Cloud Computing and Information Security
As cloud computing options proliferate for individuals and large organizations, it is increasingly important for both to make informed choices about appropriate use of cloud services, taking into consideration both benefits and risks.
To assist in making this assessment, faculty and staff can see at a glance whether or not it is permissible to maintain a specific data type in a U-M or external vendor cloud service by viewing the Sensitive Data Guide to IT Services.
What is Cloud Computing?
Cloud computing has several distinct characteristics that distinguish it from a traditionally-hosted computing environment:
Cloud services, sometimes called "software as a service" (SaaS), "infrastructure as a service" (IaaS), or "platform as a service" (PaaS), facilitate rapid deployment of applications and infrastructure without the cost and complexity of purchasing, managing, and maintaining the underlying hardware and software.
Organizations and institutions are increasingly driven to cloud computing as a way to increase functionality, lower cost, and enhance convenience to users by making the services and resources available anywhere there is an internet connection. With cloud computing, users have readily available a suite of applications, features, and infrastructure that would normally require significant investment if provided in the traditional in-house computing environment.
U-M and the Cloud
There are different ways in which cloud computing is being introduced to U-M students, faculty, staff, and researchers. Individuals across campus routinely access cloud applications or services on their smartphone or laptop. Faculty are increasingly using cloud computing applications as class or laboratory tools to supplement or even replace campus-provided resources. U-M researchers work frequently with other researchers across the globe and share data in the cloud.
As part of the NextGen Michigan initiatives, the university is implementing a full service environment and shared internal cloud by migrating from current servers to new virtual servers. The most significant of these new services are M+Box, M+Google, MiDatabase, and MiServer:
Proper Use of Cloud Computing Services at U-M
Cloud computing should not be used for information that is private, personal, or sensitive, unless there is a contractual agreement between U-M and the service provider that protects the confidentiality of the information and data. A contractual agreement is a formal contract that would typically be reviewed by the Office of General Counsel.
U-M engages in research, teaching, and business activities that encompass a variety of regulated sensitive data. There are important institutional and individual responsibilities for compliance to ensure that such data are properly protected. Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to store institutional or research data in cloud computing services.
Sensitive and Regulated Data: Permitted and Restricted Uses establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data. The standard references the following Standard Practice Guide Policies:
Please refer to the Sensitive Data Guide to IT Services to determine where storage of sensitive data is permitted in the U-M computing environment and among current U-M cloud computing service providers.
Security and Privacy
The integrity, availability, and maintenance of appropriate confidentiality of institutional data is critical to U-M's reputation and to minimizing institutional exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution like U-M is determining whether a prospective cloud computing vendor has adequate physical, technical, and administrative safeguards as good as or better than the local on-campus systems.
While cloud computing services have numerous potential benefits, there are also potentially significant privacy and security considerations that should be accounted for before collecting, processing, sharing, or storing institutional or personal data in the cloud. Consequently, institutions should conduct careful risk assessment prior to adoption of any cloud computing service.
Specific risks and challenges to consider include:
Information Assurance Consultation Available to U-M Cloud Computing Users
Faculty, staff, researchers, and departments can consult with Information and Infrastructure Assurance (IIA) staff when considering adopting cloud computing services and/or infrastructure.
To begin the process, contact firstname.lastname@example.org.
Other Higher Education Guidance