Computing in the Clouds
MIT 2008 Volume: 12 Issue: 10 (November)

WITH ITS AGILE, SCALABLE STRUCTURE, CLOUD COMPUTING CAN DELIVER ON-DEMAND QUALITY OF SERVICE ON EXISTING ENTERPRISE DOD AND INTELLIGENCE NETWORKS
BY Cheryl Gerber, MIT Correspondent
With its inherently agile, arbitrarily scalable structure, cloud computing can deliver on-demand quality of service, and a reduced carbon footprint, on existing enterprise DoD and intelligence networks. Its use by the Defense Information Systems Agency (DISA) will reduce operational expenses while providing users with fast, customized self-service. The Defense Intelligence Agency (DIA), meanwhile, is using cloud computing to meet increasing demands to process large data sets on networks more rapidly while realizing budgetary efficiency.
“Cloud computing leapt out as the most obvious way to address enterprise large data problems,” said Ken Pierce, IT Specialist with DIA-DS/C4ISR (Directorate for Information Management and CIO, Command, Control, Communications, and Computers, Intelligence, Surveillance, and Reconnaissance), who served on behalf of the under secretary of Defense (Intelligence), in partnership with the office of Assistant Secretary of Defense for Networks and Information Integration (ASD NII) John Grimes. “Working with Mike Moore as the ASD NII representative, we looked at six different initiatives scattered across the DoD and IC, each addressing pieces of the large data problem. Our charter was to collaborate in evaluating those six and distill them into one common strategy,” Pierce said.
“Speaking from the IC side of the house, streaming full-motion video from a Predator UAV or a satellite image are huge files to deal with in terms of storage, processing and transport to a soldier in motion,” he said.
Pierce and Moore considered storage clouds, data clouds for data management and computer clouds for computational services. “We settled on a layered approach, which is computing services, over data, over storage, to create a stack of cloud services in line with industry developments like Google and Amazon,” Pierce said.
Amazon’s Elastic Compute Cloud (EC2) is an early commercial example of cloud computing delivered over the Internet. EC2 provides a Web service interface to resizable compute capacity, so software developers can use Amazon’s servers and tools on a pay-as-you-go, as-needed basis without maintaining their own compute environment. Many companies view EC2 as a cloud computing platform. “EC2 is a good early commercial example of services-oriented infrastructure, or platform as a service, an offering for which users have self-service access to automatically provision IT resources,” said Robert Ames, director and deputy chief technology officer, IBM Federal.
“However, there are several flavors of cloud computing emerging, including software as a service, for which the provider gives the customer software to build applications, or process as a service for customer relationship management or fulfillment.”
Reliability is also a benefit. “The reliability enhancement from cloud computing helped us to overcome unplanned segmentation. On January 30 and February 1 of this year, when several undersea cables were cut in the CENTCOM Area of Responsibility near Alexandria, Egypt, there was unplanned cessation of data transport. With cloud computing, by doing some content staging—by storing or caching data nearer the user—we can mitigate the impact,” said Pierce.
However, a disadvantage is the added complexity of virtualization, which is inherent in cloud architecture. “When we virtualize in a cloud, it is more difficult to unwind the problem should it arise. As virtualization increases, logical complexity grows,” Pierce pointed out. “Good management of cloud computing requires centralized network operations and fortunately, DoD and the IC are well positioned here,” he said.
Virtualization uses software to present what the hardware does. Many software-based virtual machines are segmented inside one physical machine, and each virtual machine behaves as if it had the full capabilities of the hardware, although it actually shares the physical processor, memory and I/O with its neighbors. Virtualization makes more efficient use of hardware and saves energy, although it adds software complexity per physical computer.
Cloud computing has evolved from the use of virtualization in hosted storage and servers to utility computing, which packages data processing, storage and software resources in an on-demand, as-needed, metered service similar to a public utility. A primary benefit is economics. Because data centers must be sized for peak load, which occurs a minority of the time, they are underutilized most of the time, and the capacity and the cost of powering, cooling and maintaining them is largely wasted.
Utility computing lets customers rent capacity on an otherwise underutilized server, paying only for the computing they need when they need it, which saves the cost and reduces the carbon footprint of the power, maintenance and HVAC for a system of their own.
RACE SOLUTION
Two years ago, DISA began awarding contracts to vendors to build a utility computing solution called the Rapid Access Computing Environment (RACE), which streamlines the process of buying computing capacity and is now evolving into cloud computing. Hewlett-Packard, Cluster Resources, Apptis, Sun Microsystems and Vion have won contracts to provide the infrastructure, which includes HP’s ProLiant server blades, implementation services and on-site operations management using HP software, an IBM mainframe and an array of operating systems, starting with Windows and Red Hat Linux, later adding IBM AIX, HP-UX and Sun Solaris, among other platforms.
HP has provided managed services for DISA since 2005, in its pre-RACE environment. “It was a natural evolution for DISA to go from utility to cloud computing to provide DISA customers with quicker services. In the pre-utility environment, it took months with a request attached to an e-mail. Then, with utility computing, it took days to provision a hosting environment for a customer. With cloud computing, it takes only hours,” said Rick Fleming, a business consultant who was the DISA customer relationship manager at HP Federal Consulting and Integration.
DISA expanded RACE from utility to cloud computing by providing a Web-based portal for internal users, authenticated with a Common Access Card (CAC), with a shopping cart interface and subscription billing.
One of the challenges DISA faced was giving authenticated, credentialed users access to the system. However, the use of Army Knowledge Online (AKO) and Defense Knowledge Online (DKO) single-sign-on programs smoothed the path.
“By using the AKO, DKO security services that were already approved, we didn’t have to develop a separate authentication capability—just an interface to the existing one,” said Colonel Joe Means, RACE program manager at DISA.
DISA is also using the Global Information Grid (GIG) Federated Development and Certification Environment (FDCE) as part of an ongoing DoD, IC and Department of Homeland Security transformation to a merged, joint net-centric organization that works more collaboratively with common rules and standards on the GIG. “GIG FDCE provides the software tools loaded on top of the RACE infrastructure to be used by customers,” said Alfred Rivera, director of DISA’s computing service directorate.
For Linux developers on RACE, DISA provides the LAMP stack (Linux, Apache, MySQL and PHP or Perl scripting utilities), an open source toolkit for Website design and building, similar to the tools and utilities provided for Windows developers.
DISA launched Phase I of RACE in October. Phase I is the pilot, or test and development, program, introducing the foundation of the infrastructure, which includes the HP and VMware virtualized server environment with memory, storage and a choice of the Windows or Linux operating system stack. “It’s a self-service, a la carte menu,” said Rivera.
The biggest initiative in Phase I will be to grow to a Phase II secure production environment in the Defense Enterprise Computing Center. “In Phase II, you have actual users of the services across DoD who are using those applications,” said Rivera. “Phase II will introduce optional storage services for additional software development and backup of data, the Solaris environment and an early version of Linux on an IBM mainframe.”
Once DISA launches Phase II of RACE in full production mode, it will serve a potential user base of 3 million DoD personnel, allowing them to submit their computing needs and gain access to a fully functional environment.
RESOURCE SCHEDULING
To establish this new model of computing, software is needed to manage the added complexity. In August, for example, DISA purchased Cluster Resources’ Moab Utility and Hosting Suite to run on HP systems in RACE. Moab provides policy-driven, on-demand provisioning of computing resources with optimized scheduling of requests.
“Moab requests dynamic modifications to all server farms and data centers. It understands not only the current state of the system but also the future states of the system and the impact that decisions will have on those future states,” said Dave Jackson, chief executive officer of Cluster Resources.
“If there is a network or storage failure, Moab can auto-detect and replace resources instantly so the system can continue to run uninterrupted. Moab Adaptive takes steps to prevent problems that would violate a service level agreement (SLA) in the future by using adaptive technology to repurpose resources in order to prevent an SLA violation,” said Jackson.
Personnel using RACE will use a customized version of Moab Access Portal for Clouds to request resources graphically from anywhere with Web access. The portal interfaces with Moab Cloud Service, which analyzes data collected from HP and government tools to evaluate resource availability, enforce SLA constraints, validate payment, then orchestrate the environment.
DoD and DISA are also deploying CollabNet’s Cubit 2.0, an application life cycle management product that simplifies global collaboration on software development. “Cubit provisions the servers and virtual machines that are used for the build and testing of software and provides cost accounting of usage. It uses the leading virtualization product, VMware ESX, to provision virtualized machines. Cubit Manager is the central orchestration engine to provision a Windows, Linux or Solaris machine,” said Mike Kochanik, CollabNet vice president of worldwide market development in the company’s virtualization and infrastructure practice.
Cubit typically adds three virtual servers to each physical machine, putting to use the roughly 80 percent of capacity that would otherwise sit idle. “It renders the return on investment of the server three times higher,” said Kochanik. “In addition, operational expenses receive improved ROI as the cost of power, cooling and administering these servers is shared by the addition of virtual servers,” he said.
Kochanik stressed the growing importance of reducing the carbon footprint of servers. “We’ve seen studies that show the three-year cost of electricity per server will exceed the purchase cost of the server by 2009,” he said.
HYBRID APPROACH
Apptis, a leading federal integrator with an existing managed service contract with DISA, is developing what it calls a hybrid approach to cloud computing, which repurposes a customer’s existing, internal infrastructure that is underutilized to render it more efficient by cloud-enabling its applications. Apptis is also exploring an external cloud offering, for which the solution would be located outside the customer’s domain but supplied by a trusted federal provider in compliance with security mandates.
“We have seen the need for cloud computing when a client has an existing infrastructure and all of a sudden, there is massive demand on the application, whether it is Web-based or transaction-based, and the client’s existing infrastructure is not capable of supporting the surge,” said Tim May, Apptis senior vice president of corporate development. “That’s where we are seeing them contemplate the use of existing internal resources combined with an external cloud that is trusted and complies with federal needs for security,” he said.
Implementing cloud computing is mostly about the software. “You don’t have to change the hardware architecture to take advantage of an external cloud. You have to evaluate applications to see if they are cloud-ready and potentially cloud-enable them,” said Phil Horvitz, Apptis chief technology officer.
One of the chief enablers of cloud computing is service-oriented architecture (SOA), which allows applications to share data. But there is a difference between the structure of SOA and cloud computing. “The goal of SOA is to break monolithic applications into applet services so that you can reassemble them to meet different needs without having to recreate functions,” said Herb Kelsey, managing director, SBU (Sensitive but Unclassified) advisers. “This allows you to be more specific about quality of service.
“The goal of cloud computing is to decouple the application itself from the infrastructure to redefine how an application meets a specific quality of service,” Kelsey said. Another big driver of cloud computing is the promise of peta-scaling, that is, handling petabytes of data, on the order of a trillion kilobytes. “Cloud computing holds the promise of extending scalability out to ever greater levels. It has a deep sense of scalability and flexibility at once, with three to six orders of magnitude of difference between what we’re used to handling and where we’re headed—from giga-scale to peta-scale,” said Bob Lozano, chief strategist and founder of Appistry.
To help move toward peta-scale cloud computing, IBM and Google are working together to provide cloud infrastructure to universities to broaden the skill base in the massively parallel programming methods used widely in Web 2.0 applications. They are using Hadoop, an open source platform inspired by Google’s MapReduce programming model and Google File System, to accomplish computing at massive scale.
“We view Hadoop as the key enabler, driven by the shared innovation of IBM, Yahoo and others in the open source software community, who are optimizing the platform to ingest and present information effectively in the petascale,” said Ames.
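The programming model the two preceding paragraphs refer to, shown as an added example in Python that is not code from the article, from IBM, Google or the Hadoop project: a map phase emits (key, value) pairs from input records, a shuffle routes each key to one reducer, and the reducers aggregate. The input records (per-sensor imagery chunks with their sizes) are constructed for this example; the sensor names and the record format are assumptions.

```python
import zlib
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample input, not data from the article: one line per stored
# imagery chunk, formatted "sensor,chunk_id,bytes". The last line is
# deliberately malformed to show that one bad record does not kill the job.
SAMPLE_RECORDS: List[str] = [
    "predator-uav-07,chunk-0001,2048000",
    "predator-uav-07,chunk-0002,2100000",
    "satellite-ge1,tile-a1,512000",
    "satellite-ge1,tile-a2,530000",
    "satellite-ge1,tile-a3,515000",
    "predator-uav-07,chunk-0003,1990000",
    "bad record without fields",
]

Key = str
Value = Tuple[int, int]  # (chunk_count, total_bytes)


def map_record(line: str) -> Iterator[Tuple[Key, Value]]:
    """Map phase: parse one input line and emit (sensor, (1, bytes)).

    Malformed lines are skipped; in a real job they would be counted, not
    allowed to abort a run over petabytes of input.
    """
    parts = line.split(",")
    if len(parts) != 3:
        return
    sensor, _chunk_id, size = parts
    try:
        nbytes = int(size)
    except ValueError:
        return
    yield sensor, (1, nbytes)


def partition(key: Key, num_reducers: int) -> int:
    """Route a key to a reducer. Uses crc32 rather than Python's hash(),
    whose seed is randomized per process, so every mapper on every node
    sends a given key to the same reducer."""
    return zlib.crc32(key.encode("utf-8")) % num_reducers


def shuffle(pairs: Iterable[Tuple[Key, Value]],
            num_reducers: int) -> List[Dict[Key, List[Value]]]:
    """Shuffle phase: group mapper output by key into per-reducer buckets."""
    buckets: List[Dict[Key, List[Value]]] = [defaultdict(list) for _ in range(num_reducers)]
    for key, value in pairs:
        buckets[partition(key, num_reducers)][key].append(value)
    return buckets


def reduce_values(key: Key, values: List[Value]) -> Tuple[Key, Value]:
    """Reduce phase: sum the counts and the byte totals for one key."""
    count = sum(c for c, _ in values)
    total = sum(b for _, b in values)
    return key, (count, total)


def run_job(records: List[str], num_mappers: int = 2,
            num_reducers: int = 2) -> Dict[Key, Value]:
    """Run the whole job in-process. Each input split and each reducer bucket
    would be a separate task on a separate node in a real cluster; the result
    is independent of how many mappers and reducers are used."""
    splits = [records[i::num_mappers] for i in range(num_mappers)]
    mapped: List[Tuple[Key, Value]] = []
    for split in splits:
        for line in split:
            mapped.extend(map_record(line))
    results: Dict[Key, Value] = {}
    for bucket in shuffle(mapped, num_reducers):
        for key, values in bucket.items():
            k, v = reduce_values(key, values)
            results[k] = v
    return results


if __name__ == "__main__":
    for sensor, (count, total) in sorted(run_job(SAMPLE_RECORDS).items()):
        print(f"{sensor}: {count} chunks, {total} bytes")
```

The value of the model is that the mapper, partitioner and reducer are each stateless functions of their own input, so the framework can place thousands of copies of them next to the data and rerun any one that fails without affecting the others.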
Appistry offers a linchpin technology for cloud computing, the Enterprise Application Fabric (EAF), a cloud application platform for rapidly developing and managing large-scale, self-healing cloud applications on commodity hardware. GeoEye, the commercial satellite remote sensing company, uses EAF to process mission-critical satellite imagery at volume and scale.
CLOUDY FUTURE
Despite all these developments, however, cloud computing still has a long way to go. As with any new technology, there are no standard methods of interoperating between clouds, nor are there best practices for migrating applications to cloud environments. “The Network-Centric Operations Industry Consortium (NCOIC) is now taking an interest in developing these areas. The NCOIC recently formed an Enterprise Cloud Computing group to address current mission requirements and to identify key areas of concern,” said Kevin Jackson, director, business development at Dataline, a cloud computing integrator.
Although DoD and the IC have a strategic advantage using secure private clouds, as a result of a strictly enforced security policy, the use of public clouds presents a risk. “Hackers have long experience with cloud computing, using this model to exploit malware as a service, such as a botnet, which builds the cloud by propagating across unsuspecting computers. In fact, botnets are nothing more than cloud architecture,” said the DIA’s Pierce.
But even internally, security with this new technology is an issue. “Cloud computing puts a strain on current security processes, since the cloud infrastructure is dynamic and not directly associated with the applications,” said Kelsey. “The current way to get security approval is to state exactly what hardware and applications need approval. You can’t do that with the cloud because the infrastructure is always changing to constantly meet changing mission demands,” he said.
As a newly emerging technology, no guidelines have been established. “The real question is: Where is the cloud STIG—the Security and Technical Implementation Guide? That’s what we have for wireless and other technologies, and we will need a similar guidance document for cloud computing,” Kelsey said.
“It is true that the chief impediment to the further growth of cloud computing is policy. But that changeable environment is even harder to write policy for because the policy has to be written to manage risk by balancing it with mission needs dynamically and globally,” said Jackson.
DoD policies will need to be updated to take full advantage of cloud computing. One example is the certification and accreditation (C&A) process by which computers are allowed to be used on any DoD network. “C&A was designed to certify and accredit a single application. It needs to be augmented to accommodate SOA and cloud computing, as the current C&A doesn’t include the infrastructure but focuses on the software,” said CollabNet’s Kochanik.
A policy upgrade also could abet the process of transforming to a merged net-centric organization that works collaboratively with common standards on the GIG.
“Current policies were written at a time when applications were built and deployed on isolated networks, or black box networks, so the policy has to change to be more inclusive of network-centric concepts,” said Kochanik. ♦
ON THE ROAD WITH CLOUD COMPUTING
Even as cloud computing gains popularity, users must continue to address cyber-related threats and the security implications of remote access. One company addressing these threats is Nortel Government Solutions (NGS), with its Secure Portable Office (SPO).
NGS’s SPO and VPN Gateway underpin this shift toward a mobile work force. The NGS VPN Gateway is a secure access network appliance that uses SSL VPN technology to connect remote users to protected applications and data. Because access is browser-based and secured by SSL, the VPN Gateway allows access from any PC without pre-installed software on the end point. The VPN Gateway includes security controls that protect networks against malware originating from end-user devices, as well as controls to prevent retention of confidential information on privately owned PCs.
The combination of clientless access with security controls makes the SPO well suited to delivering secure access to users connecting from unmanaged PCs outside the enterprise.
The SPO:
• Uses a USB stick as a portable client environment to launch a personalized suite of enterprise applications on any Windows PC.
• Protects the temporary work environment.
• Forensically wipes its temporary data from the host PC and leaves no trace or presence.
• Is built around new functions of Nortel VPN Gateway and can be easily activated within a current VPN Gateway.
The SPO and VPN Gateway support digital certificate-based authentication and authorization, including CAC-based systems. The VPN Gateway combines VPN access with smartcard authentication using USB-compatible flash memory/smartcard tokens. The smartcard token is a CAC-compliant smartcard with an integrated card reader, so the user does not need a separate reader to use the CAC credential. This augments the currently deployed CAC/PIN system.
Further, the smartcard token does not require the user to install new drivers or have administrative rights on the host PC, so it is fully portable. The NGS SPO token includes a lightweight VPN client that automatically establishes the CAC-authenticated session with the VPN Gateway. VPN Gateway policy controls grant access to the applications and resources authorized for that user, at the time of connection and based on security checks of the host PC. The user is presented with a clear menu of choices (such as OWA or other selected applications) from the USB client. The NGS SPO token is accounted for in the same manner as a STU-III key, requiring personal control but not cryptographic-level protection.
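The access decision described above, a user’s entitlements gated by host posture checks at connection time, as an added example in Python that is not code from the article or from Nortel’s product. The user names, the application names other than OWA, the posture check names and the policy tables are all assumptions constructed for the example; the point it shows is that the decision fails closed: no CAC-authenticated session yields no applications, and a check the client did not report is treated the same as a failed check.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical policy tables constructed for this example. The article names
# only "OWA" as a menu item; every other application and check name is assumed.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "j.doe": frozenset({"owa", "fileshare"}),
    "a.smith": frozenset({"owa"}),
}

# Host posture checks an application requires before the gateway offers it.
REQUIRED_POSTURE: Dict[str, FrozenSet[str]] = {
    "owa": frozenset({"spo_client_running"}),
    "fileshare": frozenset({"spo_client_running", "cache_wipe_armed",
                            "no_local_retention"}),
}


@dataclass
class Session:
    user: str
    cac_authenticated: bool      # did the smartcard token establish the session?
    posture: Dict[str, bool]     # check name -> result reported by the USB client


def authorize(session: Session,
              entitlements: Dict[str, FrozenSet[str]] = ENTITLEMENTS,
              required: Dict[str, FrozenSet[str]] = REQUIRED_POSTURE
              ) -> Tuple[List[str], Dict[str, str]]:
    """Decide which applications appear on the user's menu for this connection.

    Returns (allowed apps, {denied app: reason}). Fails closed on every path:
    an unknown user has no entitlements, a session not authenticated by the
    CAC gets nothing, and a posture check missing from the client's report
    counts as failed rather than as passed.
    """
    apps = sorted(entitlements.get(session.user, frozenset()))
    if not session.cac_authenticated:
        return [], {app: "no CAC-authenticated session" for app in apps}

    allowed: List[str] = []
    denied: Dict[str, str] = {}
    for app in apps:
        # .get(check, False): an unreported check is a failed check.
        failed = [check for check in sorted(required.get(app, frozenset()))
                  if not session.posture.get(check, False)]
        if failed:
            denied[app] = "posture check failed or not reported: " + ", ".join(failed)
        else:
            allowed.append(app)
    return allowed, denied


if __name__ == "__main__":
    # Constructed session: the client reported two of the three checks that
    # the file share requires, so only OWA is offered.
    s = Session("j.doe", True, {"spo_client_running": True, "cache_wipe_armed": True})
    print(authorize(s))
```

Re-evaluating this decision at every connection, rather than caching it per user, is what lets the same person be offered more on a managed desktop than on a hotel business-center PC.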
Additionally, SPO provides an innovative approach to securing remote access that leverages advances in portable flash memory technology with SSL VPN. A flash memory token equipped with NGS’ SPO software client is all an end user needs to securely connect from any PC.
SPO features and benefits include strong two-factor authentication; single sign on; easy provisioning and easy maintenance; client-server application support; advanced security features; and comprehensive application support.
As the network perimeter becomes more porous, and viruses, Trojan horses, worms and other security threats appear with ever-mounting frequency, enterprises are increasingly applying security controls to laptops, desktops and handheld endpoints. Endpoint security and policy compliance are at the forefront of every IT administrator’s agenda, and even more so where the reliability and integrity of government networks, data and applications are at stake. ♦