Tim Solms

COMMENTARY

5 ways the public cloud can go wrong for DOD agencies

Governments around the world are taking a leap into the cloud. New deployments are popping up every day, in large part because the cloud model has the potential to help agencies save on infrastructure and storage costs, pay “on-demand” for the services they use and access computing resources from any location. 

But listing the benefits is easy. The real challenge is evaluating whether a cloud solution can provide these advantages while still meeting the unique privacy, security and compliance needs of large and complex government agencies.

This is especially true for the Defense Department, which has gone on record about seeking a balanced approach to cloud computing, ensuring that key concerns such as security remain a top priority during the transition. 

As defense agencies embrace cloud computing, many are finding that cloud solutions deemed good enough for consumers can’t handle their unique requirements. So here are a five things to think about when evaluating whether a cloud solution is truly ready to support your mission.

1. Total cost of ownership

We all love low sticker prices, but determining the total cost of ownership (TCO) of an enterprise cloud solution is far more complex. To do this, it is important to think big picture. There are long-term costs around accessibility, device support, interoperability and scalability that have to be factored into ROI considerations. If a consumer cloud solution doesn’t come equipped with enterprise-level tools, it will have to be supplemented with expensive third-party “add-ons,” which increases complexity while negatively affecting your agency’s bottom line. 

Say a defense agency just bought a consumer cloud productivity solution that doesn’t allow it to encrypt messages, sort e-mail or designate a file as confidential. Now that agency has to go shopping for those capabilities. It’s like entering a Smart Car into a NASCAR race.  Even though the sticker price was great, after you replace the engine, modify the body, buy new tires and slap on a new paint job, you end up spending more than Dale Earnhardt Jr. spent on his car. 

And because your car was patched together, and not built for this type of race from the start, you’re less confident in your prospects for success. 

2. Security and privacy

Most of us use cloud-based e-mail applications for our personal mail, and as much as we care about our privacy and data security, our concerns pale in comparison to the highest level security requirements of defense agencies. These organizations are responsible for protecting highly sensitive information that directly affects our national security and economic stability. Security certifications are important, but there are other factors to consider as well. In defense agencies, IT leaders typically start with one very important question: Where is my data located? Data location matters. Does it stay in the U.S.?  Who has access? What other data lives in that environment?

It’s also important to remember that all data isn’t created equal. Some types of information are more sensitive, which is why many defense agencies operate mixed or “hybrid” IT infrastructures consisting of both cloud and on-premise resources. For example, a defense agency may want e-mail and collaboration in the cloud, but financial or classified mission data on-premise. This requires a solution capable of offering both options and integrating the two environments to simplify usability and management. 

3. Functionality

There shouldn’t be a penalty for moving to the cloud. Defense agencies shouldn’t have to sacrifice functionality to take advantage of cloud computing. They should be able to enjoy the same innovative tools and capabilities they’ve come to expect from their traditional on-premise software in both connected and disconnected network environments.

As DOD expands its cloud portfolio beyond e-mail to include collaboration (such as chat, document collaboration and video conferencing), Web hosting, and enterprise resource planning (ERP) solutions, there can’t be a decline in functionality. A guarantee of functionality will involve thorough testing and deploying pilots.

4. Records compliance

In the cloud, records should never be lost in translation. Important documents must remain consistent as they move in and out of the cloud. That’s particularly critical for defense agencies, where official documents are essential to daily operations.

Some cloud offerings do not maintain such data integrity, and can potentially disrupt formats, discard data or removing key features like watermarks. Considering the volume of sensitive intelligence reports managed by defense employees on a daily basis, this information is too important for record inconsistencies. That goes for archiving and data retention policies as well. Regulations put forth by the Government Records Act, the E-Government Act of 2002 and National Archives and Records Administration must be observed in the cloud just as they are in any other environment.

5. Support

Defense agencies need confidence that their cloud provider is there when they have product questions, experience service disruptions or are ready to upgrade to a new service. This comes in the form of customer support, service-level agreements and product road maps. 

Complex defense enterprises can’t have their personnel spending time searching the Internet for information on how to use a certain cloud-based tool. They need access to experts who are available and accessible 24/7. Guaranteed uptime and robust SLAs are paramount for defense agencies, which can’t afford to be without mission-critical computing resources for extended periods of time.

And lastly, defense agencies should demand clear product road maps in order to know where their cloud solution is headed. Enterprise-ready cloud solutions should have a long-term vision and coherent development process that matches defense needs and risk tolerance.

The lesson

Look before you leap into the cloud, because not all “best of breed” solutions are created to support the needs of defense environments. Evaluate which applications are good targets for the cloud by looking at the sensitivity of the data the application maintains, and then map your risk tolerance to the cloud providers security features and deployment model that best meets your needs (public, private and hybrid).

Conducting the right research on the front end will prevent any hidden surprises, helping you choose the best solution for your agency’s unique mission. 

Reader Comments

Thu, Jun 28, 2012 EricE

Wow - I've read some luddite chicken little anti-cloud pieces in the past, and while overall the article is not technically incorrect... Really? For email, all the major vendors (Google, Microsoft, Amazon, associated resellers) have FISMA compliant government only semi-private clouds that I guarantee offer better archiving, discovery and records management than 90% of the in house agency solutions out there today. Probably complying more fully with all the security regulations as well. For anyone to even hint that an agency is going to just go to Google.com and sign everyone up for the same Gmail account you get at home is, I really hope, preposterous! And even with all that, the providers are doing it cheaper than in house because once they get FISMA, OMB A-130, Clinger Cohen and the rest of the hodge podge of federal information security regulations figured out, their done! They can leverage that, just like they leverage their standard service offerings, across all of their government customers. It's not rocket science nor smoke and mirrors pie in the sky fantasizing either. Now, once you get past email, things get more interesting but FedRAMP is your friend and starting place (mandatory too) for figuring out if a potential cloud solution is a good fit. But this article seems like it woudl have been far more appropriate three years ago when cloud was completely new and uncharted territory, not here in 2012.

Tue, Jun 19, 2012

As usual, they miss one of the key issues, accessibility under worst case scenarios. If there is a major natural or man made disaster, that's when we need the information the most and that guarantee isn't there with the cloud. Aside from the possible physical interuptions of service, the cloud is run by civilians with family and other concerns that may keep them from doing what needs to be done regardless of the risks involved.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above