DHS cloud computing: Homeland Security’s model private cloud strategy
October 5, 2011
The Department of Homeland Security (DHS) has launched a cloud computing strategy that could serve as a model for other federal agencies — especially those whose managers are still losing sleep over possible security risks associated with the cloud…
DHS is in the process of establishing private cloud services to manage sensitive data as part of its effort to consolidate more than 40 data centers into two enterprise data centers at separate locations. One data center, located at NASA’s Stennis Space Center in Mississippi, is managed by Computer Sciences Corp. The other, in Clarksville, Va., is owned and operated by Hewlett Packard.
“We are hosting our private cloud services out of those two centers,” said DHS Chief Information Officer Richard Spires. “They back up each other so we have redundancy where we need it for mission-critical applications. If one were to go down, we could shift mission-critical operations from one to the other.”
The DHS cloud computing initiative is moving nine different services to its private cloud, including legacy email systems, collaboration environments that improve information sharing, and authentication services across the department.
The department’s private cloud model, using two commercially managed data centers — one of which is located at a government-owned facility — offers the strong sense of security and control provided by a private cloud, but also stands to yield the cost savings expected from a public cloud.
“I feel very comfortable that our private cloud services are just as secure as our other applications that live within our data centers and are not part of our private cloud services,” Spires said. At the same time, “all those services [are] priced as if we went through a publicly based cloud. So we buy the email on per email box basis, just as if we went to an Amazon or Microsoft or something on the outside.”
In a white paper about cloud computing on the federal CIO Council’s website, Spires said “early projections” put DHS cost savings at 8% to 10% once the transition to private cloud services is complete. “Not only does the move to our private cloud model eliminate redundancy and reduce costs, it also bolsters information security,” he said.
Spires advised managers at other federal agencies who are migrating applications or services to a private cloud — or who are considering it — to work with their chief information security officers to integrate security standards into their private cloud services.
“What we’ve done [is to] set up a set of standard controls that have been endorsed by our CISO, Bob West, for our private cloud” under Federal Information Security Management Act requirements, he said. FISMA classifies federal systems into low-, medium- and high-risk categories, each level having its own requirements.
A second part of the department’s cloud computing strategy involves moving its public-facing websites to public clouds over the next few years. Through a General Services Administration procurement vehicle, DHS recently awarded its first task order to migrate the department’s non-sensitive, public-facing websites to a public cloud provider, Spires said.
“We hope to take more advantage of public cloud-based services as we get more comfortable with the security model and feel comfortable that we can start to migrate some of our sensitive data to a public cloud,” he said. “Right now, we essentially want to cut our teeth on using our outward facing websites since there’s no sensitive data on those sites.”