Federal agencies can learn a lot from shortcomings discovered in the space agency's cloud computing practices.
NASA's pioneering efforts to embrace cloud computing are now revealing shortcomings that agencies may also face if they don't take a comprehensive view of what cloud migration entails. A recent audit by the Office of Inspector General found a variety of weaknesses in NASA's IT governance and risk management practices. It also concluded that the space agency hasn't fully realized the benefits of cloud computing.
Newly appointed CIO Larry Sweet responded to the findings by recommending actions that NASA should take to fix the current model, shedding light on what other agencies might avoid as more of their IT operations move to the cloud.
Sweet said that among other actions, NASA would take new steps to develop and publish guidance on how the space agency acquires and uses cloud computing services. The agency's centers will also be required to register all purchases of cloud services with NASA's Computing Services Service Office (CSSO) to meet security requirements. The decision stems from the audit's findings that NASA's centers moved systems and data into public clouds without the CIO's knowledge or approval. The report found that on five occasions NASA acquired cloud computing services using contracts that failed to address IT security risks.
The stakes are significant. NASA projects that within the next five years up to 75% of new IT programs will begin in the cloud, and most of its public data could be stored in the cloud. And as the agency updates its legacy systems, up to 40% of them could move to the cloud. Safeguarding data will be critical during the transition, but without better oversight, NASA could face heightened risks.
The audit report made a total of six recommendations that would help "strengthen NASA's IT governance practices with respect to cloud computing, mitigate business and IT security risks, and improve contractor oversight." NASA's CSSO, established in August 2011, already oversees all computing-related services, including data center consolidation and cloud computing. But Sweet admitted that CSSO is lacking in some areas and vowed to make significant changes to meet the recommendations.
Sweet said all NASA organizations would use the WestPrime contract for purchasing such services. Additionally, NASA has terminated its Web services contract with eTouch -- which manages NASA's internal and external Web portals -- and will shut down all legacy eTouch infrastructure this September. The agency is implementing a new system, managed by InfoZen.
NASA will also complete an inventory of its cloud service providers to ensure they comply with Federal Risk and Authorization Management Program (FedRAMP) provisions, a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
As federal agencies expand into public clouds, they need to avoid unapproved and unsecured cloud services in order to prevent operational disruptions, data loss and the misuse of public funds. NASA officials agreed that cloud computing contracts must incorporate best practices and meet all FedRAMP requirements.
According to the audit's recommendations, establishing a program management office responsible for cloud computing strategy and related standards is essential to eliminate confusion and miscommunication about which public clouds are acceptable.
The changes are expected to be completed by September 30, 2014, although Sweet said a lot will depend on NASA's budget, which is uncertain at the moment. "The recommendations are feasible; however, the implementation of the recommendations is contingent upon the availability of funds," he said.