NASA IG Reports Fundamental Challenges with Agency’s Cloud Adoption
Published: July 31, 2013
As a pioneer in cloud computing, the National Aeronautics and Space Administration (NASA) established its Nebula cloud computing data center at Ames Research Center in 2009. Despite the agency’s position as an early adopter of cloud technology, a recent report from NASA’s Inspector General (IG) highlights fundamental governance and risk management issues that will impair the effectiveness of future cloud efforts.
Over the past several years, NASA’s cloud efforts have included:
· Nebula (Private Cloud-Computing Initiative) – The Nebula private cloud was established at Ames Research Center in 2009. Nebula provided computation and storage services until it was decommissioned in April 2012.
· OpenStack (Software for Managing Private Clouds) – NASA partnered with Rackspace, a publicly held cloud-computing company, to launch OpenStack, an open-source software project, in July 2010.
· Mission-related services – Marshall Space Flight Center has used cloud computing to support experiments for the International Space Station, conduct environmental monitoring, and host a website for spacecraft design and planning.
· NASA Shared Services Center (NSSC) – By contracting with a cloud service provider to provide a suite of applications that make information available to employees via a website, NASA has reduced call center costs for the financial management, human resources, IT and procurement services that it provides to employees.
NASA has also invested in public cloud capabilities to host collaboration sites for software upgrades and other innovations. Amidst all this activity, NASA also satisfied the OMB Cloud-First initiative by migrating several IT services to the cloud. While the agency was able to recognize the benefits of cloud adoption and pursue the technology in a range of areas, it seems that rapid adoption has come at a price.
On July 29, 2013, NASA’s IG released the results of an audit conducted to evaluate implementation of an agency-wide governance model and practices to assess security and risks with cloud-computing models. Some of the issues included:
· NASA’s OCIO had no knowledge of Centers moving systems and data into public clouds.
· Cloud services were acquired on five occasions using contracts that did not address or mitigate business and IT risks.
· One of two moderate-impact systems migrated to a public cloud operated for years without authorization, security, or contingency plans.
· The agency OCIO lacked oversight authority and lagged in establishing contracts that would ensure cloud providers met IT security requirements.
· Although a contract was signed to acquire cloud services addressing key business and IT security risks, NASA Centers have not been required to use the contract or to implement similar terms in cloud service contracts.
At the time of the audit, less than one percent (around $10 million) of NASA’s IT budget was being spent on cloud computing. The agency expects that figure to increase over the next five years, as “up to 75 percent of new IT programs could begin in the cloud, and nearly 100 percent of the Agency’s public data could be moved to the cloud.” In addition, modernization of legacy systems could result in 40 percent of those systems migrating to cloud environments. So, resolving the problems identified by the audit is important to improving and securing future adoption.