Through two big cloud initiatives — Cloud One and Platform One — the Air Force aims to establish secure hosting and development environments. We get the lat...
On joining the Air Force, Bonci was enthusiastic. “It’s an honor to be here,” he said. “These are some of the most exciting and amazing mission sets. People that I get to work with are incredibly dedicated. And so I love coming to work today. I love being able to support people who are out there in harm’s way.”
Getting to the business at hand, Bonci said Cloud One is about to add to its roster of cloud service providers. Google Cloud and Oracle Cloud will become available through Cloud One brokering, joining Amazon Web Services and Microsoft Azure. Bonci said the expansion would be “transformative in its breadth and scope.”
At the same time, the Air Force IT operation plans to expand the capabilities of a companion project known as Platform One. That’s a secure development and runtime environment that “allows you to write and harden your code once and to be able to ship it out to all the different classifications and weapon systems that are available.”
Platform One operates on top of Cloud One and in the Air Force’s own data centers. Via Cloud One, Platform One interacts with commercial clouds, Bonci said. It is from Platform One that Air Force-developed applications obtain their Authority to Operate (ATOs) and the portability code that lets them run on various clouds.
Over the past couple of years, the Air Force has set up the business processes for Cloud One and taken in early adopters from around the department, Bonci said.
Now, “we are in a process of maturation,” he said, adding, “We’re moving into a phase of finding that next tranche of applications and the continual improvement of the scalability of Cloud One, just to understand how we can take on two or 3,000 more applications.” He estimated the Air Force manages 10,000 applications and not all will be appropriate to move to the cloud. Many will be retired altogether.
Bonci is also working on a more comprehensive business case to get buy-in from components who own that next tranche. They’re used to having the major commands (MAJCOMs) pay for data center operations but will have to pony up for hosting individual applications in the cloud.
Having robust core services available is part of the case. Besides direct cloud costs, applications in the next tranche are likely to need work so they’re cloud-compatible, Bonci said. The return on that investment is also part of the case.
But ROI alone is insufficient, Bonci added. “If your return on investment is only financial and not for things like risk reduction or future velocity, then yeah, it’s going to be hard to make the case.”
Bonci said the Cloud One office, at Hanscom Air Force Base in Massachusetts, seeks to tailor the cloud migration pathway for each application, depending on its characteristics.
“The Cloud One Office is able to work with an application to help make the call,” he said. For example, it might steer a dot-net application using SQL Server to Azure, and a Java application to AWS. In one case, a legacy application was moved to the cloud because an emulation program was available.
“The Cloud One onboarding process works with those applications,” Bonci said. “They have migration support on contract. Or you can bring your own migrator if that meets your financial goals.”
Cloud One works with applications not only on the technical side but also to help owners understand cloud costs. Many owners might be dealing with a commercial cloud for the first time, after having hosted their applications on an Air Force mainframe until the migration. Together, the capabilities “allow us to work with an application — tailor it, help to understand its journey, help to understand even subtle things like how do you budget for the cloud costs,” Bonci said.
Some applications will continue to require local hosting, Bonci said. For example, he cited a signal processing application on a server in Germany. Because of latency and telecommunications costs, “you can’t backhaul that to a U.S. cloud.” Like the other armed services, the Air Force also has a process for hosting applications on compact field servers.
“By and large, there is a path to cloud for a majority of applications,” he said. Either way, he added, the Air Force must have visibility into all of its applications.
The ATO process (not to be confused with air tasking order) has typically slowed down the deployment of new systems. Organizations throughout the Defense Department have been developing ways to automate ATO requirements, such as documenting the security controls in an application so they can achieve a state of continuous ATO as they develop software modules.
A challenge for the Air Force, Bonci said, is harmonizing the ATO strategies for Cloud One and Platform One. He characterized both as adding value to applications.
“Cloud One provides a large number of controls, based upon the cloud foundations and the cloud guardrails,” Bonci said. “Platform One provides a good deal of the underlying technical infrastructure to move toward a continuous ATO.” Aaron Bishop, the new chief information security officer who recently joined the Air Force from the private sector like Bonci, is working on bringing the two ATO systems together.
“We’re looking at the role of these automation tools to be able to tell us about our risk posture because that’s what an ATO is supposed to do,” Bonci said. “It’s supposed to surface and help you manage risk, and we don’t treat it that way.”
With multiple clouds running multiple applications, the question of shared services and software as a service confronts Air Force IT practitioners. Bonci made the distinction between business functions such as human resources or retiree benefits systems and operational systems that must work in contested connectivity situations. The former can withstand the occasional interruption. Bonci said the Air Force treats those as what he called shared enterprise services and include things such email, encryption services, networking and access solutions.
The Air Force is working to reduce variability among MAJCOM software stacks by promulgating enterprise services, he said. This strategy will apply to services such as identity, credential and asset management and a zero trust networking initiative coming in 2023. The ultimate goal, he said, is to offer a library of ICAM and other security functions but a simplified and consistent set of processes across the Air Force.
“Transforming business processes is a difficult human element and will take some time,” Bonci said. “But the goal is exactly that — to have that library of functions that enable us to just simplify what we do.”
To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED