Will the Pentagon’s decision to award the contract to a single supplier make it less secure?

Sometime soon, the US Department of Defense (DoD) will make its decision on where to award the $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud computing contract.

The successful bidder will walk away with the biggest cloud customer in the world, as 3.4 million government users and four million devices are due to be migrated from private servers into the cloud.

The 10-year deal is said to account for a quarter of all the cloud business in the world – and not only that, it is widely expected to position the winner perfectly for future US government deals.

It’s a two-horse race between Microsoft and Amazon Web Services (AWS), both of which have invested massively in specialist government services and already have extensive government deals.

In 2013, for example, AWS signed a deal with the CIA to build a private cloud for the intelligence community in a move that CIA chief information officer John Edwards described as “the best decision we’ve ever made”.

Meanwhile, the US intelligence community uses Microsoft Azure Government, Office 365 for US Government, and Windows 10.

But while the potential business is enormous, public sector bodies tend to have the strictest requirements when it comes to the cloud.

“Government agencies handle more data, and more sensitive data, than almost any other organization,” says Julia White, Microsoft’s corporate vice president for Azure.

“In addition, governments must operate within strict regulations, meeting the most stringent requirements for security and privacy.”

As a result, it’s understandable that governments – which have generally been slower than commercial companies in adopting the cloud – are often reluctant to look beyond the major players when evaluating tenders.

And in the UK, too, where the government has had a ‘cloud first’ policy since 2013, it is large firms like Microsoft and AWS that dominate.

Across the pond

In order to streamline the procurement process, the UK’s G-Cloud initiative introduced a set of framework agreements with suppliers, as well as an online store.

But while this was claimed to be a way of helping smaller cloud businesses win government contracts, the fact is that most of the business is going to AWS or Azure.

As Tom Read, the chief digital and information officer at the UK Ministry of Justice, commented last year: “Ignore me if you’re going to get offended – Amazon is probably better at hosting than you.”

One major reason is the level of security required when handling confidential government data.

In the US, for example, even Microsoft doesn’t yet have Defense Information Systems Agency (DISA) level six security approval, though it’s expected to achieve this by the time the JEDI contract is awarded.

Security has become a sensitive issue in this particular deal, with several cloud vendors – including Oracle, Microsoft, IBM, Dell, Hewlett-Packard, Red Hat, and VMware – claiming that the Pentagon’s decision to award the contract to a single supplier will make it less secure.

The Pentagon has stuck to its guns, saying that multiple clouds would actually increase security risks and limit data availability.

Centralization could also increase the potential dangers of outages, such as the incident that hit Microsoft Azure and Office 365 late last year.

After login problems caused by multi-factor authentication (MFA) issues, users all around the world – including the UK parliament – found themselves unable to log on for more than 15 hours.

Additional security concerns

IBM and Oracle have argued that centralization could also make the DoD cloud both easier to hack and vulnerable to power outages – charges that AWS denies.

“Today the AWS Cloud spans 60 availability zones within 20 geographic regions,” a spokesperson tells The Daily Swig.

“By offering multiple availability zones, which are isolated but connected through low-latency links, customers can easily deploy their applications in AWS regions and maintain high availability.

“AWS also designs its data centers with significant excess bandwidth connections so that if a major disruption occurs, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites, minimizing the impact on customers.”

However, Maribel Lopez, a technology industry analyst and strategic advisor at Lopez Research, warned that using a single supplier isn’t the best strategy for the long term.

“While it’s normally a good idea to dual source cloud services, most companies start a project with one provider to understand the process, fine-tune requirements, and then look for ways to introduce a second provider.

“Once the government has a firm handle on how it’s working, it may choose to diversify the workloads across the cloud,” she told The Daily Swig.

Lopez added: “So in the short term, it doesn’t surprise me that the government is using one cloud. In the long term, this should move to a multi-cloud strategy. Multi-cloud strategies ensure innovation, diversity, and cost-effective appropriate pricing.”