloud capabilities,” says Strausbaugh. “Going from contracting to deployment of simple business applications to enabling cloud usage for business-critical applications like IMDS is representative of progress in that journey.”

Along the way, we’ve learned a lot from each other,” he says. “There’s been a lot of necessary cultural change and workforce enablement that are typical of any large organization trying to move
from one model of operating to another but migrations like this really begin to open eyes that moving and modernizing even the most challenging legacy applications in the cloud can create real business and mission value.”

Anderson adds, “To help the DoD move mission workloads in weeks instead of months, we offer expert guidance from cloud architects and engineers, along with free migration programs and training to accelerate the cloud journey for our customers, and ultimately, their success. We find this is essentially creating a bridge to help our customers rapidly harness the benefits of cloud
to accelerate their mission.”

For more information, visit azure.com/gov