Technology News

latest updates from easySERVICE™

NASA’s public cloud contracts slammed over wrong security controls



NASA has made decent savings by moving some data center loads to public clouds, but poor oversight and stock vendor contracts are exposing the organisation to unwanted risk, according to a study published on Monday.

An audit by the NASA Office of Inspector General (OIG) of the space agency’s early dip into public cloud computing has found shortcomings in its migration to date, noting it has lacked oversight and adequate contractual arrangements.

NASA, of course, along with Rackspace, contributed the IP to launch cloud foundation OpenStack, and in 2012 ditched its Nebula private cloud in favour of Azure and Amazon Web Services after a five-month study found the latter more efficient.

NASA only spends $10m of its $1.5bn annual IT budget on cloud computing, but up to 75 percent of new IT programs are projected to begin in the cloud within five years, while nearly all of the agency’s public data could be moved to the cloud, the audit said. Also, up to 40 percent of its legacy systems could move to the cloud, it added.

According to the report, NASA’s Office of the CIO was not aware of all cloud services that various NASA organisations had acquired or which service provider they used. In most cases, migration to public clouds was not coordinated through a central office.

The auditors reviewed five NASA contracts and found that “none came close to meeting recommended best practices for ensuring data security” when assessing whether the contracts allowed contractor performance to be measured, reported, and enforced, and whether they addressed federal privacy, discovery, and data retention and destruction requirements.

In four cases NASA relied on the cloud providers’ standard contracts, which did not satisfy those requirements. The one contract NASA did pen, however, also failed to ensure that federal IT security requirements were met.

“As a result, the NASA systems and data covered by these five contracts are at an increased risk of compromise,” NASA’s OIG noted.

In addition, one unnamed third-party cloud service that delivers more than 100 NASA internal and public-facing websites had been operating for more than two years without written authorisation or security and contingency plans. An annual test of the service had not been completed despite the risk of a “serious disruption” to NASA operations if a breach of the “moderate-impact” cloud service were to occur.

While NASA satisfied the government’s ‘cloud first’ initiative by moving several services to the cloud, helping deliver savings of $1m a year, it has now agreed to accelerate plans to flesh out its cloud strategy.


Source: Associated Press

