While noting that NASA has been a pioneer in cloud computing, "having established its own private cloud-computing data center called Nebula in 2009 at the Ames Research Center (Ames)," the Office of Inspector General (OIG) audit levies four particular criticisms of its current state of cloud adoption.
The first is that governance needs to be strengthened. "We found that the Agency OCIO [office of the chief information officer] was not aware of all the cloud services NASA organizations had acquired or which service providers they used." Furthermore, only 3 of 15 agency CIOs stated that coordinating with the OCIO was necessary before moving into the cloud. In short, governance is poor if not absent.
The second is that risk management practices were ineffective. "We reviewed five NASA contracts for the acquisition of cloud-computing services and found that none came close to meeting recommended best practices for ensuring data security," says the audit. As a result, it says, "systems and data covered by these five contracts are at an increased risk of compromise."
The third is that one of the two 'moderate-impact' cloud services fails to meet security standards. "We found that the cloud service used to deliver Internet content for more than 100 NASA internal and public-facing websites had been operating for more than 2 years without written authorization or system security or contingency plans." As a result, said the audit, "A breach of this moderate-impact cloud service could result in a serious disruption to NASA operations."
The fourth is that while a contract with InfoZen meets FedRAMP standards, NASA organizations are not required to leverage the contract to obtain new cloud services.
Right now NASA spends a mere $10 million of its IT budget – or to put that into context, less than 1% of its annual $1.5 billion IT budget – on cloud computing. But within 5 years it expects that up to 75% of new programs will begin in the cloud. "As NASA moves more of its systems and data to the cloud," the audit concludes, "it is imperative that the Agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."
However, all's well that ends well. OIG made six specific recommendations to NASA, and NASA in turn has agreed to implement all six, subject to the availability of funds from within its $1.5 billion IT budget.
16 August 2013
While rectifying these four criticisms may sound ominous for an organization as wieldy as NASA, the greater challenge is in implementing changes that scale and automate with cloud computing. As NASA moves to architect and implement its security policies, technical controls, and governance, it must leverage cloud-centric automation and tooling. It is entirely achievable to exceed FISMA standards, and leverage programs like FedRAMP to do so. Burdening forward-looking cloud models with the heavy weight of yesterday's oversight will only assure that the savings enabled by cloud computing paradigms are dissipated. Fortunately, cloud management platforms offer cloud-centric automation that is governable by policy and flexible enough to manage public, private, or hybrid clouds. For more information: http://www.servicemesh.com/resources/transform-it-blog/blog/five-critical-ways-to-improve-security-posture-across-clouds/
-- Bankim Tejani, Senior Security Architect, ServiceMesh