DoD does not have the software talent and cannot afford to acquire it in the next few years. DoD does not have the capital or the time to construct several billion dollar cloud data centers. DoD migration into the cloud environment can be only incremental. There are thousands of legacy applications that can be relocated to the cloud only gradually. DoD must rely on a hybrid approach during the transition of legacy systems from the current environment. During such a transition the capacity of any cloud operations would be vastly under-utilized.
The structure of current DoD operations shows a great diversity in meeting security requirements. From a less demanding security standpoint, there are $4.6 billion of business applications that may be easier to relocate. War fighting applications, ranging from NIPRNET to SIPRNET, are $11.7 billion. These are demanding and must migrate into a cloud only under conditions that guarantee no loss of data. In addition, there are applications that are compartmented and would always remain off the cloud, running on DoD organic assets. However, the overarching problem for DoD is the $15 billion devoted to its infrastructure. DISA and diverse Agencies have attempted to support every security requirement for every DoD application and have not succeeded so far in delivering a unified approach.
One of the options that DoD should explore now is the hosting of its diverse requirements in commercial operations that deliver secure hosted clouds. In such arrangements commercial firms offer IaaS, PaaS or SaaS services. DoD would run network control centers and manage the high performance LANs and WANs that are necessary to access the Internet from DoD controlled client computers. The consequence of pursuing such policies would be a hybrid arrangement. It would lend itself to evolutionary migration while relieving DoD of the need to acquire the intellectual property for cloud operations. This would also avoid making huge investments in capital assets.
Another option is for DoD to hire a leading contractor to develop and build the required cloud capacity. The cost of such a program would exceed some of the largest weapon projects, with attendant risks. None of the existing IT contractors have the experience in building cloud operations. While DISA is trying to position itself as the provider of DoD computing, it would be burdened by the same limitations as IT contractors.
How hosted DoD clouds would function will require the institution of new policies. Here are a few guidelines:
1. Business applications and generic services such as e-mail, open source office applications, collaboration systems, calendars, etc. could proceed along lines that have already been established by GSA.
2. The concept of operations for applications that exclude warfare would be IaaS. Multiple vendors, each with several data centers, would offer hybrid and interoperable services. This would allow DoD to relocate applications as needed. DoD Services will continue to exercise control through component-specific methods.
3. The concept of operations for applications that include warfare, but not intelligence, would be PaaS. DoD Services would continue to exercise control through component-specific operations except that databases will not be hosted commercially.
The shifting of the cost for cloud software and for cloud capital from DoD to secure commercial vendors offers a path by which security can be increased while costs are reduced.
To conceive of such a plan will require an oversight organization. With the relocation of the position of the Assistant Secretary of Defense for Networks and Information Integration from the Office of the Secretary of Defense to DISA (which is managed by USCYBERCOM), the accountability for the planning of network defenses is in place.
With the rising emphasis on cloud computing as the solution to security while budgets are shrinking, the need for action is here.