Remote sites such as Army bases, ships afloat or expeditionary forces present challenges in how DoD architects the delivery of enterprise-wide computing services. Management complexity, inadequate infrastructure and a lack of administrative resources prevent DoD from operating a consistent, scalable and secure computing and communication service. Placing virtualized “edge servers” at thousands of local DoD installations should be the preferred way of dealing with these issues.
Most of the existing DoD computing power now resides outside of DISA’s mega centers. Geographically distributed servers and desktops have been hard to manage, difficult to protect, and costly to maintain. When new computing facilities are needed, they must be obtained through headquarters, causing lengthy turnaround times for acquiring added capacity. Inconsistent hardware platforms and operating system variants make it impossible to provide enterprise-wide support for applications. Limited local budgets inhibit investment in business continuity solutions or in redundant hardware, which increases downtime. Consequently, the management of distributed computing is performed by hundreds of subcontractors who lack the funding to conform to increasingly costly security policies. Meanwhile, local site management has an incentive to requisition excessive capacity for its computing needs. As a result, assets can be under-utilized and sites over-staffed in some places while service quality suffers in others.
By deploying virtualized copies of servers to remote sites (to the “edge”) while managing the master virtual machines centrally, organizations can leverage existing data center resources, reducing cost and downtime. Administrators at network control centers can deploy copies of servers as well as desktops, in the form of virtual machines, across thousands of sites in minutes to respond to local needs. Administrators can also apply remote management methods to monitor and maintain high levels of service across multiple remote and branch offices, including patch management, which reduces local needs for specialized personnel. Under conditions of failure the central administrators can relocate any virtual computer to a back-up site, thus eliminating both scheduled and unscheduled downtime. Security protection that is hard to maintain locally can then be administered centrally, so that rapid responses to new security threats are distributed to every “edge” location instantly.
By managing thousands of distributed servers at remote sites, the central staff can minimize on-site setup and trips to remote locations, which are often hard to reach. Servers and desktops can be upgraded, patched and backed up from the enterprise-level network control centers, increasing success rates while reducing testing costs.
Though different “edge” servers will host different virtual machines, each with a different mix of applications, templates will be available for the distribution of copies of virtual machines in order to preserve consistent ways for managing widely dispersed operations. Establishing a limited number of standardized deployment platforms across DoD will simplify troubleshooting, patch management, hardware refresh cycles, upgrades, migrations and support of legacy operating systems.
With thousands of DoD “edge” locations, each operating location will run only a limited number of applications. Consequently, security will be greatly improved. Security compromises from insiders will be restricted to only a small number of exposures. It will be hard to launch an insider attack from an “edge” server against data centers. Better equipped and expertly staffed defenders at the data center will detect unauthorized access automatically.
When hardware fails on the “edge”, the network control center can rapidly recover and restart virtual machines at an alternative site, thereby reducing unplanned downtime. Since all virtual computers are encapsulated as complete systems, it is easy to replicate an entire “edge” set-up from the datacenter. Unlike a physical environment, a virtualized remote operation does not need to duplicate the remote office infrastructure in the datacenter for disaster recovery. All that is needed is for DoD to have the capacity to host virtual machines and a recent copy of what was contained in an “edge” installation.
“Edge” servers can also be constructed as plug-and-play virtual appliances for rapid deployment. The software at a new site should boot in a matter of minutes. Not only does this decrease the time it takes to start up remote offices, but it also decreases potential support issues related to incorrectly configured software or hardware. Ultimately DoD should have the capacity to set up a new “edge” server operation as quickly as it takes to set up a source of power supply – in a matter of hours and not weeks or months.
In distributed deployments of DoD systems to the “edge”, losing Wide Area Network connectivity to the data center will not disrupt business operations at the “edge” location. Because the basic functions of virtualization are already included in the “edge” server, it will continue to run without interruption. The virtual software will continue to protect the local users’ client devices until operations are automatically restarted and re-synchronized once the connection is re-established. This capability is critically important under combat conditions, on ships at sea or when a cyber-attack succeeds temporarily.
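The control-plane behaviour described in the paragraphs above (central master templates pushed to sites that run only an authorized set of applications, failover from the datacenter’s most recent copy, and continued local operation while the WAN is down) can be modelled in a few dozen lines. The following is an added illustration, not code from the original post or from any DoD or DISA system; the `ControlCenter`, `EdgeSite` and `Template` classes, the site names and the byte strings standing in for VM images are all constructed for this example. One detail worth noting is that an edge site verifies the digest of each template copy against the value the control center announced before deploying it, and refuses templates it is not authorized to run.

```python
"""Constructed model of central template distribution to virtualized edge sites."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Template:
    """A master VM template; `image` is a constructed stand-in for a disk image."""
    name: str
    version: int
    image: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class EdgeSite:
    name: str
    allowed_apps: frozenset                       # the limited application set this site may run
    wan_up: bool = True
    vms: dict = field(default_factory=dict)       # template name -> (version, digest)
    pending: list = field(default_factory=list)   # template names pushed while the WAN was down
    rejected: list = field(default_factory=list)  # (template name, reason)

    def receive(self, template: Template, expected_digest: str) -> bool:
        """Deploy a copy only if it is authorized here and matches the announced digest."""
        if template.name not in self.allowed_apps:
            self.rejected.append((template.name, "not authorized for this site"))
            return False
        if template.digest() != expected_digest:
            self.rejected.append((template.name, "digest mismatch"))
            return False
        self.vms[template.name] = (template.version, expected_digest)
        return True

    def serving(self) -> bool:
        """Locally hosted VMs keep serving users whether or not the WAN is up."""
        return bool(self.vms)


class ControlCenter:
    def __init__(self, backup_capacity: int):
        self.templates: dict = {}      # master copies, by name
        self.sites: dict = {}
        self.snapshots: dict = {}      # site name -> its VM set at the last successful sync
        self.backup_capacity = backup_capacity   # VMs the backup site can host
        self.backup_hosted: dict = {}  # site name -> VMs restarted at the backup site

    def publish(self, template: Template) -> None:
        self.templates[template.name] = template

    def register(self, site: EdgeSite) -> None:
        self.sites[site.name] = site

    def push(self, site: EdgeSite, template: Template) -> str:
        if not site.wan_up:
            site.pending.append(template.name)    # delivered at the current version on resync
            return "queued"
        ok = site.receive(template, template.digest())
        self.snapshots[site.name] = dict(site.vms)   # the "recent copy" used for failover
        return "deployed" if ok else "rejected"

    def rollout(self, template: Template) -> dict:
        """Push one template version to every site authorized to run it."""
        return {s.name: self.push(s, template)
                for s in self.sites.values() if template.name in s.allowed_apps}

    def reconnect(self, site: EdgeSite) -> list:
        """WAN restored: deliver queued pushes, then resynchronize the snapshot."""
        site.wan_up = True
        delivered = [n for n in dict.fromkeys(site.pending)
                     if self.push(site, self.templates[n]) == "deployed"]
        site.pending.clear()
        return delivered

    def failover(self, site_name: str) -> dict:
        """Edge hardware failed: restart its VMs at the backup site from the last copy."""
        snapshot = self.snapshots.get(site_name, {})
        in_use = sum(len(v) for v in self.backup_hosted.values())
        if in_use + len(snapshot) > self.backup_capacity:
            raise RuntimeError(f"backup site lacks capacity to host {site_name}")
        self.backup_hosted[site_name] = dict(snapshot)
        return self.backup_hosted[site_name]


def demo() -> dict:
    """Walk through a patch rollout, a WAN outage, a tampered copy and a failover."""
    center = ControlCenter(backup_capacity=4)
    mail_v1 = Template("mail", 1, b"mail-image-v1")              # constructed images
    logistics_v1 = Template("logistics", 1, b"logistics-image-v1")
    center.publish(mail_v1)
    center.publish(logistics_v1)
    base = EdgeSite("base-alpha", frozenset({"mail", "logistics"}))
    ship = EdgeSite("ship-bravo", frozenset({"mail"}))
    center.register(base)
    center.register(ship)
    center.rollout(mail_v1)        # both sites
    center.rollout(logistics_v1)   # base only; the ship is not authorized for it
    ship.wan_up = False            # a patched mail template goes out during the outage
    mail_v2 = Template("mail", 2, b"mail-image-v2")
    center.publish(mail_v2)
    patch_results = center.rollout(mail_v2)
    ship_version_offline, ship_serving_offline = ship.vms["mail"][0], ship.serving()
    delivered = center.reconnect(ship)
    tampered = Template("logistics", 1, b"logistics-image-v1-altered")   # altered in transit
    tampered_accepted = base.receive(tampered, logistics_v1.digest())
    restored = center.failover("base-alpha")   # base hardware fails
    return {"patch_results": patch_results, "ship_version_offline": ship_version_offline,
            "ship_serving_offline": ship_serving_offline, "delivered": delivered,
            "ship_version_after": ship.vms["mail"][0], "tampered_accepted": tampered_accepted,
            "base_rejected": base.rejected, "restored": restored}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The snapshot taken at each successful push is what makes the failover possible without duplicating the remote infrastructure, and it is also the caveat: a site that fails while its WAN is down is restored from the last copy the center received, not from its current state.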
Summary
DoD, with its varied and diverse operations, must find a cost-effective solution that will scale with the rapidly changing needs of cyber operations. With the virtualization of application packages to “edge” locations, DoD will be able to improve security while managing its complex environment. The new architecture that places most of DoD’s processing on the “edge” can deliver flexibility, availability and protection.
For comments please e-mail paul@strassmann.com