In its move to cloud computing, NASA has experienced some difficulties meeting security guidelines. A new report by the agency’s Office of the Inspector General says that NASA needs to work on strengthening its information technology security practices.
“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” the report reads.
A few examples of poor practices include NASA moving data into public clouds without notifying the Agency’s Office of the Chief Information Officer and also working with contractors that didn’t “fully address” cloud computing IT security risks. In one incident, data was on the public cloud for two years without authorization or a security plan and test system. Additionally, more than 100 of NASA’s internal and external Web sites didn’t have proper security controls.
“This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements,” the report reads.
According to the report, NASA had five contracts for cloud hosting and none of these “came close” to meeting data security requirements.
NASA began its own private cloud computing at a data center called Nebula located at its Ames Research Center in 2009. But, due to the better reliability and lower cost of public cloud computing, the agency decided to move its data to public clouds in 2012.
Over the past year, NASA spent less than 1 percent of its $1.5 billion annual IT budget on cloud computing. However, moving forward, the agency plans to dedicate much more to cloud security and initiatives. Within the next five years, NASA is planning to have up to 75 percent of its new IT programs begin in the cloud and 100 percent of the agency’s public data stored in the cloud.
“As NASA moves more of its systems and data to the cloud, it is imperative that the Agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds,” reads the report.