Blog Post

NASA bungles data security in the cloud, but at least it reached the cloud

NASA gets the private cloud — remember, it helped get OpenStack off the ground — and it embraces the public cloud too, but perhaps it’s been a bit trigger happy. In jumping onto public clouds in the past few years, it has not met standards for ensuring the security of data, according to a report released Monday from the agency’s Office of Inspector General.

Multiple NASA facilities stuck data into public cloud environments but didn’t get the OK from NASA’s office of the chief information officer. That sounds like good old shadow IT on a large scale, similar in some ways to the act of putting documents on Box or Dropbox without company approval. But when NASA spins up cloud resources, the stakes could be higher if data were to get into the wrong hands — just as hackers’ access to data from defense contractor QinetiQ North America sent up red flags.

We’ll be talking about just these sorts of issues during a panel on cloud security at GigaOM’s Structure:Europe conference in London on Sept. 18-19.

According to the report from NASA’s inspector general, one of the “moderate-impact systems” that NASA ported to the cloud was deployed for two years with no prior approval, no security plan and no test of the system’s security controls.

Management is to blame for at least some of the issues. NASA’s office of the CIO “was slow to establish a contract that mitigated risks unique to cloud computing.” And the office didn’t quickly come up with a cloud strategy to figure out what data can and should be stored in a public cloud. In addition, the CIO’s office didn’t know about two of the eight companies that were providing cloud services to NASA groups.

Procurement wasn’t perfect. Of five contracts the inspector general’s office reviewed, not one met “recommended best practices for ensuring data security.” The contracts did not meet requirements or comply with policies on data privacy, data retention and e-discovery. Now data stored under those contracts are “at an increased risk of compromise,” according to the report.

At least the OIG can praise NASA for trying to save money. The agency met the Office of Management and Budget’s Cloud First mandate to move many IT services to the cloud by June 2012.

Among other recommendations, the OIG suggests that NASA’s CIO form a cloud-computing management office that can develop a solid strategy and keep track of deployments.