The Defense Information Systems Agency is among the few government agencies actively involved in cloud computing.
Helping lead its efforts is Henry Sienkiewicz, technical program advisor in DISA's Computing Services Directorate. He sees cloud computing as another way information technology can serve the nation's war fighters by finding appropriate innovations and introducing them as rapidly as they can be secured.
Sienkiewicz was interviewed by GovInfoSecurity.com managing editor Eric Chabrow.
ERIC CHABROW: What is your definition of cloud computing?
HENRY SIENKIEWICZ: Our general definition of cloud computing is really a style of computing where we have massively scaled and elastic IT service-related capabilities, provided as a service to our constituents, using Internet-based technologies.
We are looking at four new things inside this cloud computing paradigm, and it is a change on the acquisition model where we are buying these IT services as services, a change in the business model where we are paying for use, where we are trying to incent behavior patterns, where users, either our war fighters or our developers, are actually paying by the sip, so that they are using resources and paying for resources as they consume them, and they are not overbuying.
The access method is using Internet-based technologies. We, as a Defense Department, have done heavy pushes into net-centric services and delivering these services using Web 2.0 or Web 2.5 technologies to any device across the world. We have a large number of our war fighters who are in, what we consider, disadvantaged space. They have a small pipeline and we are obviously adopting our technologies to support those war fighters.
The models are scalable, commodity-based, elastic, dynamic multitenant technologies underneath the covers. All of those obviously have some security implications.
While we look at cloud computing across the board, there are different types of clouds out there: platforms as a service, infrastructures as a service, applications as a service and software as a service - the four areas that we inside of DISA have been focusing in on.
One of these initiatives that was launched this year is our Forge.mil, which is one of our entrees into applications as a service, where we have launched our version as a SourceForge.net, the open source development environment that is inside the Defense Department. It is behind the DoD firewall; it does require our common-access card to access it, but we have an open source development environment with approximately 1,000 users and approximately 50 projects at this point in time.
We are trying to address the security on the cloud environment through policy and through technology. We obviously ascribed to the DIACAP (Defense Information Assurance Certification and Accreditation Process) and the DITSCAP (Defense Information Technology Security Certification and Accreditation Process) processes; we follow the traditional certification and accreditation methodology inside the Defense Department. We are working with partners to try to streamline that process and we are looking at some other approaches. We are working with other partners inside and external to the government on finding better ways to streamline the processes, such as a host-tenant model, where we certify that the operating system as a host and the tenant, the new application, goes through a streamlined process of certification.
As one of the potential ways that we think we can solve the rapid introduction of innovative applications inside the department, we are working with vendor partners on trying to ensure that our virtualized environment, which is one of those enabled inside that cloud environment, is able to go there and have the proper levels of security and authorization so that there is not a cascade effect of data leaking between different environments. We inside of computing services have really standardized on VMware as our virtualization platform. We are working with the VMware community to ensure that we can add additional security functions and features.
CHABROW: Everything you are doing in the cloud right now is behind the firewall, correct?
SIENKIEWICZ: We look at the three models that are out there for clouds. There is the public, there is the private and there is the hybrid. Right now we are primarily focused on a private cloud built inside the Defense Department.
Are we also working with software service vendors who put instances of their software as a service inside a DoD environment? Yes, we are. We are actively working with software service vendors to put instances of their software within our secured facilities and have a model of charging by the sip.
CHABROW: Functionality would be very similar to what private business would get over the Internet?
SIENKIEWICZ: Yes. That is the exact model we are using. We are working with a number of vendor partners to take instances of their software - CRM (customer resource management) packages, back-up recovery packages, host-based security solutions, end-to-end modern training tools - and move it from their data centers into our data centers and allow DoD customers to access those services on demand as they need those types of applications.
Who would be monitoring those applications to ensure performance and security? For monitoring security and maintenance, DISA obviously engages with the vendor partners on a regular basis for high-level maintenance and support. Those applications that are running inside our data centers, we, DISA, would provide level one and level two support, initial contact, initial help, some troubleshooting. But for the high-end engineering support, we would obviously be in partnership with the actual vendor partner. We do not envision taking that role over.
CHABROW: Though you are behind the firewall, what are some of the major security concerns you still have about cloud computing?
SIENKIEWICZ: We have to wrestle with a few things. One, we have a culture change. We also have to recognize that multi-tenancy application, which is at the heart of most of this software as a service application, is a little bit of a different paradigm for us and we have to ensure that we have the right security and access controls all the way through the environment and not just at the initial access level. There are attributes inside multi-tenancy applications that we have to ensure individuals cannot have access to, information obviously that they should not have access to.
CHABROW: How aggressive will DISA be in deploying cloud computing solutions?
SIENKIEWICZ: We are obviously very cautious because we know that what we do directly impacts American war fighters in the field. Their security is foremost in our minds and it is something that we take into our daily problem set. If you see us erring on the side of being cautious, it is because we have a very valid reason for doing so. But we also recognize that technology and innovation do drive where we as an organization are, and it is the best way that we can serve the war fighters, that is to find appropriate innovations and introduce them as rapidly as we can securely do it.