NASA's Office of the Inspector General (OIG) recently audited and evaluated the efficacy of the space agency's efforts to adopt cloud-computing technologies. The resulting report, "NASA's Progress in Adopting Cloud-Computing Technologies," includes six recommendations "to strengthen NASA's IT governance practices with respect to cloud computing, mitigate business and IT security risks and improve contractor oversight." While the recommendations are specific to NASA, their underlying concepts can be leveraged by any organization that wants to more effectively adopt cloud-computing services.
Require that NASA organizations use the WestPrime contract or a contract that helps ensure risks are mitigated and FedRAMP requirements are met when acquiring cloud-computing services.
The adoption of public cloud computing services entails a paradigm shift from a traditional, technically managed approach in which an organization builds and maintains technology solutions in-house, to a contractually managed approach where an organization pays someone else to do all that off-site. As a result, NASA OIG accurately recognizes that effective risk mitigation requires developing contracts that address the specific risks of cloud computing, including but not limited to those related to infrastructure/security, service-level agreements, data protection, access and location, and vendor relationship.
The OIG evaluated existing public cloud-computing contracts at NASA in comparison with best-practice risk-mitigation measures, particularly as recommended by the Federal CIO and Chief Acquisition Officer Councils. The OIG identified one existing contract (WestPrime) that effectively accomplished these goals, four contracts where NASA agreed to the cloud vendor's standard contract terms and conditions without negotiating any revisions, and a fifth where NASA negotiated the terms of the contract with the cloud service vendor, but with limited success.
Except for the WestPrime contract, the OIG found that:
* None of the contracts reviewed included language to effectively address the roles and responsibilities of the vendor and customer, reporting of service level metrics, e-discovery mechanisms, data retention and destruction policies, or data privacy requirements.
* Only one of the contracts included penalties for not meeting service levels.
* And only two of the contracts included a guaranteed level of service availability, defined security incident detection and handling practices, or required third-party evaluation/certification of the cloud vendor's IT infrastructure and security.
It should come as no surprise that the standard vendor contracts did not come close to best practices for meeting customer data security needs. When placing sensitive data or business-critical functions in the cloud, it is essential for customers to negotiate contract terms and conditions that effectively address their needs. Otherwise, the customer's data and access to the service could be inappropriately put at risk. To effectively do this typically requires having appropriate processes in place for a customer to understand its needs and manage these processes.
Establish a cloud-computing program management office with authority to promulgate cloud-computing strategy and related standards and approve, coordinate, and oversee Agency-wide acquisition of cloud-computing services.
The ease with which cloud-computing services can be acquired by a business process owner (often the only thing needed is a credit card) can result in traditional IT and procurement controls being bypassed. While business process owners may value this agility, they may not be well versed in the risks associated with the use of cloud-computing services, or how best to mitigate them.
For these reasons, it can be important for the customer to establish enterprisewide resources responsible for:
* Developing best practices for the use of cloud-computing services that reflect and are aligned with the organization's policies, practices and unique tolerance for risk; and
* Providing guidance in the acquisition of cloud-computing services.
Direct all NASA CIOs to review FedRAMP and take necessary action to ensure their existing and planned cloud-computing services meet FedRAMP requirements.
While this recommendation is focused on the federal FedRAMP standard, in a more general sense, any customer organization should ensure awareness of the contract and strategy resources discussed herein. For this reason, it can be important for the resources noted above to also provide education to end users regarding these issues.
Ensure any movement of moderate- or high-impact NASA systems to public clouds conforms with Federal and Agency IT security requirements.
For any customer organization, it is important to conduct sufficient advance analysis before moving a particular function to the cloud. The business owner of these functions may be insufficiently aware of the risks to conduct this analysis on their own. For this reason, it is important for the resources noted above to also be available to provide advice in evaluating which systems or data are appropriate for use in a public cloud environment.
Require the cloud service provider or broker to develop NIST compliant security and contingency plans and conduct a test of the system's security controls.
Ensure that the responsible Information Security Officer review IT security documentation and control tests and authorize the system for operation, as appropriate.
These last two are combined because, not only do they each address appropriate infrastructure and security practices, they're also examples of ongoing actions that need to be taken after the contract has been negotiated. One thing that distinguishes the acquisition of cloud computing services from other acquisitions is that the customer's work doesn't end upon completion of the initial order and associated contract. In fact, that's when the hard work begins, since the customer must now ensure that the cloud vendor's service complies with the requirements established in the contract on an ongoing basis. For this reason, it is important that the organizational resources provisioned when adopting a cloud-computing service include resources for ongoing vendor relationship management.
The various resources noted above may most effectively take the form of an IT vendor management lead or office responsible for coordinating organizational engagement with cloud vendors throughout the useful life cycle of each engagement. Without the provision of such resources, data or functions may be deployed to the cloud in contradiction of legal, policy or business requirements, exposing the organization to unexpected or unnecessary risks.