NASA's public cloud contracts slammed over wrong security controls, lack of oversight

An audit of NASA's cloud computing has found a dearth of solid contract management and measurement at the organisation.

NASA has made decent savings by moving some datacentre loads to public clouds, but poor oversight and stock vendor contracts are exposing the organisation to unwanted risk, according to a study published on Monday.

An audit by the NASA Office of Inspector General (OIG) of the space agency's early dip into public cloud computing has found shortcomings in its migration to date, noting it has lacked oversight and adequate contractual arrangements.


The audit (PDF) only covers a small component of NASA's overall computing infrastructure, but one that is expected to play an increasingly important role in the near future and could be under threat if NASA does not build a more coherent cloud computing strategy. 

NASA, of course, along with Rackspace, contributed the IP that launched the OpenStack cloud foundation, and in 2012 it ditched its Nebula private cloud in favour of Azure and Amazon Web Services after a five-month study found the latter more efficient.

NASA only spends $10m of its $1.5bn annual IT budget on cloud computing, but up to 75 percent of new IT programs are projected to begin in the cloud within five years, while nearly all of the agency's public data could be moved to the cloud, the audit said. Also, up to 40 percent of its legacy systems could move to the cloud, it added.

According to the report, NASA's Office of the CIO was not aware of all cloud services that various NASA organisations had acquired or which service provider they used. In most cases, migration to public clouds was not coordinated through a central office.

Increased risk of compromise

The auditors reviewed five NASA contracts finding that "none came close to meeting recommended best practices for ensuring data security" when assessing whether the contracts allowed contractor performance to be measured, reported, and enforced and whether they addressed federal privacy, discovery, and data retention and destruction requirements.

In four cases NASA relied on the cloud providers' standard contracts, which did not satisfy those requirements. The one contract NASA did pen, however, also failed to ensure that federal IT security requirements were met.

"As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise," NASA's OIG noted.

In addition, one unnamed third-party cloud service that delivers more than 100 NASA internal and public-facing websites had been operating for more than two years without written authorisation or security and contingency plans. An annual test of the service had not been completed despite the risk of a "serious disruption" to NASA operations if a breach of the "moderate-impact" cloud service were to occur.

NASA's web portal (WestPrime) contract with provider InfoZen from 2012 complied with the Federal Risk and Authorization Management Program (FedRAMP); however, that template was not rolled out to other parts of the agency, the audit said.

While NASA satisfied the government's 'cloud first' initiative by moving several services to the cloud, helping deliver savings of $1m a year, it has now agreed to accelerate plans to flesh out its cloud strategy.

NASA's recently appointed CIO Larry Sweet agreed with the six recommendations from the audit report, including implementing an enterprise-wide cloud computing strategy, using the WestPrime contract more widely, and ensuring security compliance and testing are carried out on all cloud services. Sweet noted that the recommendations are feasible but that implementation was 'contingent upon the availability of funds'.