NASA's public cloud contracts slammed over wrong security controls, lack of oversight

Summary: An audit of NASA's cloud computing has found a dearth of solid contract management and measurement at the organisation.

NASA has made decent savings by moving some datacentre loads to public clouds, but poor oversight and stock vendor contracts are exposing the organisation to unwanted risk, according to a study published on Monday.

An audit by the NASA Office of Inspector General (OIG) of the space agency's early dip into public cloud computing has found shortcomings in its migration to date, noting it has lacked oversight and adequate contractual arrangements.

The audit (PDF) only covers a small component of NASA's overall computing infrastructure, but one that is expected to play an increasingly important role in the near future and could be under threat if NASA does not build a more coherent cloud computing strategy.

NASA, of course, along with Rackspace, contributed the intellectual property (IP) used to launch the cloud platform OpenStack, and in 2012 ditched its Nebula private cloud in favour of Azure and Amazon Web Services after a five-month study found the latter more efficient.

NASA only spends $10m of its $1.5bn annual IT budget on cloud computing, but up to 75 percent of new IT programs are projected to begin in the cloud within five years, while nearly all of the agency's public data could be moved to the cloud, the audit said. Also, up to 40 percent of its legacy systems could move to the cloud, it added.

According to the report, NASA's Office of the CIO was not aware of all cloud services that various NASA organisations had acquired or which service provider they used. In most cases, migration to public clouds was not coordinated through a central office.

Increased risk of compromise

The auditors reviewed five NASA contracts, finding that "none came close to meeting recommended best practices for ensuring data security" when assessing whether the contracts allowed contractor performance to be measured, reported, and enforced, and whether they addressed federal privacy, discovery, and data retention and destruction requirements.

In four cases NASA relied on the cloud providers' standard contracts, which did not satisfy those requirements. The one contract NASA did pen, however, also failed to ensure that federal IT security requirements were met.

"As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise," NASA's OIG noted.

In addition, one unnamed third-party cloud service that delivers more than 100 NASA internal and public-facing websites had been operating for more than two years without written authorisation or security and contingency plans. An annual test of the service had not been completed despite the risk of a "serious disruption" to NASA operations if a breach of the "moderate-impact" cloud service were to occur.

NASA's web portal (WestPrime) contract with provider InfoZen from 2012 complied with the Federal Risk and Authorization Management Program (FedRAMP); however, that contract template was not rolled out to other parts of the agency, the audit said.

While NASA satisfied the government's 'cloud first' initiative by moving several services to the cloud, helping deliver savings of $1m a year, it has now agreed to accelerate plans to flesh out its cloud strategy.

NASA's recently appointed CIO Larry Sweet agreed with the six recommendations from the audit report, including implementing an enterprise-wide cloud computing strategy, using the WestPrime contract more widely, and ensuring that security compliance and testing are done on all cloud services. Sweet noted that the recommendations are feasible but that implementation was 'contingent upon the availability of funds'.

Topics: Cloud, Government US, Nasa / Space

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

Talkback

4 comments
  • Well

    Since the NSA seems to be the biggest threat to cloud computing security, maybe they figure they got their bases covered.
    ossoup
    • Ummm, did you miss an "A"...

      This article is about NASA, not NSA... relevance?
      wizard57m-cnet
  • As the Chinese proved...

    ... when they hacked the backdoor put into gmail years ago, secret backdoors or "lawful intercept" systems create a pretty bad security risk to cloud computing and the Internet in general. If you supposedly need to serve a warrant, I'm not sure there should be back door intercept systems, since they seem to make the warrants just for show and when they're convenient.
    ossoup
  • Cloud isn't an either-or proposition

    Cloud computing does not have to mean sacrificing security in exchange for efficiency gains. In fact, cloud management platforms exist that allow government and enterprise IT organizations to ensure cloud security compliance through a dynamic policy engine that addresses a wide variety of security concerns across cloud providers. For more information: http://www.servicemesh.com/resources/transform-it-blog/blog/five-critical-ways-to-improve-security-posture-across-clouds/

    -- Bankim Tejani, Senior Security Architect, ServiceMesh
    BankimTejani