While the economic case for cloud computing is compelling, the security challenges it poses are equally striking. IT Services has compiled these guidelines to help the UC San Diego community better understand the security ramifications, variations, and contract provisions of cloud computing services.
The cloud can refer to:
- External data storage hosted online by third parties or by your own department. Examples include services like Flickr, where you upload photos to share and access from anywhere with an Internet connection, or Dropbox, where you can upload a document from one computer and access it from another or share it with other people.
- Software as a service, where you use a centrally stored copy of applications programs rather than keeping an individual copy on your computer. Think of Google Drive, or what used to be called a client/server software model.
- Infrastructure as a service, where virtual machines share the same piece of hardware but have separate identities and users.
In all cloud services, some aspect of the computing experience is stored or managed elsewhere, generally by a third party.
There are several ways of deploying cloud computing, including:
- Private cloud: the third party is on your own campus or location (such as the San Diego Supercomputer Center data center, IT Services data center)
- Community cloud: the third party is a consortium of cloud users who run the service for the good of the members (such as UC Path, Georgia State University system data center)
- Public cloud: the third party offers services over the network and is external to your institution (such as Box, Microsoft Windows Live, Google Apps, and Apple’s iCloud)
- Hybrid cloud: a combination of two or more clouds that are bound together with an additional tool (such as local SharePoint and LYNC sites integrated with Microsoft Office 365)
Depending on the cloud service, the benefits of cloud computing are numerous. They include:
- Economies of scale that might allow you to increase or decrease the IT services based on your needs. For example, faculty and staff might have the option to increase their file storage space or CPU processing power based on their usage. Cloud computing could be used for "on-demand self-service," which allows you to obtain, configure, and deploy services for yourself with limited assistance from your IT department.
- Increased access to information any time you have access to an Internet connection. It also means that sharing that project with peers is easier.
- Reduced capital costs in your budget for hardware, software, and licensing fees. However, enterprise-level cloud computing is generally not free and costs can be hidden. For example, capital cost reduction could be offset by increased Internet costs from higher bandwidth use. Some universities have reported that high-network-traffic servers could incur as much as four times the cost of on-premises servers due to the vendor's charge for the network traffic that traverses the Internet. If UC San Diego's traffic exceeds the capacity of our current connection, the campus will have to pay to install additional capacity. That cost may be considerable and could affect NGN charges. IT Services monitors traffic impacts as customers adopt cloud service models.
Before using cloud computing at UC San Diego, consider the following challenges:
Cloud computing technology allows cloud servers to reside anywhere. As a result, you may not know the physical location of the server used to store and process your data and applications. For UC San Diego research and grants, this is a critical issue due to data governance requirements. However, many cloud service providers allow you to specify where data is to be located.
Many cloud providers store data or have applications used by multiple clients in the same space. This is called multi-tenancy of data and is one of the characteristics associated with cloud computing. Some providers have multi-tenant applications that are secure, scalable, and customizable. Even so, security and privacy issues are still often concerns at UC San Diego.
Transparent cloud security policy
Some providers have less transparency than others about their information security policy, citing proprietary policy. This may create conflict with UC San Diego's interests in having a provider that is compliant with your security needs.
Cloud data ownership
Some providers' contract agreements state that they own the data stored in the cloud computing environment. Such agreements resolve questions like how the data is removed or returned to you when the contract ends and whether the data is deleted or preserved when you close your account.
As a public research university, UC San Diego is required to comply with the Federal Department of Education Family Educational Rights and Privacy Act (FERPA). Additionally, when handling healthcare related records and information, UC San Diego faculty and staff must comply with the Health Insurance Portability and Accountability Act (HIPAA). Furthermore, faculty, staff, and students who are funded by, and work for, restricted funding agencies (such as Department of Defense and Department of Energy) must observe federal regulations for export control and only use cloud computing services that store data on US soil. In addition, some projects fall under Federal Information Security Management Act (FISMA) regulations and must adhere to applicable federal policies and procedures.
Since data may be commingled and scattered around multiple servers and geographical areas, IT Services encourages you to consider disaster recovery plans. In traditional hosting environments, you know the location of your data exactly and can rapidly retrieve it in the event of disaster. In the cloud computing model, the provider may outsource capabilities to third parties, who may also outsource the recovery process.
Before moving servers to the cloud or using a cloud computing service, system administrators and other IT professional staff need to be vigilant about IT security threats and ensure that the privacy of faculty, staff, students, visiting scholars, and patients is protected. All UC San Diego units and departments must verify and ensure that the information in the cloud is secure before moving services to the cloud. Security and business risks should be identified and addressed throughout the lifecycle of the services in the cloud. Established policies and guidelines by UC San Diego and the UC Office of the President regarding IT security should be observed and followed when moving IT services to the cloud.
An active security team at UC San Diego regularly monitors campus traffic and scans machines to identify attacks, vulnerabilities, and patch status to detect problems before they affect campus resources. When cloud services are used, UC San Diego's security team is unable to rely on network monitoring to detect or prevent compromises. This increases reliance on either the third party's security practices or on the customer having the skills and making the effort to verify and monitor access and status of their cloud resources. This tends to lead to a decrease in overall security.
Too few people are aware of the security threats that are emerging regarding cloud computing. Nevertheless, you are responsible for ensuring that sensitive data (defined as any data that is regulated by law or limited by contractual agreements) or data critical to UC San Diego business processes will remain authentic, accurate, and available, and will satisfy specific compliance requirements. It is essential for you to understand your current risk and what information you need to look for in a cloud provider before moving your data in that direction.
Whether or not to host data in the cloud can be an overwhelming decision. IT Services has created this flow chart to help you determine if your data is right for cloud computing. This is the first step in evaluating your data, security, and liability needs, but it is by no means the last step.
Once you have determined your data needs regarding cloud computing, take a look at the Cloud Recommendations to find a cloud provider.
A UC-approved service agreement is required for non-UC systems that store, receive, process, or publish sensitive data or that are used for essential university business processes. Work with your procurement and contracts departments to establish a service agreement employing UC-approved terms and conditions that address information security and privacy requirements, including encryption.
Since many UC-approved agreements do not protect unencrypted sensitive data, delete sensitive data whenever possible. If you must store it, encrypt it.
If going outside of UC San Diego, IT Services recommends using a University of California Office of the President (UCOP) contracted provider for cloud services.
UC San Diego cloud providers may address some concerns associated with cloud computing, but are not guaranteed to address all. Discuss the issues important to you with your proposed local provider.
The following recommendations and strategies are intended to assist units in their approach to evaluating the prudence and feasibility of leveraging cloud services.
Units considering cloud services must identify and understand the risks and benefits of the service. Recognize that vendor security failures will potentially involve, or at least reflect on, the university. Consider the security and privacy objectives of confidentiality, integrity, availability, and use control, and determine what would happen if these objectives were not met. Honestly compare costs of the internal and external services, including costs to manage the vendor relationship and costs of integrating the service with existing internal services and processes.
Consult with appropriate data stewards in all cases during the evaluation process. Consider whether it is also appropriate to consult with:
- Campus Counsel
- The UC San Diego Information Data Security and Privacy Council (ISPC)
Lower risk candidates
When considering university services that may be delivered using cloud technology, ideal candidates are those that are non-critical to operations, involve public information, and otherwise would require significant internal infrastructure or investment to deliver or continue delivering internally. These are likely to represent the best opportunities for maximizing benefit while minimizing risk.
University services that are critical to the operation of the university or involve differentiating or core competencies and/or involve sensitive or critical information or intellectual property are necessarily higher-risk candidates and require careful scrutiny.
Consider "internal cloud" alternatives
Due to the decentralized nature of the university, some duplication of effort is inevitable. Units should consider leveraging internal cloud-like services when looking for ways to reduce cost. For example, units managing their own email servers and/or server hardware should consider migrating to institutional email solutions or a virtual server solution.
Negotiate and sign a vendor contract
Although low-cost or no-cost third-party solutions may seem to share some of the same functionality as an enterprise-level solution, IT Services recommends that you do not use an off-the-shelf product without signing a service level agreement (SLA) that addresses the audit principles in the cloud recommendations document. Products such as Dropbox are geared for consumer use, not for educational, research, or enterprise-level use.
IT Services recommends you utilize an existing UC-approved contract when possible (see the Cloud Computing Providers section of this page) or work with a vendor and your procurement department to obtain an SLA that provides terms and conditions specific to the higher education community and the security and legal considerations of that community. UC policy states that you cannot sign an agreement without Procurement being involved.
As a reminder, a University of California Office of the President (UCOP) contract does not automatically go into effect because you use a product. For example, even though UCOP has a contract with Google, if your department signs up for a free account with Google, it is not covered under that contract.
Obtain a contract or service level agreement with the vendor in all cases. For non-critical services involving public data, it may be possible to leverage a cloud service without such an agreement if the vendor is willing to provide adequate assurances. However, services critical to the university and/or those involving sensitive data or data critical to university business processes must not be provided by a cloud vendor without an appropriate agreement in place. Purchasing, Campus Counsel, and the UC San Diego Information Data Security and Privacy Council (ISPC) must be consulted when drafting such agreements.
Proportionality of safeguards
Vendor physical, technical, and administrative safeguards should be equal to or better than those in place internally for similar services and information. Areas to explore with the vendor include privileged user access, regulatory compliance, data location, data segregation, recovery/data availability, change management, user provisioning and de-provisioning, personnel practices, incident response plans, and investigative/management support, as well as the issues identified in the previous section. Scrutinize any gaps identified.
Perform due diligence to determine the viability of the vendor/service provider. Consider such factors as vendor reputation, transparency, references, financial means and resources, and independent third-party assessments of vendor safeguards and processes.
Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. Determine how you would recover your data from the vendor, especially in cases where the vendor shuts down.
Proportionality of analysis/evaluation
The depth of the above analysis and evaluation and the scope of risk mitigation measures and required vendor assurances must be proportional to the risk involved, as determined by the sensitivity level of the information involved and the criticality or value to the university of the service involved.
IT Services highly recommends that your cloud product interface with UC San Diego's Single Sign On (SSO) to authenticate. This generally implies compatibility with InCommon/Shibboleth.
Educate yourself and users on compliance requirements
Most cloud products, even after you sign a contract, do not cover electronic protected health information (ePHI), Family Educational Rights and Privacy Act (FERPA), or other sensitive data. Be aware of the limitations of the product and educate those using the product regarding what can and cannot be uploaded and shared. IT Services does not recommend you share this type of data in the cloud. UC legal counsel will continue to participate in contract negotiations as needed to reduce the risk of transporting, processing and storing this type of data. Avoid putting the university at risk.
Many of us use the cloud in our personal lives through services like Google Mail and Drive, Apple's or Microsoft's cloud, and Flickr. Free/low-cost services often seem like good options to meet our business (and personal) needs. Know that when you use these services, your data is in someone else's hands.
The click-to-accept agreements that these services use have not been reviewed or approved by UC and may introduce security risks for your information. UC San Diego privacy and security policies apply to all university data, whether it is on UC or non-UC systems. It is your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not appropriate to use free/low-cost services. Your privacy, and the privacy of everyone using the free or low-cost application or service, is dependent on the non-UC company. Do not assume that privacy, security, or business continuity protections will meet UC's standards.
- Do not use external information systems or services for anything that you are not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for, and when.
- Do not use non-UC information systems or services to collect personal information. If you do, you must ensure that California Information Practices agency requirements are met: CA Civil Code 1798.14-1798.23.
- Do not expect to be informed if a subpoena, search warrant, or other legal instrument is presented to the company to obtain information about you or others using the service. This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request.
If any of these possibilities is concerning, it might not be appropriate to use a non-UC service without a UC-approved agreement in place.
When you sign up to use free or low-cost services, you may be agreeing to terms and conditions, terms of service, and acceptable use policies that are different from UC San Diego's or UC's. The company can hold you to what you agree to, even if it is just a click-to-accept agreement. Also, if the service is free you will probably have little or no recourse against the vendor if something goes wrong or they do something you do not agree with.
It is essential to ensure that university data remains the property of the university. Whenever you put data on a commercial service, ensure that the terms do not conflict with university policy in terms of data ownership.
Availability of Data
Do not expect to get your information back if the company has a disruption in service, is acquired, changes business models, or goes out of business. Keep local copies/backups of any critical data or records to be safe.
You may be required to produce records relating to University business, including email, instant messages, or files, regardless of whether those records are stored on university or non-university systems or services. Using a non-UC service may make it more difficult for you to comply.
Deleting data and accounts
There is no guarantee that deleted content or accounts will really be deleted. It may take a while before the content or the account is completely flushed from all of the company's archives. Practices will also vary as to how long accounts may remain idle before the account and associated data are destroyed.
If use of an application or service is required, you must make sure that it is accessible to users with disabilities. Ask the vendor whether their product is Section 508 compliant and test it to make sure that it is. More information about web accessibility and testing web sites for accessibility can be found at the Web Accessibility site hosted by UCOP.
Before entering into a cloud contract, we strongly advise you to do your research. Here are some additional resources: