Cloud Services at the University
Cloud computing services allow the University to outsource information processing, software hosting, or infrastructure elements to dedicated third-party providers. These services can potentially provide flexible, efficient, and effective tools for University activities, including research and scholarly collaboration. Units may acquire cloud services to support their missions and increase their capabilities.
However, the outsourcing of information processing and other services presents risk to the University. Cloud services should be thoughtfully selected and implemented to ensure that their associated risks are managed appropriately. IT, Procurement Services, and the Office of General Counsel will partner with you to evaluate the technological, legal, and other risks associated with cloud service vendors and negotiate a contract that will allow you to realize the value of the service without unnecessary exposure to its risks.
Acquiring a cloud service
Units are free to identify cloud services that support their needs and missions. When your unit is interested in acquiring one of these services, contact IT to initiate the process. A contract review team (CRT), composed of specialists from IT, Procurement Services, and the Office of General Counsel, will partner with you to review the requested service, perform a risk assessment, and negotiate a favorable contract by following this general process:
- Documentation: Collect your cloud service application materials and send them to IT.
- Risk assessment: Your CRT will review your application materials and perform a risk assessment.
- Contract negotiation: Your CRT will assist you in negotiating a mutually agreeable contract for your desired cloud service.
- Approval: You'll sign the contract, begin vendor onboarding, and pay for the service with the assistance of your CRT's Procurement Services representative.
Greater detail about your role in the cloud service acquisition process is available in the full procedure.
Vendors who provide high-risk services to the University must be managed on an ongoing basis to ensure that they continue to manage risk acceptably. Normally, this is done through annual reviews, such as requesting copies of current certifications and audits. For services in which contract personnel work directly with University information, annual Contractor Confidentiality Agreements help ensure that those personnel are aware of their responsibilities to the University.
Considering cloud service risks
When selecting a cloud service and provider, consider the following risk factors (these questions are also part of the Secure UD Vendor Service Request):
- How much of the University will be impacted by the service? The greater the number of individuals, units, or functional areas affected, the greater the risk the service carries.
- How critical is the service to your unit's needs? Services that perform critical or mission-critical functions need greater guarantees of availability and functionality.
- How many University end users will the service accommodate? The more end users a service has, the greater the need for training and service availability.
- What is the highest classification of data that will be involved in the service? The more sensitive the data involved, the higher the risks associated with its disclosure.
- Is the service or any of the data involved subject to legal, regulatory, or other requirements? Requirements such as these are a quick and easy way to gauge risk. Consider whether the service is subject to:
  - The Common Rule
  - ITAR, EAR, or other export restrictions
  - Funding agency or data use agreements