NASA’s progress in implementing cloud-computing technologies has failed to meet the standards needed to safely store data, an internal audit has found.
"We found that weaknesses in NASA’s risk management practices have impeded the Agency from fully utilising the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk," said the Office of Inspector General for NASA.
The OIG revealed that NASA’s risk management processes were ineffective.
"We reviewed five NASA contracts for the acquisition of cloud-computing services and found that none came close to meeting recommended best practices for ensuring data security," said the audit. As a result, it said: "systems and data covered by these five contracts are at an increased risk of compromise."
NASA pioneered its own private cloud computing in 2009 with a data center called Nebula, but the agency decided to move data to public cloud in 2012 due to higher reliability and lower costs.
It was also found that it had been working with contractors that didn’t "fully address" cloud security risks.
"We found that the cloud service used to deliver Internet content for more than 100 NASA internal and public-facing websites had been operating for more than 2 years without written authorization or system security or contingency plans." As a result, said the audit, "A breach of this moderate-impact cloud service could result in a serious disruption to NASA operations.
"This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements."
Campbell Williams, group strategy and marketing director at Six Degrees Group told CBR that: "NASA may be concerned with their intellectual property falling into the wrong hands – good news if you always wanted a space shuttle or a base on the moon. But anybody outside wealthy rogue governments will have nothing to fear. No patient records, criminal records, tax records or other sensitive information about members of the public have been exposed here, to our knowledge."
He said that the audit failure is due to a lack of responsible cloud management, rather than technological incompetence.
"NASA’s litany of mistakes has nothing to do with public clouds being less secure than private/virtual private ones (they are). It’s not even about cloud. It’s barely even about technology. It’s about contracts, expectations and good governance. If you don’t know how to manage a cloud supplier and sort out the contractuals, you definitely shouldn’t be in charge of managing sensitive data. Indeed, NASA’s IT teams weren’t allowed – they broke their own rules."
Currently, NASA only spends a small fraction of its $1.5bn annual IT budget for cloud computing, but that will be set to grow as NASA has agreed to comply to the OIG’s post-audit recommendations.
"As NASA moves more of its systems and data to the cloud, it is imperative that the Agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds," reads the report.
