FROM: U.S. DEPARTMENT OF DEFENSE
DOD Information Technology Evolves Toward Cloud Computing
By Claudette Roulo
American Forces Press Service
WASHINGTON, Jan. 14, 2013 - The Defense Department's information technology infrastructure is on a journey of consolidation, standardization, security and access, the Defense Department's principal deputy chief information officer told attendees at a cloud computing panel discussion today.
The department is reducing the number of data centers from about 1,500 to "a number far below that," Robert J. Carey said, and is implementing a coherent and consistent architecture across thousands of computing environments.
This process is taking place in part because of the current era of fiscal austerity, but also because it makes sense when it comes to securing data within the network, Carey said.
In addition, DOD, along with much of industry, is shifting toward a cloud computing posture: the collection of data and use of related computing services via remote servers accessed through the Internet. Cloud computing isn't without its risks, Carey said, but the department is moving the paradigm of security from the infrastructure to the data layer. This includes continuous monitoring and cryptography, he added.
Concentrating on securing data, rather than an entire network, is "a big shift for a big engine like DOD," Carey said.
As the department implements the joint information environment and delivers a consistent computing architecture -- which Carey noted the department does not yet have -- security becomes the discriminating factor, he said. "The access, the cost -- all those facets of the efficiency of cloud computing -- if it isn't secure enough, it will not serve us well," he added.
Carey said the way the intelligence community secures data on its networks can serve as a model for the Defense Department's joint information environment. "I look at the [intelligence community] and its transformation, and I look at [the joint information environment] and the DOD transformation, and they are very aligned," he said.
There are differences between the two communities, he said. The intelligence community doesn't have to accommodate heterogeneous data security requirements, Carey said, and the network construct within DOD is different. "We're just a little more complex," he said. "But we are working on a plan with them to take the applicable lessons learned ... into our world."
The cloud is secure today, Carey said, but only for certain types of data. In its move to cloud computing, he said, the problem the department faces is progressing from its legacy systems into an up-to-date information environment in an era of cost constraints.
"We're moving at a very deliberate pace," Carey noted. "We have lots of [pilot programs] going on to evaluate these kinds of things and to make sure we understand both the pros, cons and risks of moving into the cloud space."
Whether the department is ready to forge ahead on implementing a new information technology infrastructure hinges on whether it also is ready to make a cultural shift, he said.
"We have to take advantage of what commercial technology is bringing us, but at the same time, make sure that the people that actually ... acquire it for us are able to do so," Carey said.
The DOD IT community tends to try and avoid risk entirely rather than conduct risk management, he said, which is a problem given the rapid pace of information technology development.
"The acquisition corps is working on creating that workforce that's able to understand how fast industry is moving and proceed with a risk-management approach vice a risk-avoidance approach," he said.
Measuring risk in the cloud and the costs of risk response is a difficult task, Carey noted.
"At the end of the day, the metrics of cloud security are, at best, nebulous," he said. It isn't always easy to describe the relationship between risk reduction and purchasing, he added, but it's important for the information technology community to try.