NASA Fails in Cloud Computing Security

NASA has been increasingly moving data to the cloud, but according to a new report from the agency’s Office of the Inspector General, the space agency needs to strengthen its information technology security practices.
“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” the report reads.


In 2009, NASA began its own private cloud computing at a data center called Nebula, located at the Ames Research Center, but in 2012 the agency decided to move its data to public clouds for greater reliability and lower costs.
Since moving its data, however, NASA has had difficulty meeting the proper security requirements. For example, the agency has been moving data into public clouds without notifying the Agency’s Office of the Chief Information Officer (OCIO). It has also been working with contractors that did not “fully address” cloud computing IT security risks. More than 100 of NASA’s internal and external Web sites did not have proper security controls.
“This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements,” the report reads.
Going forward, NASA plans to dedicate more of its $1.5 billion annual IT budget to cloud computing. Within the next five years, the agency plans to have up to 75 percent of its new IT programs begin in the cloud and 100 percent of its public data stored in the cloud.
“As NASA moves more of its systems and data to the cloud, it is imperative that the Agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds,” reads the report.