DISA Aims For Big Cost Savings With MilCloud 2.0
By William Matthews
Cloud computing is turning the information technology marketplace on its ear, driving down costs and speeding up application development. But many government agencies continue to hold back, worried about security, migration and cost.
Defense Information Systems Agency (DISA) officials believe they can overcome those concerns by building a commercial-grade private cloud exclusively for defense customers. Call it MilCloud 2.0.
“Why is MilCloud 2.0 important? Cost,” said John Hale, chief of DISA’s cloud portfolio, addressing a large industry audience at the AFCEA Defensive Cyber Operations Symposium on April 21. By leveraging commercial cloud services, DISA can offer cutting-edge commercial services at a lower cost than it can for its own cloud-like offerings.
Hale said MilCloud 2.0 aims to get more of the military to adopt cloud computing, while at the same time reducing the number of defense agencies creating separate cloud services.
MilCloud 2.0 would turn the bulk of military cloud computing over to the commercial sector, but with a twist. Like the CIA, which hired Amazon Web Services in 2014 to build an Amazon cloud for the intelligence community, DISA hopes to build a similar shared military cloud for its customers that will meet security requirements and also save the military money.
How secure is it? That’s the beauty of the approach, said Chris Burns, a vice president and technical director with General Dynamics Information Technology.
“The big advantage of building a commercial cloud inside a DISA Data Center is the fact that it lives inside DoD’s network security perimeter,” Burns said. That perimeter will be guarded by a set of Joint Regional Security Stacks that will control access to the entire Joint Information Environment. “By building the cloud inside JRSS, DISA drastically simplifies the business of connecting cloud service to DoD’s NIPRNet and SIPRNet networks and ensures a faster route to getting an Authorization to Operate (ATO).”
NIPRNet is DoD’s non-classified internet protocol network, while SIPRNet is its counterpart for secret communications. Tying into those two critical networks gets around the biggest hurdle to defense agencies adopting commercial cloud alternatives: Trust. Conventional commercial clouds reside outside the Department of Defense’s “trust” boundary, but MilCloud 2.0 won’t have that problem.
With the trust issue solved, potential cost savings should follow. How much money might MilCloud 2.0 save? Hale isn’t ready to say. “We don’t have a business case analysis” yet, he conceded in an interview. But the analysis DISA has completed so far indicates MilCloud 2.0 will be the least costly of the military’s cloud options.
DISA’s existing cloud offering, MilCloud 1.0, is also an infrastructure-as-a-service offering. It hosts more than 100 virtual data centers for 55 DoD organizations, according to Jason Martin, chief of DISA’s Services Directorate.
As DISA transitions into MilCloud 2.0, the agency hopes to substantially increase that number by driving down costs and passing the savings on to DISA’s government customer base.
Incorporating commercial cloud services promises a bundle of benefits, according to the Institute for Defense Analyses (IDA), which studied the matter for the Defense Department in 2015. These include:
- Custom cloud: DoD can build its own massive data centers on military property. This may be more secure, but it lacks the ability to leverage the scale and expertise of the biggest, most efficient commercial cloud providers.
- Shared cloud: Military agencies can pool resources to gain scale and efficiency by sharing cloud infrastructure. But while this can be less costly than running individual data centers, it still lacks the efficiency and scale of massive commercial operations.
- Commercial cloud: By spreading costs among a multitude of customers, these offerings are inevitably the least costly, Hale said.
MilCloud 2.0 would be something else again: A commercial cloud, built, operated and maintained by commercial cloud service providers on DoD property, used exclusively for DoD data and users.
That’s a major shift from today’s MilCloud 1.0, built, operated and maintained by government employees on government property using commercial off-the-shelf technology.
Like MilCloud 1.0, MilCloud 2.0 will offer infrastructure as a service, meaning it will house servers and storage, for a use-based charge, Hale said.
By centralizing infrastructure, customer agencies can gain a number of benefits from commercial cloud models, IDA’s study found:
- “Rapid improvements to infrastructure, services, and technology” that would not be possible for government-operated systems operating government-owned equipment.
- Instant access to new services. “When commercial cloud providers add new services, the provider’s customers can immediately use those services. When providers add new processing or storage capacity, consumers across the entire cloud infrastructure can see those speed improvements.”
- “On-demand elasticity in IT services.” Commercial cloud services are designed to manage rapid fluctuations in user demand.
- Mission focus. Switching to commercial cloud services would allow defense agencies to focus on their core military missions and leave IT services to commercial experts.
- Cloud providers’ prices are decreasing. Between 2008 and 2014, for example, Amazon Web Services announced 42 price reductions. Commercial vendors are better situated to continue to wring greater savings out of every upgrade.
That gets back to the cost question. With commercial cloud providers, “you only pay for the compute you use,” Hale said, or as others at DISA say, “pay by the drink.” However, when the military owns and operates its own equipment, it pays for computing capacity that is often not fully used. Commercial clouds leverage that excess capacity by spreading the infrastructure across a larger user base. The result? Hale said: “You can save a lot.” But the reverse is also true, he added. Cloud users can end up paying more if they fail to control their usage.
More important still: security.
“Security and privacy of the data in the cloud is a critical issue,” the IDA reported. “Cloud promotes a shared environment in which multiple cloud tenants leverage the same infrastructure. Technical controls create virtual separation of data and applications for different tenants, but there are concerns that some users could [find ways to] access data across the virtual boundaries.”
DISA’s solution, like that of the CIA, is to ensure its data doesn’t mingle with anybody else’s. By letting a vendor build and operate MilCloud 2.0 on a military facility, and limiting access to its computing resources (networks, servers, storage and the like) to military customers only, DISA gains the best of both worlds.
Even then, it is almost certain that some highly classified data will be deemed too sensitive to be allowed on MilCloud, Hale said. “Nuclear command and control” data, for example, will not be sitting on a shared server. Anywhere.
DISA spelled out its requirements for commercial cloud providers in a 213-page Cloud Computing Security Requirements Guide published in March.
As of late April, DISA had assessed some 45 commercial cloud providers for their ability to meet security requirements, Hale said. Of those, he expects four or five to be certified as suitably secure providers by late 2016 or early 2017.
MilCloud 2.0 is to be built in two phases. Phase 1 is to begin late this year, when a single commercial cloud provider is selected to begin assembling the cloud in two military data centers. In this phase, the cloud will handle only unclassified data. DISA’s main focus will be “to figure out the business of hosting a DoD workload on a commercial cloud,” Hale said.
Later, during Phase 2, the cloud will expand to more Defense Department data centers and will begin handling classified and unclassified data, he said. At that point, military customers will be able to buy MilCloud 2.0 services through DISA’s catalog, Hale said.
MilCloud 2.0 will not begin to replace the current MilCloud 1.0 until Phase 2, Hale said. How soon that will happen isn’t clear. Indeed, the Phase 2 acquisition strategy has yet to be determined, he said.
What is clear is this: MilCloud 2.0 will have to compete for business, said Jason Martin, chief of DISA’s Services Directorate. No one will be required to use MilCloud 2.0.
“Cost will drive their decisions,” Martin said. “Our belief is that we will offer the most cost-effective portfolio.”