First step in cloud for DOD: Cutting through the confusion

Cloud computing may be the biggest buzzword in government IT, but that doesn't mean everyone completely understands what it means. Still, clearing up the confusion has never been more crucial, as the Defense Department looks to move critical networks and functions to the cloud, according to two top industry executives who spoke at the AFCEA C4I conference May 25 in Fairfax, Va.

“Soon [DOD] will have more devices than people on the network ... sensors will eventually outnumber people 10 to 1,” said Dan Kent, director of federal solutions at Cisco Solutions. “We’re going to have the ‘Internet of things’ – where there are more machine communications than user communications.”

With so many options available under the umbrella of cloud, confusion abounds and DOD must be careful to choose the right solutions for mission needs. For example, infrastructure-as-a-service and software-as-a-service are both becoming increasingly common options, but each have different requirements, Kent said.

Related stories:

“Cloud is everything and that has helped lead to confusion,” Kent said. “It’s important to understand the different point values of cloud and the effect they have on the organization. You need a portfolio of clouds – there’s no one answer.”

According to Dale Cline, CEO of netForensics Inc., there are other important  needs and concerns in front of cloud implementations as well. He said any cloud solution must have elasticity, with which the environment can be built up and taken down as necessary, and users must have on-demand capabilities with quick, fluid identity access controls.

Both executives agreed that no cloud conversation can take place without discussing security.

“Cloud is creating a nightmare for some organizations ... so you need proper defenses and pooling of knowledge in the industry,” Cline said. Though many companies may be hesitant to share information, Cline said that, when it comes to security, the barriers come down a bit.

“I don’t know of any vendor that would withhold critical security information from other vendors to try to maintain an edge,” Cline said.

The variety of cloud solutions also requires an accompanying variety of security measures, especially identity access control, both speakers agreed.

“It’s important to remember that cloud is end-to-end and all points have to be secure – you need to have end-to-end security capabilities,” Kent said. There must be multiple layers and segmentation for data security, and application security must be “whole stack,” protecting data ranging from the end user to data at rest, he said.

“It’s like Facebook – you need to be able to let the user access Facebook, but not Farmville. That’s hard to do, but it’s necessary,” Kent said.

The emergence of cloud at the federal level is also creating many questions over ownership and responsibility – another example of policy needing to catch up with technology, the speakers said.

For example, who owns the data and who’s responsible for protecting it if it’s being shared? Kent said that very debate is currently ongoing on Capitol Hill, but solutions are unclear.

“The lines of demarcation are tough ... it’s about risk assessment to start; what is your organization willing to live with? From there you have to define what policies should be in place – and you have to balance the risks and benefits,” Cline said.

But Cline and Kent believe that DOD is on the right track.

“DOD has some of the best security policies and infrastructure ... but there are unique issues [including] in terms of personnel,” said Cline. “We’re seeing greater flexibility in [acquisition] cycles and more flexibility with testing. Requirements are moving upstream away from simply the lowest common denominator to, ‘We can deploy the latest technology.’ The idea of ‘make it simple, stupid’ is disappearing.”