Energy managers in a fog about labs in the cloud, audit finds

Eighteen months into a cloud computing experiment at two Energy Department laboratories, some officials remained shrouded in fog: Managers at the two headquarters offices were unaware their labs were in the cloud, according to an agency review.

Officials in the National Nuclear Security Administration and the Office of Science "stated that their sites were not utilizing cloud computing," Energy auditor Daniel Weeber said in a report released Wednesday.

But in fact, they were.

The haziness at headquarters about the project prompted the auditors to call for Energy to "enhance its management and coordination efforts when implementing cloud computing services."

Energy managers risk wasting time and money by buying, developing and implementing duplicate cloud computing applications, "absent effective coordination and leadership," said Weeber, director of the department's environment, technology and corporate audits division.

During a five-month audit, Weeber also discovered Energy "had not yet prepared policies and procedures governing security and other risks."

That doesn't mean there were security breaches. "Our review did not reveal material issues with the Department's limited use of cloud computing services," Weeber reported. But he said Energy "should consider" setting security policies before it gets too much further into the business of cloud computing.

"Without adequate planning, there is an increased risk that users may utilize cloud computing products and services on the Department's networks, unnoticed, without undergoing adequate security evaluations," Weeber wrote.

The Obama administration has been pushing government agencies to adopt cloud computing. A 25-point implementation plan the Office of Management and Budget issued requires all federal agencies to implement at least one cloud computing initiative by December 2011.

In late 2009, Energy launched the Magellan project, a $32 million experiment to see whether cloud computing could help the department meet the enormous demand of scientific computing. The project is being carried out by the Argonne National Laboratory in Illinois and the Lawrence Berkeley National Laboratory in California.

Cloud computing enables numerous users to tap the computing resources they need, such as networks, servers, storage and applications, by sharing pooled resources. Sharing avoids the cost of buying hardware and software and setting up separate computer systems. Rather, users buy access to computing and to particular software only when they need it.

But sharing also raises security questions, and so far, Energy has "not developed or implemented formal policies or procedures related to acquisition and security of cloud computing services," Weeber wrote.

Even without formal security policies, Energy is using cloud computing at four sites -- Argonne and Berkeley, the Pacific Northwest National Laboratory, and Los Alamos National Laboratory, Weeber said.

He urged the department to consider guidance issued by the National Institute of Standards and Technology and the Federal Risk and Authorization Management Program to develop appropriate security policies.

The Magellan project is expected to continue until September. Results so far indicate that not all computing projects are ideal for the cloud, an Argonne official said.

Projects that require substantial parallel computing, or extensive communication, or synchronization among different nodes are not great candidates for the cloud. But projects that can be divided into multiple parts that can run independently, such as sequencing strands of DNA, work well in the cloud, the official said.