About Author
Forrester Analysts

Forrester Research is a technology and market research company that provides pragmatic advice to global leaders in business and technology.



NASA flunked its cloud computing audit. Are you next?

Could you answer your auditor's basic questions?


Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements.

As someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness.

Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.

The Cloud Is Nebulous

Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humour, don’t you?)

During 2009, NASA did a study to determine whether commercial cloud provider offerings had matured enough to support the Nebula environment. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. As a result, NASA moved more than 140 applications to the public sector cloud environment.

In October of 2010, Congress held committee hearings on cybersecurity and the risk associated with cloud adoption. But remember, NASA had already moved its non-critical data (like the daily video feeds from the International Space Station, which are edited together and packaged as content for the NASA website) to the public cloud in 2009. That was before anyone had considered the rules for adopting such services.

Audit Recommendations

NASA’s auditors had recommendations regarding cloud oversight failures. NASA’s failures are teachable moments for companies that are already in the cloud with no governance around how the technology is deployed. How would your organisation address the following recommendations from your auditors?

1. Establish a cloud-computing program management office with authority to promulgate cloud-computing strategy and related standards and approve, coordinate, and oversee agency-wide acquisition of cloud-computing services.

  • For cloud governance to work, someone must have the authority and requirement to oversee the process for acquiring cloud technology.

2. Require the cloud service provider or broker to develop NIST-compliant security and contingency plans and conduct a test of the system’s security controls.

  • When your data is out of your control, things like continuity, redundant monitoring, disaster recovery, and disposal of data become very important.

  • Any framework will do, it doesn’t need to be NIST. But one thing is clear: Monitoring adherence to the framework is part of due diligence for cloud services.

3. Ensure that the responsible Information Security Officer review IT security documentation and control tests and authorise the system for operation, as appropriate.

  • This one seems like a no-brainer. Before going live in production, harden and secure the application and infrastructure environment.

It’s important to remember that giving your services to a cloud provider does not mean less governance and risk management for you -- it actually requires more governance and risk management from you.

Posted by Renee Murphy

Source: NASA REPORT NO. IG-13-021 (ASSIGNMENT NO. A-12-022-00)


