
Safe Computing in the Cloud

Cloud Computing and Information Security

As cloud computing options proliferate for individuals and large organizations, it is increasingly important for both to make informed choices about appropriate use of cloud services, taking into consideration both benefits and risks.

M+Google - Security and Privacy

What is cloud computing?

Cloud computing has several distinct characteristics that distinguish it from a traditionally hosted computing environment:

  • Users often have on-demand access to scalable information technology capabilities and services that are provided through Internet-based technologies.
  • These resources run on an external or third-party service provider's systems rather than on locally hosted servers. Unlike traditional systems, which are directly under the user's personal or institutional control, cloud computing services are fully managed by the provider.
  • Typically, many unaffiliated and unconnected users share the service provider or vendor's infrastructure.
  • Using cloud services reduces the need to carry data on removable media because of network access anywhere, anytime.

Cloud services, sometimes called "software as a service" (SaaS), "infrastructure as a service" (IaaS), or "platform as a service" (PaaS), facilitate rapid deployment of applications and infrastructure without the cost and complexity of purchasing, managing, and maintaining the underlying hardware and software.

Organizations and institutions are increasingly driven to cloud computing as a way to increase functionality, lower cost, and enhance convenience to users by making the services and resources available anywhere there is an Internet connection. With cloud computing, users have readily available a suite of applications, features, and infrastructure that would normally require significant investment if provided in the traditional in-house computing environment.

Proper Use of Cloud Computing Services at U-M

Cloud computing should not be used for information that is private, personal, or sensitive, unless there is a contractual agreement between U-M and the service provider that protects the confidentiality of the information and data. Staff who use cloud computing services for university work are responsible for ensuring that sensitive information is not placed or stored in the cloud.

  • Sensitive data are defined in SPG 601.12, Institutional Data Resource Management Policy. For additional information, visit Data Classification.
  • A contractual agreement is a formal contract that would typically be reviewed by the Office of General Counsel.

A specific type of sensitive data is data that is subject to federal or state legislative or regulatory requirements.

U-M engages in research, teaching, and business activities that encompass a variety of regulated sensitive data. There are important institutional and individual responsibilities for compliance to ensure that such data are properly protected.

Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to store institutional or research data in Google Apps.

The Office of the CIO has issued the following standard that establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data:

Information and Infrastructure Assurance offers introductory answers to frequently asked questions about what categories of sensitive regulated data can or cannot be maintained in cloud computing environments generally and the U-M Google environment specifically.

To assist in making this assessment, faculty and staff can see at a glance whether a specific data type may be maintained in a U-M or external vendor cloud service by viewing these tables.

Security and Privacy

The integrity, availability, and appropriate confidentiality of institutional data are critical to U-M's reputation and to minimizing institutional exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution like U-M is determining whether a prospective cloud computing vendor has physical, technical, and administrative safeguards that are as good as or better than those of the local on-campus systems.

While cloud computing services have numerous potential benefits, there are also potentially significant privacy and security considerations that should be accounted for before collecting, processing, sharing, or storing institutional or personal data in the cloud. Consequently, institutions should conduct careful risk assessment prior to adoption of any cloud computing service.

Specific risks and challenges to consider include:

  • Vendor transparency and inadequate or unclear service level agreements
  • Privacy and confidentiality of personal, sensitive, or regulated data and information
  • Legal and regulatory compliance
  • Cyber security and support for incident forensics
  • Records preservation, access, and management
  • Service availability and reliability

U-M Cloud Computing Privacy and Data Security Task Force

A campus task force was charged in 2009 to identify best practices and formulate a set of recommendations to guide campus adoption of cloud computing services. The committee submitted its final report in May 2010.

Information Assurance Consultation Available to U-M Cloud Computing Users

Faculty, staff, researchers, and departments can consult with Information and Infrastructure Assurance (IIA) staff when considering adopting cloud computing services and/or infrastructure.

To begin the process, contact 4help@umich.edu.

U-M and the Cloud

U-M has established a number of institutional agreements that expand the range of cloud computing services available to U-M community members. The most significant of these new ventures include:

  • Box.net pilot – Box.net provides a storage solution for U-M students, faculty, and staff to store and share files online. It's part of a two-year agreement between Internet2, U-M, and several other peer institutions.
  • Google Apps for Education – U-M will begin its migration to Google collaborative tools, including e-mail and calendaring, in 2012.

There are different ways in which cloud computing is being introduced to U-M students, faculty, staff, and researchers. Individuals across campus routinely access cloud applications or services on their smartphone or laptop. Faculty are increasingly using cloud computing applications as class or laboratory tools to supplement or even replace campus-provided resources. U-M researchers work frequently with other researchers across the globe and share data in the cloud.

As part of the NextGen Michigan initiatives, the university is implementing a full service environment and shared internal cloud by migrating from current servers to new virtual servers.

Additional External Resources

Other Higher Education Guidance Educause