As covered in CNET, “In its move to cloud computing, NASA has experienced some difficulties meeting security guidelines. A new report by the agency’s Office of the Inspector General says that NASA needs to work on strengthening its information technology security practices.”
A few examples of poor cloud security practices include moving data into public clouds without notifying the Agency’s Office of the Chief Information Officer and working with contractors that didn’t “fully address” cloud computing IT security risks. “In one incident, data was on the public cloud for two years without authorization or a security plan and test system. Additionally, more than 100 of NASA’s internal and external Web sites didn’t have proper security controls.”
I suspect that these issues are pretty much the norm at NASA, and in most enterprises as well. When leveraging public clouds, including public cloud storage, you have to place active security controls around information as it moves into and out of storage-as-a-service providers.
The ease of subscribing to a cloud storage service, typically in minutes, makes it just too tempting for those employees who want to take advantage of these services. NASA, and most businesses, will have to get better at implementing active security controls, or this kind of stuff will just get worse.