[ISN] NASA falls short on its cloud computing security

http://news.cnet.com/8301-1009_3-57596053-83/nasa-falls-short-on-its-cloud-computing-security/

By Dara Kerr
Security & Privacy
CNET News
July 29, 2013

In its move to cloud computing, NASA has experienced some difficulties meeting security guidelines. A new report by the agency’s Office of the Inspector General says that NASA needs to work on strengthening its information technology security practices.

“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” the report reads.

A few examples of poor practices include NASA moving data into public clouds without notifying the Agency’s Office of the Chief Information Officer and also working with contractors that didn’t “fully address” cloud computing IT security risks.

In one incident, data was on the public cloud for two years without authorization or a security plan and test system. Additionally, more than 100 of NASA’s internal and external Web sites didn’t have proper security controls.

“This occurred because the Agency OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements,” the report reads

[…]