Is NASA's data lost in space?
Editorial Type: Networking | Date: 10-2013
Key Topics: Networking Security Cloud SLAs Data Protection G-Cloud
Key Companies: Six Degrees Group Rackspace NASA
Key Products: OpenStack
Key Industries: Government
A recent report has revealed that it's not just the cloud over Cape Canaveral that's been troubling NASA of late, writes Campbell Williams, group strategy and marketing director, Six Degrees Group.

NASA's own auditor has recently rated its cloud computing deployments very poorly in a report that raises some interesting questions about the use of the cloud at the space agency. I'd encourage you to read the NASA report itself, if you have time, as it's genuinely interesting; it can be found at www.nasa.gov. I won't repeat the content of the article and the report, but in short: of the five cloud provider contracts NASA has in place, none addresses the business and IT security risks of public cloud and none meets "best practices for data security"; moreover, much of the information was moved onto the public cloud by various parts of NASA without the knowledge or consent of the CIO's office. This throws up a few points.
A Bit of History – NASA and Cloud

This was a logical move for Rackspace, leveraging their storage expertise. It is a less obvious play for NASA (the only clouds in space are made of dust), and one can only assume that Rackspace has no plans for building rockets. This history is useful mainly to make the point that NASA is far from a Johnny-come-lately in cloud; rather, they are one of the pioneers. So they really ought to know better.
Single v Multi-Tenant or Public v Private

However, we would strongly argue that for deployments such as this, a multi-tenanted virtual private cloud, with customised contracts and bespoke SLAs, would have been a far better fit than off-the-shelf, one-size-fits-all public cloud technology.
Does NIST Mean "Not If Strategic Technology"?

The most damning part of the NASA audit was, for me, the table that outlined the contractual status of the five cloud deals (presumably from five different providers) they had in place. NONE had defined roles and responsibilities. NONE had service level reporting metrics. NONE had data retention and destruction policies. NONE had data privacy requirements. You really must read the report – it's a brilliant "what not to do" guide.

By NIST's own admission, there are only two types of cloud contract: negotiated (as all managed hosting providers offer on a fixed term) and predefined, non-negotiable contracts. In their own words: "Under a predefined contract, the contract terms are prescribed by the cloud provider. As such, these contracts typically do not impose requirements on the provider beyond meeting a base level of service and availability. Nor do they address Federal IT security, privacy, data production, or retention and destruction requirements. Furthermore, the provider is often empowered to modify the contract unilaterally without notifying the customer."

By definition, ALL self-service public clouds fall into this category. After all, the service provider isn't going to allow you to write your own contract terms and SLA, so it's invariably the lowest common denominator. Yet it's these same "users must serve themselves or it's not real cloud" environments that our governments seem so enamoured with, at the cost of data protection, sovereignty, security and common sense.
Reducing Cost is Usually a Bad Driver in Isolation

Value – that hard-to-define blend of quality and price – should always be the aim, with defined outcomes preceding it. Rarely is one supplier both the best and the cheapest. It is a beautiful thing when you deliver a new technology project that adds value, enhances efficiency, improves competitiveness – in short, makes your organisation better – and then it also delivers at a lower price point. But if all you do is change how you deploy tech in order to reduce cost, and the business breaks, you break the law and you get sacked, do you still care about the cost saving? A wiser man than me, Oscar Wilde, once opined that a cynic is one "who knows the price of everything and the value of nothing". It's important not to be cynical with IT procurement; it's too important to be viewed merely as a cost centre to be slashed wherever possible.
It’s Not About Technology, It’s About Supplier Management
Good News for Wannabe Doctor Evils

However, the object lesson is clear. The UK government has swallowed the NIST definition hook, line and sinker too, so the risk is there. Happily, our civil service, with the CESG security regulations – the likes of IL2, IL3, etc. – is well on top of things. But caveat emptor: if people are encouraged to serve themselves in a cloud world, then public cloud platforms could give us the new "CD-ROM left on train" or "documents left in park bin" headlines.
Focus on Your Core Competencies