NASA is having some trouble making a move into the cloud. In a review by NASA's inspector general, the space agency discovered that many of its ongoing cloud initiatives were severely lacking on security — and some had even left sensitive data at risk. Looking over five contracts that NASA had for cloud hosting, the review found that "none came close" to meeting the practices it set forth for ensuring proper data security. NASA seemingly failed to write those security procedures into its contracts with cloud hosting services, and in two cases had used those hosts to hold data that, if compromised, could have had "serious adverse effects" on the space agency.
"None came close" to meeting security guidelines
The review also found that NASA had at times moved entire systems onto public cloud servers, and did so without the appropriate internal oversight. "Even more troubling," the report notes, "a test of security controls on [NASA's websites] had never been undertaken." More than 100 internal and external NASA websites were determined to be operating without security systems — though many of those major issues have since been addressed. Even so, the review still notes that a better job needs to be done of keeping data secure.
This isn't the first instance of NASA being unprepared when it comes to cybersecurity. The agency has had its data compromised before, and last year it had difficulty securing sensitive information held on employees' laptops. NASA is now considering beginning an office dedicated to managing its cloud computing initiatives and their security. It could be an important change going forward: over the next five years, NASA expects that 75 percent of its new IT programs will be based in the cloud.