NASA Cloud Computing: Security Concerns Hover
In the rush to embrace cloud computing, enterprises of all sizes can face serious stumbling blocks, including concerns about how to implement the technology and which best practices to follow, all of which ultimately affect security.
The same goes for government agencies, including NASA.
In audit results released Feb. 7, the Office of Inspector General for NASA found that the space agency has started to embrace the cloud as a way of maximizing its IT resources. However, there were also several problems with how the technology is being implemented, including that many of the agency's employees were using unauthorized and unsecured cloud services for their work.
For years, enterprises and their CIOs have struggled with "shadow IT" -- unauthorized employee use of technology such as Dropbox, Box or Google's cloud apps. While it's easy for someone to use his or her credit card to buy a subscription, download the software and then upload data to a third-party service, this use of cloud apps also carries a significant security risk.
Complicating the issue for NASA is that cloud services used by the federal government must adhere to a series of security guidelines and accreditations established in 2014, known as the Federal Risk and Authorization Management Program or FedRAMP.
In 2016, NASA spent $1.4 billion on IT. In the report, the inspector general found that since 2013, the agency's CIO office has made three FedRAMP-compliant cloud computing services available and approved 19 others for use.
In addition, NASA has moved about 1% of its data to the cloud -- a small but significant shift at the agency.
"NASA uses cloud computing to address a number of important functions, including large-scale computational services to support science programs and storage of large data sets associated with high-resolution mapping of planetary surfaces, as well as for more routine services like website hosting and document storage," according to the report.
Despite that progress, the inspector general still identified 20 cloud services that were not listed on the FedRAMP registry. Additionally, the CIO's office found eight more cloud apps that were not approved. Here's one example from the report:
"For example, one service we discovered -- TeamViewer -- provides the capability for 'automatic discovery' of nearby contacts and devices to make collaboration and interaction easier, as well as 'file transfer' that allows users to share files of any size using convenient methods such as file manager, contextual menus, drag and drop, and a file box that can link to cloud storage providers. This capability could allow sensitive data to be accessed by unauthorized individuals."
While these types of cloud services are easy to use and do provide a level of simplicity, the audit also found that NASA did little to curb their use, especially when it came to uploading data to these services.
"There are no controls in place preventing Agency personnel from accessing and storing NASA data in unapproved cloud services," according to the audit.
A sampling of 12 different services found that most of them did not contain FedRAMP controls, and three of the apps -- Apple's iCloud, Box and Dropbox -- were not authorized for use within NASA's network.
The inspector general made a series of recommendations to the CIO's office about how to improve security and use cloud services that meet the standards of FedRAMP. However, the report noted that NASA's CIO had other concerns.
"We spoke to the CIO about the use of unapproved cloud services by Agency personnel. She told us she is focused on establishing enterprise cloud computing solutions that will provide personnel with the services they need and believes users will naturally adjust to using approved services once the cloud culture at NASA is more mature," according to the report. "Accordingly, she indicated she is not overly concerned about smaller scale uses of unapproved services."