Quite a few federal computing imperatives come into play when Defense agencies make a decision to move an application or a set of services to a commercial cloud service provider, or to multiple providers. Operators have compliance issues, just as with the FedRAMP program or some domain-specific requirement such as HIPAA. Data classification means security and network architecture decisions deserve a lot of thought. There’s also the need to think about disaster recovery and continuity of operations.
These multiple requirements “can add a [lot] of different layers to the complexity of a cloud migration task,” said Jeff Luckett, technical lead for the Naval Research and Development Establishment (NRDE) cloud contract at GDIT.
In a talk for the DoD Cloud Exchange, Luckett said that any cloud migration must proceed from a careful selection of the application and the data associated with it, measured against the compliance and security requirements it might have. He said GDIT has built a series of frameworks that aid migration in part by automating security processes such as vulnerability scans and host intrusion prevention.
With what Luckett called inheritance models, GDIT can speed deployment by shortening and automating the authority-to-operate, or ATO, process. The company’s brokerage model abstracts many of the cloud-specific security services required for an ATO.
“That is a big push in the cloud brokerage space, where a master account will actually control a lot of different accounts under it. Through that control, they’re exerting policies that enforce best practices down to the program cloud accounts. So that leaves the programs less to worry about on the security front,” Luckett said.
The NRDE in general, and Naval Information Warfare Center (NIWC) Pacific in particular, are working with GDIT to get the inheritance models, automated ATO and application of security policies to work with the Navy’s DevSecOps output, Luckett said.
“We’ve been working very closely with the cybersecurity representatives all the way up and down the chain, to make sure that we’re getting the right information out of tool chains for software-building security,” he said. “So that these programs can benefit across the board, we’re trying to knock out that 90% of the mundane work that goes along with” security assurance and code testing.
The Navy and GDIT have also been collaborating on a telework initiative, Luckett said, resulting in a remote desktop application for NIWC Pacific.
“That kind of revolutionized how we do development with them, because that really broadens the labor pool and the accessibility of the system and the network,” Luckett said.