Cloud Services at the University
Cloud computing services allow the University to outsource information processing, software hosting, or infrastructure elements to dedicated third-party providers. These services can potentially provide flexible, efficient, and effective tools for University activities, including research and scholarly collaboration. Units may acquire cloud services to support their missions and increase their capabilities.
However, the outsourcing of information processing and other services presents risk to the University. Cloud services should be thoughtfully selected and implemented to ensure that their associated risks are managed appropriately. IT will partner with you to evaluate the risks associated with cloud services and negotiate a contract that will allow you to realize the value of the service without unnecessary exposure to its risks.
To get started with a new cloud service, download these tools, complete them, and return them to firstname.lastname@example.org:
- Secure UD Vendor Service Request (.xlsx): For you to complete
- HEISC Cloud Vendor Assessment Tool (.xlsx): For the vendor to complete
Faculty members who are interested in integrating an LTI tool or other resource with Canvas, the University's learning management system, can follow a streamlined process managed by IT Academic Technology Services.
Vendors who provide high-risk services to the University must be managed on an ongoing basis to ensure that they continue to manage risk acceptably. Normally, this is done through annual reviews, such as requesting copies of current certifications and audits.
For services in which contract personnel work directly with University information, annual Secure UD Contractor Confidentiality Agreements help ensure that those personnel are aware of their responsibilities to the University.
Considering cloud service risks
When selecting a cloud service and provider, consider the following risk factors (these questions are also part of the Secure UD Vendor Service Request):
- How much of the University will be impacted by the service? The greater the number of individuals, units, or functional areas affected, the greater the risk in the service.
- How critical is the service to your unit's needs? Services that perform critical or mission critical functions need greater guarantees of availability and functionality.
- How many University end users will the service accommodate? The greater the usership of a service, the greater the need for training and service availability.
- What is the highest classification of data that will be involved in the service? The more sensitive the data involved, the higher the risks associated with its disclosure.
- Is the service or any of the data involved subject to legal, regulatory, or other requirements? Requirements such as these are a quick and easy way to gauge risk. Consider whether the service is subject to:
- The Common Rule
- ITAR, EAR, or other export restrictions
- Funding agency or data use agreements