Despite spending about $10 million of its $1.5 billion annual IT budget on cloud computing, NASA has overlooked critical security measures and procedures in its implementation of public cloud, according to a report released on Monday.
The report by the NASA Office of Inspector General highlights a concerning trend across NASA’s adoption of cloud, which has left gaps in security and kept the Agency’s Office of the Chief Information Officer in the dark.
NASA was an early player in cloud computing, as it established its own private cloud data center called Nebula in 2009. After five months of testing in 2012, NASA shut down Nebula in favor of public cloud, which offered more reliability and cost savings. That same year, NASA withdrew from OpenStack.
The report shows that several NASA Centers moved Agency systems and data into public clouds without the knowledge or consent of the Agency’s OCIO. On five occasions, NASA acquired cloud services using contracts that failed to “fully address” the security risks unique to cloud.
One of two moderate-impact systems NASA moved to a public cloud operated for two years “without authorization, a security or contingency plan, or a test of the system’s security controls,” the report says.
In 2011, hackers breached networks at NASA’s Jet Propulsion Laboratory, and were able to install malware and steal private information. A report that investigated the incident also revealed other breaches that occurred in 2010 and 2011 for a total of 5,408 computer security incidents.
Government spending on public cloud is expected to reach $5.4 billion by 2017, according to a recent IDC report. NASA estimates that within 5 years, up to 75 percent of new IT programs could start in the cloud and nearly all of its public data could be stored in the cloud.
With the focus on shifting legacy systems to cloud across government agencies, those who neglect to follow standard procedures and ensure adequate security is in place could cause the “Cloud First” initiative to crash and burn, which would be bad news for service providers who seek to win government cloud business.