The Defense Department's needs are diverse and have become even more disparate amidst the post-SolarWinds landscape.
The Pentagon’s abandonment of the Joint Enterprise Defense Infrastructure, or JEDI, contract was an anticlimactic demise for the once visionary single-cloud network.
As far back as 2019, the Defense Department acknowledged that 10% of its cloud would stay with Amazon Web Services and Google, but on paper JEDI’s benefits were clear. It would have been a streamlined, unified approach for DOD’s unclassified and classified networks. Teams would only have to understand and master one solution. And the reduced complexity of a single cloud would theoretically minimize the exposure of DOD’s network vulnerabilities.
However, the protracted legal battle pushed JEDI past viability. While the cloud titans fought for their slice of the pie, other actors within the federal government, most significantly the intelligence community, transitioned to a multi-cloud network. As a result, the decision to retire JEDI is best seen as an inevitable step toward DOD’s multi-vendor destiny.
In fact, it will now pursue a diametrically different solution through the Joint Warfighter Cloud Capability, called JWCC, a multi-vendor indefinite-delivery, indefinite-quantity contract. Now, Amazon, Microsoft, Google and other cloud vendors may each get a piece and provide their clouds for one of the most complex and sensitive networks on earth.
During the two-year delay, the premise of single-cloud networks faced its own battles. It was common for senior management from both public and private sectors to erroneously view a single cloud as infallible. In reality, this was repeatedly disproven. Vulnerabilities found in on-premises networks were replicated or dragged onto the cloud. Meanwhile, overtaxed cyber and network teams aren’t failsafe themselves: to deploy at scale, cloud administrators do everything from the command line to scripting, and Gartner predicted in 2017 that 99% of cloud security failures over the next five years would be caused by human error. These weaknesses are amplified by recent devastating ransomware incidents, which have eroded perceptions of federal security inside the beltway. So, while multiple clouds do add to the complexity of a network, a single cloud was never a silver bullet.
The Pentagon’s multi-cloud future offers both promise and peril. DOD’s needs are diverse and have become even more disparate amidst the post-SolarWinds landscape we find ourselves in. Some vendors are demonstrably better at some things than others: often developers prefer Azure, whereas many give Google Cloud the gold from an artificial intelligence perspective. By utilizing the best parts of each vendor, DOD teams can tailor their own cloud best suited for both their classified and unclassified networks. But an experienced Amazon Web Services architect is unlikely to possess the same understanding of Microsoft Azure, and vice versa. And while Amazon Web Services and Google’s virtual private clouds may share the same nomenclature, their configurations are poles apart. Those extremely rare architects who are cloud solution polyglots are likely employed in the private sector with salaries higher than what the federal government could offer.
And complexity remains the eternal enemy of security. By combining different vendors and teams of engineers, the Pentagon has opened a Pandora's box. Its cyber defenders must be essentially multi-lingual to work seamlessly within and between different cloud networks. And because a ‘lingua franca’ between vendors is impossible for now, it’s even harder to find engineers with some level of fluency in each to fully understand their network environments. Cyber teams are rarely experts on all aspects of every cloud network, regardless of what leadership may assume.
While the cloud titans had both the time and the money to scrap it out over JEDI ad infinitum, our national security had neither. Abandoning the contract was both a necessity and an inevitability. The Pentagon’s multi-cloud future must now draw on the best of every solution in the market without compromising on security.
Wayne Lloyd is chief technology officer of Federal at RedSeal.