NASA's cloud audit holds value for all
The recommendations can be leveraged by any organization that wants to more effectively adopt cloud-computing services
Computerworld - NASA's Office of the Inspector General (OIG) recently audited and evaluated the efficacy of the space agency's efforts to adopt cloud-computing technologies. The resulting report, "NASA's Progress in Adopting Cloud-Computing Technologies," includes six recommendations "to strengthen NASA's IT governance practices with respect to cloud computing, mitigate business and IT security risks and improve contractor oversight." While the recommendations are specific to NASA, their underlying concepts can be leveraged by any organization that wants to more effectively adopt cloud-computing services.
RECOMMENDATION Require that NASA organizations use the WestPrime contract or a contract that helps ensure risks are mitigated and FedRAMP requirements are met when acquiring cloud-computing services.
The adoption of public cloud computing services entails a paradigm shift from a traditional, technically managed approach in which an organization builds and maintains technology solutions in-house, to a contractually managed approach where an organization pays someone else to do all that off-site. As a result, NASA OIG accurately recognizes that effective risk mitigation requires developing contracts that address the specific risks of cloud computing, including but not limited to those related to infrastructure/security, service-level agreements, data protection, access and location, and vendor relationship.
The OIG evaluated existing public cloud-computing contracts at NASA in comparison with best-practice risk-mitigation measures, particularly as recommended by the Federal CIO and Chief Acquisition Officer Councils. The OIG identified one existing contract (WestPrime) that effectively accomplished these goals, four contracts where NASA agreed to the cloud vendor's standard contract terms and conditions without negotiating any revisions, and a fifth where NASA negotiated the terms of the contract with the cloud service vendor, but with limited success.
Except for the WestPrime contract, the OIG found that:
* None of the contracts reviewed included language to effectively address the roles and responsibilities of the vendor and customer, reporting of service level metrics, e-discovery mechanisms, data retention and destruction policies, or data privacy requirements.
* Only one of the contracts included penalties for not meeting service levels.
* And only two of the contracts included a guaranteed level of service availability, defined security incident detection and handling practices, or required third-party evaluation/certification of the cloud vendor's IT infrastructure and security.
It should come as no surprise that the standard vendor contracts did not come close to best practices for meeting customer data security needs. When placing sensitive data or business-critical functions in the cloud, it is essential for customers to negotiate contract terms and conditions that effectively address their needs. Otherwise, the customer's data and access to the service could be inappropriately put at risk. To effectively do this typically requires having appropriate processes in place for a customer to understand its needs and manage these processes.
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Oracle Fusion Financials Cloud Service Modern organizations are under intense pressure to provide accurate, reliable, and speedy financial information to business decision-makers. Furthermore, complying with global standards has...
- Cloud for Business Managers in Midsize Organizations: The Good, the Bad & the Ugly Read this independent research report to learn how business managers around the world are using Cloud applications.
- Cloud Computing eGuide In this eGuide, CIO, Computerworld, and InfoWorld offer advice, tips, news, and predictions regarding cloud implementations in the coming year and beyond. Read...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- Video surveillance for IT: maximum image quality, minimum bandwidth Join us on Thursday, May 8th at 1 p.m. EST when Willem Ryan, Senior Product Marketing Manager at Avigilon, will discuss how IT... All Cloud Computing White Papers | Webcasts