One of the great challenges in IT systems engineering is satisfying constraints that pull in opposite directions at the same time. My company, The Aerospace Corporation, operates a mid-sized federally funded research and development center (FFRDC) in the aerospace and defense industry. A key challenge we are focusing on this year is transitioning to “digital”—moving our legacy paper-based business processes to the intranet and the internet, and automating as much manual work as we can. Our role in the defense industry and in operating an FFRDC presents unique challenges in terms of security and affordability. Thus, our question: how can we develop and deploy effective, user-friendly business applications in a highly security-conscious environment without breaking the bank?
One way we’ve tried to address these concerns is by taking advantage of cloud services where possible. Cloud-based software-as-a-service applications are updated frequently by vendors and help us stay on top of the latest updates and capabilities. Cloud applications and infrastructure exploit economies of scale to help us control cost and maximize value. Achieving security in the cloud has been the most important piece of the puzzle for us.
One of the best things the government has done in this regard is the establishment of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP provides a consistent set of security standards for doing federal government work in the cloud, along with an assessment and authorization process that is used to authorize cloud services. Through negotiations with our government customers, we have established agreements that FedRAMP-authorized cloud services can be used to store and process our unclassified business and technical data. Many large application vendors now offer their services and applications in FedRAMP clouds (sometimes colloquially known as “government clouds”). This has opened the door to move many of our key business services into the cloud—we now use cloud services for email, calendaring, customer relationship management, travel booking and accounting, IT service management, applicant tracking, cluster computing, learning management, and more. A challenge we face is that FedRAMP authorization for new services takes time, so capabilities in FedRAMP clouds often lag their commercial-cloud counterparts by months or years, and a feature that is available in a vendor’s commercial offering cannot be assumed to be in scope of its government-cloud authorization. Early in our experience, vendor representatives were often under-informed about which services were available in the government (vs. commercial) cloud, but after a few years of working with them, we’ve substantially increased clarity on this.
At Aerospace, we layer additional security on top of many of our services and endpoints, both on-premises and in the cloud. For example, we use a combination of on-premises and cloud-federated access management products to centralize authentication, so that applications trust tokens or assertions from our identity provider rather than maintaining their own passwords. Integrating these with the dozens of technologies and services we offer is a constant challenge. Often, authentication is one of the most complicated parts of integrating two applications via an application programming interface (API): the calling application must obtain a credential the API will accept, and the API must validate it correctly. Having a separate authentication system on top of the application’s default mechanism makes this integration even harder. Our identity and access management team collaborates closely with our application development and IT services groups to work through these issues on a case-by-case basis.
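As an added illustration of the integration pattern described above (this is example code written for this page, not Aerospace’s own code or any vendor’s API), the block below shows the two halves of an API integration that trusts a central identity provider instead of a per-application password: a token minted by the identity provider, and the receiving API validating it before serving the call. It assumes an HMAC-signed JSON Web Token with a shared secret, a simplification chosen so the example runs with only the Python standard library; a production deployment would normally use asymmetric signatures and fetch the provider’s public keys. The secret, issuer URL, audience name and service names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example only; a real deployment would use
# asymmetric keys published by the identity provider, not a shared secret.
IDP_SECRET = b"example-shared-secret-not-for-production"
IDP_ISSUER = "https://idp.example.test"
API_AUDIENCE = "travel-api"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT the way the central identity provider would."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def verify_token(token: str, expected_audience: str,
                 now: Optional[int] = None) -> dict:
    """API-side validation: pinned algorithm, signature, issuer, audience, expiry."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm on the verifier side; never let the token choose it
    # (defeats "alg": "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # Only parse claims after the signature is known to be good.
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise TokenError("malformed claims")
    if claims.get("iss") != IDP_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    return claims


def handle_api_request(headers: dict, now: Optional[int] = None) -> Tuple[int, str]:
    """Simulated API endpoint: returns (HTTP status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], API_AUDIENCE, now=now)
    except TokenError as exc:
        return 401, f"rejected: {exc}"
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    token = issue_token("svc-travel-sync", API_AUDIENCE)
    print(handle_api_request({"Authorization": "Bearer " + token}))
    print(handle_api_request({"Authorization": "Bearer " + issue_token("svc", "hr-api")}))
```

The points a reviewer would check in an integration like this are the ones the validator enforces: the algorithm is fixed by the verifier rather than read from the token, the signature is compared in constant time before any claim is trusted, and the audience check stops a token issued for one internal API from being replayed against another.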
We have a mobile workforce geographically distributed across numerous sites, and access to our applications and services on mobile devices is a constant demand. We enable this, securely, by using typical commercial smartphones that have a mobile device management (MDM) suite installed. The MDM suite allows us to “partition off” phone apps, storage, and network connections to isolate and protect corporate data on the device. The MDM gives us the ability to centrally manage our phones—blocking unwanted apps, remotely wiping phones that are lost or stolen, and enforcing security policies. To date, the biggest drawback has been that native apps for some of our key services are not MDM-enabled, and thus can’t route their traffic through our secure gateways. We are currently testing a new secure tunnel component from our MDM vendor that can create per-app virtual private networks, so that only the managed app’s traffic, not the whole device’s, traverses the corporate gateway. This will bring native app support to our corporate services, and our users can’t wait.
As a not-for-profit corporation whose growth is constrained by government mandates, we have an incentive and an obligation to maximize the value of every IT dollar spent. One way we address this is by using open-source applications and services where appropriate. We include open-source applications in our analyses of alternatives when we are implementing a new capability, and often end up implementing a blend of proprietary, commercially supported open-source, and self-supported open-source technology to satisfy different use cases. For example, our financial and IT service management workflows are largely supported by traditional, commercial products that are leaders in their domains. For custom business applications, we are investing in a commercially supported open-source workflow engine that will help us offer capabilities to our entire user base without incurring outsized license costs or vendor lock-in risk.
Going digital while maintaining our high-security standards in a cost-constrained environment isn’t easy, and there are constant, difficult choices to make in setting the right balance. We achieve it through staying on top of technology, constantly communicating with our customers about security, and employing good systems engineering. It’s worth it for the satisfaction that comes when we make someone’s job easier, and find solutions to difficult problems.