Home Cloud Computing and Information Security
Cloud Computing and Information Security
As cloud computing options proliferate for individuals and large organizations, it is increasingly important for both to make informed choices about appropriate use of cloud services, taking into consideration both benefits and risks.
What is cloud computing?
Cloud computing has several distinct characteristics that distinguish it from a traditionally hosted computing environment:
Cloud services, sometimes called "software as a service" (SaaS), Infrastructure as a Service (IaaS) or "platform as a service" (PaaS), facilitate rapid deployment of applications and infrastructure without the cost and complexity of purchasing, managing, and maintaining the underlying hardware and software.
Organizations and institutions are increasingly driven to cloud computing as a way to increase functionality, lower cost, and enhance convenience to users by making the services and resources available anywhere there is an Internet connection. With cloud computing, users have readily available a suite of applications, features, and infrastructure that would normally require significant investment if provided in the traditional in-house computing environment.
Proper Use of Cloud Computing Services at U-M
Cloud computing should not be used for information that is private, personal or sensitive, unless there is a contractual agreement between U-M and the service provider that protects the confidentiality of the information and data. Staff that use cloud computing services for university work are responsible for ensuring that sensitive information is not placed or stored in the cloud.
A specific type of sensitive data is data that is subject to federal or state legislative or regulatory requirements.
U-M engages in research, teaching, and business activities that encompass a variety of regulated sensitive data. There are important institutional and individual responsibilities for compliance to ensure that such data are properly protected.
Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to store institutional or research data in Google Apps.
The Office of the CIO has issued the following standard that establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data:
frequently asked questions about what categories of sensitive regulated data can or cannot be maintained in cloud computing environments generally and the U-M Google environment specifically.
To assist in making this assessment, faculty and staff can see at a glance whether a specific data type is permissible or not to be maintained in a U-M or external vendor cloud service by viewing these tables.
Security and Privacy
The integrity, availability, and maintenance of appropriate confidentiality of institutional data is critical to U-M's reputation and to minimizing institutional exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution like U-M is determining whether a prospective cloud computing vendor has adequate physical, technical, and administrative safeguards as good as or better than the local on-campus systems.
While cloud computing services have numerous potential benefits, there are also potentially significant privacy and security considerations that should be accounted for before collecting, processing, sharing, or storing institutional or personal data in the cloud. Consequently, institutions should conduct careful risk assessment prior to adoption of any cloud computing service.
Specific risks and challenges to consider include:
U-M Cloud Computing Privacy and Data Security Task Force
A campus task force was charged in 2009 to identify best practices and formulate a set of recommendations to guide campus adoption of cloud computing services. The committee submitted its final report in May 2010.
Information Assurance Consultation Available to U-M Cloud Computing Users
Faculty, staff, researchers, and departments can consult with Information and Infrastructure Assurance (IIA) staff when considering adopting cloud computing services and/or infrastructure.
To begin the process, contact email@example.com.
U-M and the Cloud
U-M has established a number of institutional agreements that expand the range of cloud computing services available to U-M community members. The most significant of these new ventures include:
There are different ways in which cloud computing is being introduced to U-M students, faculty, staff, and researchers. Individuals across campus routinely access cloud applications or services on their smartphone or laptop. Faculty are increasingly using cloud computing applications as class or laboratory tools to supplement or even replace campus-provided resources. U-M researchers work frequently with other researchers across the globe and share data in the cloud.
As part of the NextGen Michigan initiatives, the university is implementing a full service environment and shared internal cloud by migrating from current servers to new virtual servers.
Additional External ResourcesOther Higher Education Guidance
Last modified: January 31 2013.