In the past, the NASA security team was brought in at the end of a project. "IT security was always saying no to me," he said. "I'd say, 'What are you talking about? 'Not secure' is meaningless. What do you mean?'"

In the cloud project, Soderstrom said his team rewrote the security process to bring the experts in at the beginning. And he said, he set one major rule for the security team; they could not say, "No Tom, that's a stupid idea. You can't do it," he said.

"They can say, 'OK, Tom. I hear what you're trying to do. How about this way in order to secure it?'," he said. "So instead of the buck stops here, the buck starts here with security."

Changing the way NASA approached security took three years of slow culture change, but it was worth it, Soderstrom said.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at , or subscribe to . His e-mail address is .