NASA Struggles to Fix Network Security Holes

This spring, the National Aeronautics and Space Administration asked me to participate in an intensive review panel assessment of projects aimed at helping the space agency track who has an electronic identity on its systems. NASA wants to be able to manage user accounts, agencywide, on every application, file server and network.

Without that capability, the “orphan accounts” of people who have retired, been fired or even died pose a risk to NASA’s information security. Unfortunately, there’s nothing unusual about this because most large organizations manage online identities and accounts in a fragmented way.

Still, can you imagine the scandal if some serious hacker break-in—perhaps even access to information of value to terrorists, industrial spies or Chinese rocket scientists—was traced to the use of a password that a retired employee’s grandson found written down on a little piece of paper in the old man’s wallet?

The last thing NASA needs right now is a black eye of any kind. In fact, the quality of its management is frequently under fire, and its information management is no exception. This past March, an internal audit report from the NASA inspector general’s office warned that the agency’s decentralized management of information systems and security is making those services “less efficient, cohesive and effective” because of the lack of centralized planning and authority. Identity and account management is one of the prime examples.

Deputy CIO Scott Santiago, NASA’s point man on security issues, says improved identity and account management was one of the first goals he set when he took charge of information security in 2000. Since then, homeland security mandates have turned up the heat by requiring federal agencies to do a better job of reliably identifying everyone with access to either their facilities or their computer systems. When I ask Santiago whether he can point to any specific security breach that exploited an orphan account, I don’t really expect a straight answer. He replies: “Let’s just say there have been some challenges from the recent past that would have been mitigated if we’d had this infrastructure in place.”

The review panel is being sponsored by the NASA Integrated Services Environment (NISE) project. An umbrella over several projects related to identity management, NISE aims to unify this particular aspect of NASA’s information systems.

Established in December 2003, NISE pulled together efforts to establish a central user directory, automate computer account management, and integrate existing applications and directories. Through cooperation with the physical security organization that guards NASA’s facilities, the agency plans to make the screening process behind issuing a security badge drive the creation of online identities as well. That means it will be possible to trace a worker’s online identity back to that person’s background check, fingerprints and other security data. At the same time, NASA wants to tighten up the process for creating and deleting accounts on specific systems, not only for on-site employees and contractors but also for scientists and others who log in remotely.

The NISE account management system was scheduled to go live this month, but it represents only the beginning of an integration process expected to take years. Like most established organizations, NASA has accumulated many applications that include their own database of user names and passwords. In fact, the agency estimates it has some 2,500 applications currently in use, many of them managing user account data in isolation.

A key issue: When an employee retires, or a contractor transfers to another assignment, how are that person’s accounts turned off? In the absence of centralized tracking, it’s virtually impossible for a systems administrator to say for sure that every log-in on every system has been deactivated.

Further complicating matters, employees and contractors—the 80,000 workers who wear a NASA badge and work at one of its 10 major space centers, or at headquarters—are actually a minority of the computer users with an account on some space agency system. There are also the scientists who log in remotely from universities around the world, as well as corporations and foreign space agencies that partner with NASA on specific projects. Because the creation of these accounts hasn’t been tracked systematically, NASA can only offer a “best guess” at the total number of users: about 275,000.
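The reconciliation the article says NASA cannot yet do, as an added example that is not NASA's or NISE's code: a constructed badge directory stands in for the authoritative identity source the badge-screening process would create, and three constructed per-application account stores (each with its own user namespace) are checked against it. `find_orphans` flags enabled logins that no active identity vouches for, `accounts_for` lists every login a departing worker still holds, and `count_distinct_users` shows why an unlinked account store can only yield a "best guess" population. All names, badge ids and application names are made up.

```python
# Constructed data (not NASA's): badge directory as the authoritative identity source.
IDENTITY_STATUS = {"B1001": "active", "B1002": "retired", "B1003": "active"}

# Constructed per-application account stores, each with its own user namespace.
APP_ACCOUNTS = {
    "payroll": [
        {"user": "ada", "badge": "B1001", "enabled": True},
        {"user": "grace", "badge": "B1002", "enabled": True},
    ],
    "fileserver": [
        {"user": "alovelace", "badge": "B1001", "enabled": True},
        {"user": "ghopper", "badge": "B1002", "enabled": False},
        {"user": "guest_old", "badge": None, "enabled": True},
    ],
    "telemetry-db": [
        {"user": "ltorvalds", "badge": "B1003", "enabled": True},
        {"user": "svc_legacy", "badge": "B9999", "enabled": True},
    ],
}


def find_orphans(identities, app_accounts):
    """Enabled accounts that no active identity vouches for, as (app, user, reason)."""
    orphans = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already deactivated; nothing to report
            badge = acct["badge"]
            if badge is None:
                orphans.append((app, acct["user"], "no linked identity"))
            elif badge not in identities:
                orphans.append((app, acct["user"], "unknown badge"))
            elif identities[badge] != "active":
                orphans.append((app, acct["user"], identities[badge]))
    return orphans


def accounts_for(badge, app_accounts):
    """Every still-enabled login one person holds: the list offboarding has to close."""
    return [(app, a["user"]) for app, accts in app_accounts.items()
            for a in accts if a["badge"] == badge and a["enabled"]]


def count_distinct_users(app_accounts):
    """Population estimate: linked accounts collapse onto their badge, unlinked ones count once each."""
    seen = {a["badge"] or (app, a["user"]) for app, accts in app_accounts.items() for a in accts}
    return len(seen)
```

Without the badge link the third store's `svc_legacy` and the file server's `guest_old` cannot be attributed to anyone, which is exactly the state the article describes: nobody can say for sure that every login has been deactivated.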