Lost in space? NASA “fell short” on cloud security, report finds

NASA is no stranger to peering into nebulae in space – but the space agency found itself perplexed by the more Earthbound puzzle of cloud computing security, according to a report by the Office of the Inspector General.

“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” said the report, NASA’s Progress in Adopting Cloud-Computing Technologies.

“NASA spends about $1.5 billion annually on its portfolio of information technology (IT) assets – which includes more than 550 information systems that control spacecraft, collect and process scientific data, provide security for IT infrastructure, and enable Agency personnel to collaborate with colleagues around the world,” the report said.
The report found that NASA had put data at risk by moving it into public clouds without notifying security officers. In one incident, data was on a public cloud for two years without authorization or any security plan, according to a report by CNET.
More than 100 of NASA’s internal and external websites did not have proper security controls. NASA is seen as a pioneer in government use of cloud computing, according to a report by GovInfo Security.

The space agency launched its Nebula cloud computing project in 2008, described as, “an open-source cloud computing project and service developed to provide an alternative to the costly construction of additional data centers whenever NASA scientists or engineers require additional data processing.”

NASA shut Nebula in 2012 when it was discovered that public clouds, such as those offered by Amazon were more reliable and cost-effective.

The space agency has long been a target for hackers, with hackers in China reportedly breaking into Jet Propulsion Laboratory systems and gaining “full control” over them, according to a 2012 report by the Office of the Inspector General.

“As NASA expands its use of public cloud services, it is imperative that the Agency strengthen its governance and risk management practices to mitigate the chance that Agency operations may be disrupted, data lost, or public funds misused,” the report concluded.