NASA cloud strategy slammed over security failings

NASA's cloud computing strategy has been criticised for poor planning and security.

A report by the agency's Office of the Inspector General has made six recommendations to enable NASA to smarten up its cloud data act.

NASA canned a 2009 private cloud data initiative in favour of public cloud systems in 2012 based on cost and performance issues, but according to the Inspector General the systems chosen did not come up to the mark.

At one point, the report says, 100 of NASA's internal and external websites did not have proper security controls.

The Inspector General says NASA should establish a cloud computing programme management office with authority to "promulgate cloud-computing strategy and related standards" and "approve, coordinate and oversee Agency-wide acquisition of cloud-computing services".

NASA organisations are also now required to use an approved existing cloud contract or an alternative to ensure that data risks are mitigated, and they must also ensure "any movement of moderate- or high-impact NASA systems to public clouds conforms with Federal and Agency IT security requirements".

All NASA CIOs must also make sure their existing and planned cloud computing services meet FedRAMP security regulations, and they must require cloud service providers or brokers to develop NIST-compliant security and contingency plans and conduct a test of the system’s security controls.

Finally, NASA must also ensure that "the responsible information security officer reviews IT security documentation and control tests and authorises the system for operation, as appropriate".

The Inspector General says NASA has accepted all the recommendations and that many of them have already been adopted.