Cloud Services at the University
Cloud computing is the use of an outsourced, third-party information service or remote infrastructure to store and manage information. These services can offer University units more efficient and effective tools for administrative processes, usability, research, or scholarly collaboration. Units may acquire cloud services as necessary to support their business functions.
Cloud service considerations
Although cloud services can facilitate certain business practices or satisfy unit needs, they present information security risks. Before contracting a cloud service vendor to access, process, store, or transmit University information, thoroughly evaluate the following:
- The sensitivity of the information
- The criticality of the system
- Any applicable legal, regulatory, contractual, policy, or other restrictions
In cases where contract personnel routinely (or will routinely) access University information to provide services, a Contractor Confidentiality Agreement may be appropriate.
Considerations for sensitive data
Cloud services that will process, store, or transmit sensitive data are subject to the following policy restrictions. Sensitive data includes personally identifiable information (PII; for example, Social Security numbers, bank account information, etc.) as well as federally regulated information.
- The service must only be used if a formally-reviewed contract is in place to address all relevant data risks, including legal, regulatory, and compliance risks and breach indemnification. Sensitive data may not be stored in personal, non-University accounts or services or in self-provisioned services.
- Sensitive data must be encrypted in storage and transmission.
- Access to sensitive data must be tightly controlled.
- Access must be granted only to those with a legitimate need to know.
- Access must be reviewed regularly, and unnecessary or inappropriate access must be promptly revoked.
- Users must authenticate to the service or system storing the data. Authentication must be handled by a University-approved service, such as CAS or Shibboleth.
- Two-factor authentication is highly recommended.
- The unit must review the vendor's security controls and practices annually. This requirement may be satisfied by vendor audits, such as an SSAE 16 audit.
Carefully consider the following before storing data on any non-UD server:
- Privacy rules and regulations (FERPA, HIPAA, etc.)
- The safety of confidential personally identifiable information (PII) such as SSNs, bank account information, etc.
- Whether you can require two-factor authentication and use UD authentication systems to restrict access
- Whether you can tightly control file sharing
- Best practice is to not share files with anyone by default
- Be aware that sharing via web links is not secure; anyone who finds the link could access your data
- Whether you can tightly control who can grant access and the kind of access (e.g., read, write) given to collaborators
- The value of your intellectual property to your department and to the University
- Requirements imposed by non-UD owners of intellectual property you are using
- Research restrictions, including but not limited to:
- human subject privacy regulations
- grant restrictions
- export restrictions
- confidentiality agreements
If you have questions about whether a cloud-based offering (like Dropbox.com or any public or private cloud-based service provider) is an appropriate tool for your information technology needs, contact your departmental IT support staff or the IT Support Center.
Cloud service acquisition
University units must acquire cloud services through an official acquisition process. This process, which is unit-led, involves UD IT in assessing the security requirements of the data to be accessed, processed, stored, or transmitted and the need for a written contract governing vendor obligations.
Depending on the confidentiality and criticality of the information your unit intends to process, store, or transmit through a cloud vendor, a contract may be required. Generally, a contract will be required unless the information being processed, stored, or transmitted is neither critical nor confidential.
Additional concerns, such as legal or contractual requirements that apply to the University or to University information, may also restrict how and when University information may be processed, stored, and transmitted by cloud service vendors.
To begin the cloud service acquisition process, email IT Security.
The process for acquiring cloud services involves three steps:
Step 1: Complete the Cloud Service Requisition Questionnaire
The Cloud Service Requisition Questionnaire is a standard internal questionnaire that assists your unit in describing the cloud services you want to acquire and how they'll affect your unit and the University.
The Cloud Service Requisition Questionnaire helps IT Security, Procurement Services, and General Counsel understand your unit's needs and identify what questions the vendor may need to answer.
Step 2: Complete the Cloud Vendor SAQ
After your unit completes the Cloud Service Requisition Questionnaire, you will submit the Cloud Vendor Security Assessment Questionnaire (Cloud Vendor SAQ) to the vendor for completion.
The Cloud Vendor SAQ helps IT Security, Procurement Services, and General Counsel understand how the vendor will protect University information on behalf of your unit and the University.
The Cloud Vendor SAQ should be attached to the request for proposal (RFP) if one is issued. The Cloud Vendor SAQ must be completed regardless of whether or not an RFP is involved in the vendor selection process.
Depending on the risks to University information from the proposed service, vendor security whitepapers or other documentation may be an acceptable substitute for the Cloud Vendor SAQ.
Step 3: Select a vendor and negotiate and sign a contract
After your unit selects a cloud service vendor, the terms and conditions of the cloud service must be reviewed. IT Security, Procurement Services, and General Counsel will assist your unit in negotiating a contract and must review all agreements for cloud services.
Many free or low-cost cloud services are governed by a non-negotiable, click-through terms of service document. However, depending on system criticality, information confidentiality, and/or legal or regulatory requirements, a negotiated contract and a vendor security assessment may be required.
For individual contractors working with University information, a Contractor Confidentiality Agreement may be required.