The Blog

Lessons Learned from the First DOD Applications Migrated to the Commercial Cloud

Relevant links are at the bottom of this post.

Jack Wilmer, vice director of the Defense Information Systems Agency’s (DISA) Development and Business Center, spoke about the security, culture, and business process challenges associated with migrating applications to the commercial cloud during the fifth annual MeriTalk Cloud Computing Brainstorm. The event, held June 15 at the Newseum in Washington, gathered more than 200 cloud thought leaders from across industry and federal government.

“We’ve learned a tremendous number of lessons with just the first couple of apps that we moved [to the cloud],” said Wilmer.

As the Department of Defense (DOD) and other government agencies begin to see the benefit of increased speed, agility, and cost savings from cloud offerings, discussions are starting to focus on the steps beyond initial migration. Leaders are drawing upon lessons learned to help shape the future of cloud computing and address security, interoperability, and data portability.

Securing Applications in the Cloud

“From a security perspective, we need to defend the applications in the commercial cloud,” said Wilmer. “We need to define our relationships with cloud providers, and then find a way to have scalable solutions, at cost, for individual applications we take care of as a service out of our own data centers.”

For example, if a particular tool is used to scan various applications in a DOD data center, once those same apps are migrated to the commercial cloud, another virtual machine would need to be set up to run the same scanning tool and then scan the same applications. If every application had to go through this process, the cost could exceed the savings.

The solutions DISA is trying to find, according to Wilmer, are the enterprise and service-level capabilities that will enable organizations to move their capabilities to the cloud with the same level of assurance they had when running inside a DOD data center.

Wilmer also reminded attendees that commercial cloud service providers (CSPs) must meet the government-wide Federal Risk and Authorization Management Program (FedRAMP) standards for security assessment, authorization, and continuous monitoring for cloud products and services. CSPs must also follow the additional DOD provisions that are layered on top of FedRAMP for sensitive and mission critical data.

Culture and Business Process Changes 

“Our cybersecurity service providers across the department have a very effective way of defending apps [within DOD data centers],” said Wilmer.

The challenge, he said, is in understanding how operators will be affected once new cloud providers, and even application owners, are integrated into the process. For example, how will it affect the operators’ dashboards if a security event occurs inside an app? Wilmer said a change in the way of doing business and operating systems may be necessary.

“We need to train up operators in how to do business differently,” said Wilmer.  “They’re going to be getting different feeds of information, potentially with different levels of detail, through the CSP in different ways that they’ve previously accepted. How are they going to integrate that into their processes to make sure they can accurately detect and defend our capabilities?”

Planning for the Future

Wilmer concluded by challenging cloud professionals to think beyond initial migration into the cloud, and to be mindful of some potential barriers to getting out of the cloud. He urged leaders to understand, while there may be economical benefit for moving to the cloud, there is a cost of pulling data and applications out of the cloud, or moving them to the next capability.

“I don’t think these are barriers that should stop anyone from moving to the cloud, but they should be given some thought,” advised Wilmer, “so you’re not locked in, with no ability to migrate out at some point in the future.”

Published June 23, 2016