While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Just how much does the Department of Defense rely on Microsoft SQL Server? A lot.
The Navy Marine Corps Intranet (NMCI) alone hosts 665 SQL Server databases and, of course, NCMI is just part of the DOD ecosystem. As a public affairs spokesperson for the Defense Information Systems Agency said, “[SQL Server] supports hundreds of applications, including email, content management, document management, enterprise search, business intelligence and workflow management.”
Microsoft will end support for SQL Server 2005 on April 12. Like many organizations around the world, the Defense Department has migrated to newer versions of SQL Server to keep important databases running.
For the military, in particular, it’s a unique challenge. As a massive organization with millions of members, the department leverages SQL in many different and unique ways. Being unprepared for end of support is simply not acceptable.
Look at some of the major ways DOD leverages SQL:
U.S. Army Europe uses SQL Server to screen local nationals for jobs. That database contains hundreds of thousands of employment applications, some more than 30 years old.
In 2015, U.S. Army Europe finished migrating from a homegrown screening and human resources system to Microsoft Dynamics CRM to streamline the application process.
That included translating non-English information in the database to English and making it usable for reporting and research. To do so, the Army turned to Microsoft’s Translator cloud service, which translated the database’s several thousand records into English in minutes.
SQL Server also is part of the Army’s Battle Command Common Services (BCCS), a tool that teams use in combat. “It allows them to move the business, if you will, of fighting a battle,” says Dan Craytor, who spent 21 years as an Army helicopter pilot before becoming Microsoft’s chief technology officer for DOD services.
The Army has used BCCS for about 10 years and continually upgrades it as mission requirements change. “It’s an ongoing solution that’s been very successful for them,” Craytor says. “They keep coming back and saying, ‘We’re looking for more. What can we do now?’”
Other defense applications are behind the lines. The Army Air Force Exchange System, whose 2,400-plus locations provide retail stores and restaurants on camps, posts and stations, relies on SQL Server as the back end for Microsoft Dynamics AX. Together they support applications such as point of sale, purchasing and logistics.
In both the federal and private sectors, a third party’s ability to access a database increases it’s value. It’s no surprise that that’s a common project for Microsoft, as Defense agencies work closely with contractors.
“We’ll set up a server for sharing, even on a contractor site,” Craytor says. “That’s what great about SQL: It uses Active Directory for identities, and you can allow that easy collaboration; front end it with something like SharePoint or a custom web application. There’s a tremendous amount of that across DOD.”
The ability to grant outside access highlights the importance of security and, in turn, the value of refreshing to recent versions of SQL Server.
Refreshes challenge enterprises like NMCI because of the volume of databases it use. Refreshes are also inevitable: Microsoft ended support for SQL Server 2003 in July 2015, SQL Server 2005 ends support next month, and other end-of-support dates are scheduled.
“That capital expenditure is a challenge for a lot of organizations, not just DOD,” Craytor says. “DOD wants to move to Azure SQL because they can move their databases to the cloud using SQL. They don’t have that hardware investment. They’re always going to be up to date on their software and patches. And when a refresh comes around, they don’t have to buy that, so we’ve gotten a lot of interest in that solution.”
Refreshes are also time-consuming. DOD must evaluate each new piece of software and hardware and create implementation guidelines. NMCI, for example, must wait for DISA to vet each new product and provide guidance. Then NMCI has to do engineering reviews to ensure a new SQL Server product won’t break existing applications.
“The acquisition process we use for licenses and upgrades puts us as a ‘fast follower’ industry,” says Capt. Michael Abreu, Naval Enterprise Networks Program Office program manager. “The process we use to assess new versions of software typically [puts] us at least six months to a year behind Microsoft’s cycle. That allows some of the first bugs to be worked out and some of the first patches to be released by the time we get it and start implementing at large scale.”
Approval in one branch doesn’t necessarily shorten the process when other DOD organizations consider the latest piece of software or hardware.
“If it gets approval from the Army, chances are the Air Force is going to do the same thing, and the Navy is going to do the same thing,” Craytor says. “It may be six months to a year after a product is released that they actually start deploying.”
The Defense Appropriations Bill includes acquisition reforms that could streamline that process.
“We always say, use what’s out there today because it’s probably certified,” Craytor says. “Keep planning for what’s next, especially if it has security features like SQL Server 2016 does with in-flight encryption. 2014 doesn’t have that.”