DoD Seen Hosting Commercial SaaS Apps
Eliminates Security Concern of Public Net Access
"We're actively working with software-as-a-service vendors to put instances of their software inside our secure facilities," Henry Sienkiewicz, technical program advisor for the Computing Services Directorate at the Defense Information Systems Agency, tells GovInfoSecurity.com.
Sienkiewicz, who's helping shape DISA's cloud computing initiatives, declined to identify which commercial applications are under consideration until DoD strikes deals with the SaaS providers.
The Defense Department would like to exploit the efficiencies offered by software as a service, but won't access commercial providers' sites over the public Internet because of security concerns. The next best alternative: host the applications on its own cloud situated behind a firewall. "We're big enough to be our own cloud," Navy CIO Robert Carey says in an interview with GovInfoSecurity.com. "The GIG, the Global Information Grid of the DoD, is quite a large cloud to itself. ... The obvious opportunity is to keep it inside ... the DoD."
In essence, DoD would act as the SaaS provider to various agencies that would access the applications over the internal cloud. Each agency would be charged for the service it uses. That's a different model than the existing one, where agencies ran their own software on their own servers, paying for them out of a capital budget. With SaaS, payment will come from the operations and maintenance budget.
DoD and the commercial vendors would share responsibility in maintaining the SaaS offerings on the Defense cloud. For instance, DoD employees running the data center would provide levels 1 and 2 user support for the hosted applications, but tier 3 support would come from the commercial vendors' engineers who have appropriate security clearance.
Sienkiewicz says a similar process has existed within Defense for the past three years, since the department switched to a storage-service model. "This notion of we running level 1 and level 2, and working with vendors for level 3, that's actually already embedded in our business processes," he says. "We have worked that model out, and for us, it's a proven model."
Still, even hosting the applications within DoD's firewall presents IT security challenges. "We have to ensure that we have the right security and access controls all the way through the environment, and not just at the initial access level," Sienkiewicz says. "There are attributes inside multi-tenancy applications (software servicing multiple clients) that we have to ensure that individuals cannot have access to information that they, obviously, should not have access to."
Though DoD is aggressively looking for better ways to secure cloud computing, it will be very deliberate in rolling out services. "We are, obviously, very cautious because we know that what we do directly impacts American war fighters in the field, and their security is foremost in our minds," Sienkiewicz says. "If you see us erring on the side of being cautious, it's because we believe we have a very valid reason for doing so.
"We also recognize that the best way we serve the war fighters is to find the appropriate innovation and introduce them as rapidly as we can securely do it."