If you are considering working with or storing sensitive university data using cloud services (including Software as a Service, Infrastructure as a Service, Platform as a Service), you must:
- Choose a cloud service that complies with laws, regulations, and U-M IT policies for your data type, in addition to addressing considerations of cost savings, functionality, and efficiency.
- Use that service in ways that recognize you have a shared responsibility with the cloud provider to properly safeguard and protect the security and privacy of sensitive university data.
Choose a Secure Cloud Service
U-M has contractual agreements with some cloud service providers for services that comply with the laws, regulations, and policies that apply to some types of sensitive data. These agreements are typically reviewed and approved by Procurement Services, Information Assurance, and the U-M Office of General Counsel. Choose a service that meets your administrative, teaching, research, and/or clinical requirements and that provides appropriate protection for your data type.
U-M Provided or Contracted-for Services
- Sensitive Data Guide. Use the guide to make informed decisions about where to safely store and share sensitive university data using services hosted by the university or covered by U-M contractual agreements with third-party providers.
- Virtualization & Cloud Computing. Review this list of services provided by or through Information & Technology Services (ITS). Some of these services require use of two-factor authentication (see Systems that Require Duo).
U-M units planning to adopt a new cloud product or service must include Information Assurance (IA) early in the planning process so that IA can perform an information security review. Ultimately, U-M—not the vendor—is responsible for securing institutional data and the privacy of its community members.
- Request IA consultation by contacting the ITS Service Center.
- Third-Party Vendor Security & Compliance. Work with U-M Procurement Services and IA to select a vendor that meets compliance requirements, include IT security and privacy in your vendor contract, and plan to manage ongoing vendor security compliance.
Use Cloud Services Securely
Follow guidance from Information Assurance about secure use of cloud services.