By Sheshagiri Anegondi (Sheshu)
NASA projects that within 5 years up to 75% of new IT programs will begin in the cloud and nearly 100% of the Agency’s public data could be stored in the cloud. Moreover, as legacy systems are modernized, up to 40% of them could be moved to the cloud. (from the audit report)
An audit was carried out to understand how effectively the delivery of cloud-computing services was being managed. The interesting aspect of the audit is that it shows the importance of contracts in addressing business & security risks.
The adoption of public cloud computing services entails a paradigm shift from a traditional, technically managed approach in which an organisation builds and maintains technology solutions in-house, to a contractually managed approach where an organisation pays someone else to do all that off-site.
Some of the points reviewed in the audit were:
- Defined roles & responsibilities of parties
- Guaranteed system availability levels
- Reporting of service level metrics
- Penalties for not meeting service levels
- E-discovery requirements
- Data retention & destruction policies
- Data privacy requirements
- Defined incident handling procedures
NASA failed the cloud audit. The audit report shows that standard vendor contracts did not come close to the best practices that NASA emphasised. This is no surprise at all. It is important that enterprises take the utmost care when contracting for cloud and SaaS implementations. The audit has made recommendations on how to go forward with future cloud contracts.
A copy of the report can be found at http://oig.nasa.gov/audits/reports/FY13/IG-13-021.pdf