Cloud Services at the University
Cloud computing is the use of an outsourced, third-party information service or remote infrastructure to store and manage information. These services can offer University units more efficient and effective tools for administrative processes, usability, research, or scholarly collaboration. Units may acquire cloud services as necessary to support their business functions.
Cloud service considerations
Although cloud services can facilitate certain business practices or satisfy unit needs, they present information security risks. Before contracting a cloud service vendor to access, process, store, or transmit University information, thoroughly evaluate the following:
- The sensitivity of the information
- The criticality of the system
- Any applicable legal, regulatory, contractual, policy, or other restrictions
Information confidentiality and criticality concerns are central to all data management processes, including the sharing of data with third parties or the outsourcing of data management tasks.
Carefully consider the following before storing data on any non-UD server:
- Privacy rules and regulations (FERPA, HIPAA, etc.)
- The safety of confidential personally identifiable information (PII) such as SSNs, bank account information, etc.
- Whether you can require two-factor authentication and use UD authentication systems to restrict access
- Whether you can tightly control file sharing
  - Best practice is to not share files with anyone by default
  - Be aware that sharing via web links is not secure; anyone who finds the link could access your data
- Whether you can tightly control who can grant access and the kind of access (e.g., read, write) given to collaborators
- The value of your intellectual property to your department and to the University
- Requirements imposed by non-UD owners of intellectual property you are using
- Research restrictions, including but not limited to:
  - human subject privacy regulations
  - grant restrictions
  - export restrictions
  - confidentiality agreements
If you have questions about whether a cloud-based offering (like Dropbox.com or any public or private cloud-based service provider) is an appropriate tool for your information technology needs, contact your departmental IT support staff or the IT Support Center.
Cloud service acquisition
University units must acquire cloud services through an official acquisition process. This process, which is unit-led, involves UD IT in assessing the security requirements of the data to be accessed, processed, stored, or transmitted and the need for a written contract governing vendor obligations.
Depending on the confidentiality and criticality of the information your unit intends to process, store, or transmit through a cloud vendor, a contract may be required. Generally, a contract will be required unless the information being processed, stored, or transmitted is neither critical nor confidential.
Additional concerns, such as legal or contractual requirements that apply to the University or to University information, may also restrict how and when University information may be processed, stored, and transmitted by cloud service vendors.
To begin the cloud service acquisition process, email IT Security.
The process for acquiring cloud services involves three steps:
Step 1: Complete the Cloud Service Requisition Questionnaire
The Cloud Service Requisition Questionnaire is a standard internal questionnaire that assists your unit in describing the cloud services you want to acquire and how they'll affect your unit and the University.
The Cloud Service Requisition Questionnaire helps IT Security, Procurement Services, and General Counsel understand your unit's needs and identify what questions the vendor may need to answer.
Step 2: Complete the Cloud Vendor SAQ
After your unit completes the Cloud Service Requisition Questionnaire, you will submit the Cloud Vendor Security Assessment Questionnaire (Cloud Vendor SAQ) to the vendor for completion.
The Cloud Vendor SAQ helps IT Security, Procurement Services, and General Counsel understand how the vendor will protect University information on behalf of your unit and the University.
The Cloud Vendor SAQ should be attached to the request for proposal (RFP) if one is issued. The Cloud Vendor SAQ must be completed whether or not an RFP is part of the vendor selection process.
Depending on the risks to University information from the proposed service, vendor security whitepapers or other documentation may be an acceptable substitute for the Cloud Vendor SAQ.
Step 3: Select a vendor and negotiate and sign a contract
After your unit selects a cloud service vendor, the terms and conditions of the cloud service must be reviewed. IT Security, Procurement Services, and General Counsel will assist your unit in negotiating a contract and must review all agreements for cloud services.
Many free or low-cost cloud services are governed by a non-negotiable, click-through terms of service document. However, depending on system criticality, information confidentiality, and/or legal or regulatory requirements, a negotiated contract and a vendor security assessment may be required.