NASA has a shadow IT problem

NASA OIG found 28 unauthorized cloud services operating in the space agency

It’s not often that enterprises get direct evidence of shadow IT, but a recent audit of NASA’s IT environment turned up 28 unsanctioned cloud services operating there.

NASA’s own CIO office found eight such services, and the NASA Office of Inspector General (OIG) discovered another 20 as part of its broader cloud security audit.


In the report, the OIG stated: “The utilization of cloud services without NASA approval or awareness places Agency data stored there at unnecessary risk. For example, one service we discovered – TeamViewer – provides the capability for “automatic discovery” of nearby contacts and devices to make collaboration and interaction easier, as well as “file transfer” that allows users to share files of any size using convenient methods such as file manager, contextual menus, drag and drop, and a file box that can link to cloud storage providers. This capability could allow sensitive data to be accessed by unauthorized individuals. Similarly, Huddle, another unapproved service that facilitates collaboration among team members, allows files to be shared easily across devices, locations, and teams outside of NASA’s firewall, and therefore could result in the same type of unauthorized access.”


Such shadow IT operations are one major challenge facing federal, public and private entities in the interconnected world.

Gartner recently wrote: “One thing has become clear in the past few years: shadow IT is here to stay. As digital business evolves, the IT department will make fewer technology decisions, and individual business units will begin selecting technology for their teams. In fact, Gartner predicts that through 2017, 38% of technology purchases will be managed, defined and controlled by business leaders.”

In NASA’s case, the OIG noted that with a government purchase card and a web browser, employees can easily buy low-cost subscription licenses to cloud computing services and obtain applications that allow them to transmit, process, and store large amounts of data without the CIO’s or Chief Information Security Officer’s involvement or awareness. Indeed, in some cases, cloud storage services are free.

NASA uses cloud computing to address many important functions, including large-scale computational services to support science programs and storage of large data sets associated with high-resolution mapping of planetary surfaces, as well as for more routine services like website hosting and document storage, the OIG report stated.

“In contrast to the traditional data center model that requires a significant initial investment in IT hardware and infrastructure, cloud computing allows NASA scientists and engineers to use only the resources needed to complete a particular project or function,” the OIG stated.

The OIG stated that since 2013 NASA has established three Federal Risk and Authorization Management Program (FedRAMP)-approved cloud computing services for Agency use and has moved approximately 1.2% of its data into these environments. However, much of the Agency’s cloud computing activity occurs outside of these FedRAMP-approved services. With NASA’s increasing use of the cloud, it is imperative the Agency strengthen its risk management and governance practices to safeguard its data.

The NASA CIO said its office has issued policy memorandums and related guidance requiring personnel to utilize only cloud computing services approved by the Agency and has made the cloud services registry of approved cloud services available via an internal NASA website. However, there are no controls in place preventing agency personnel from accessing and storing NASA data in unapproved cloud services, the OIG stated.


“Moreover, at the time of our audit NASA was not using Cloud Access Security Broker tools that could help identify all cloud computing services in use across the Agency,” the OIG stated.

In September 2016, NASA approved the purchase of a Cloud Access Security Broker tool, but it is unclear whether the Agency will implement the full functionality of the tool, which includes the ability to restrict access to unauthorized cloud computing services.
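The gap the OIG describes (an approved-services registry exists, but nothing checks traffic against it) is exactly what a CASB's discovery function closes. As an added illustration that is not from the OIG report or any NASA tooling, the script below runs that check over constructed proxy log lines: the log format, the domain-to-service mapping and the approved registry are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed stand-in for an approved-cloud-services registry; not NASA's actual registry.
APPROVED_SERVICES = {"Approved Enterprise Cloud"}

# Constructed mapping from registered domain to cloud service name (assumption, not from the audit).
SERVICE_BY_DOMAIN = {
    "teamviewer.com": "TeamViewer",
    "huddle.com": "Huddle",
    "cloud-approved.example": "Approved Enterprise Cloud",
}

# Assumed proxy-log format: "<timestamp> <user> <host> <bytes_out>" (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes_out>\d+)$")

def service_for_host(host):
    """Map a hostname to a known cloud service by matching the registered domain or any subdomain."""
    host = host.lower().rstrip(".")
    for domain, service in SERVICE_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None

def find_unapproved(log_lines):
    """Return {service: {"users": set, "bytes_out": int}} for traffic to known cloud services
    that are not in the approved registry; unknown hosts and approved services are skipped."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        service = service_for_host(m["host"])
        if service is None or service in APPROVED_SERVICES:
            continue
        findings[service]["users"].add(m["user"])
        findings[service]["bytes_out"] += int(m["bytes_out"])
    return dict(findings)

# Constructed sample proxy log lines; users, timestamps and byte counts are invented.
SAMPLE_LOG = [
    "2017-02-01T09:00:00Z alice files.cloud-approved.example 1048576",
    "2017-02-01T09:05:12Z bob login.teamviewer.com 2048",
    "2017-02-01T09:07:45Z bob download.teamviewer.com 52428800",
    "2017-02-01T09:10:03Z carol app.huddle.com 734003200",
    "2017-02-01T09:11:30Z dave www.example.org 512",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for service, info in sorted(find_unapproved(SAMPLE_LOG).items()):
        print(f"{service}: {len(info['users'])} user(s), {info['bytes_out']} bytes sent out")
```

The byte totals per unapproved service are the signal a reviewer would prioritise, since a large outbound volume to an unregistered file-sharing service is the exposure the OIG describes.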

“We spoke to the CIO about the use of unapproved cloud services by Agency personnel. She told us she is focused on establishing enterprise cloud computing solutions that will provide personnel with the services they need and believes users will naturally adjust to using approved services once the cloud culture at NASA is more mature. Accordingly, she indicated she is not overly concerned about smaller scale uses of unapproved services,” the OIG stated.


Copyright © 2017 IDG Communications, Inc.