Skip to main content

System Status: 

Cloud Security and Your Data

Be aware of the security risks involved in hosting data on external cloud servers including file ownership, privacy, breaches, and security.

Cloud storage defined

External cloud storage is where data is stored and hosted online by third parties. Examples of services you may have used include:

  • Uploading photographs to Flickr
  • Uploading files to Dropbox
  • Creating documents to Google Drive and Docs
  • Remotely backuping your computer to a web-based service

Flickr, Dropbox, and Google act as third parties to host your data, which allows you to quickly retrieve them from any computer.

What to know before storing information in an external cloud

IT Services recommends that you use caution when storing information with unsecured cloud service provider. Before storing data on a non-UC San Diego server or with a third-party with whom your department or the university does not have a negotiated contract, consider the following:

Privacy rules and regulations (like the Family Educational Rights Privacy Act [FERPA], and the Health Insurance Portability and Accountability Act [HIPAA])

  • The safety of personal, non-public information like Social Security numbers or credit card information
  • The value of the intellectual property of the data to you, your department, and the university
  • Grant requirements regarding security and intellectual property, human subject privacy regulations, and confidentiality agreements
  • Critical nature of the information

If the data you put in the cloud would violate any of the above issues if released, IT Services recommends not using an unsecured cloud provider.

If you choose use a cloud provider, make sure your contract and terms of service address these concerns completely. Most (if not all) cloud providers available to the general public do not address these concerns.

IT Services recommends that you negotiate a contract with a provider that addresses these security concerns, such as San Diego Supercomputer Center's (SDSC) cloud storage solutions. More information is available the Alternatives section of this page.

Privacy and security

If the university does not have a contract with the cloud provider, weigh the risks of data loss, data corruption, lack of availability, and disclosure of the data. Be conservative about storing critical information in the cloud. Without an appropriate contract, you should only use cloud storage for information that can be replaced with little or no consequence.

Think about the following when deciding whether to put data in the cloud:

  • The provider may or may not be able to deliver effective service consistently.
  • The provider may or may not have effective management controls in place to cover oversight of third parties, adequate insurance, disaster recovery, and business continuity plans.
  • The provider may be bought by another company. That sale could affect data ownership, disaster recovery, privacy policies, and other issues that might affect UC San Diego data stored with a cloud service provider.

It can be appropriate to use cloud providers to store non-critical, non-confidential, or non-sensitive information. However, IT Services urges faculty, staff, and researchers (including graduate students) to assess the relevance of federal privacy regulations, federal law, contractual obligations, and grant restrictions before moving university-related files and data to any cloud provider.

The university is regulated in many areas. These regulations come with requirements on how data can be accessed and where it can be stored. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) on cloud services.

Research

Think about the following when considering using cloud providers to store research data:

  • Human subject research may involve the collection of private information or a promise of privacy or confidentiality to research participants. Do not assume that any cloud provider is a secure environment for such data.
  • Many cloud providers locate some of their servers outside the United States for financial reasons. Because you do not know the physical location of the servers on which a provider stores your information, exercise caution if any of the information you store in the cloud is subject to any international or export restrictions.
  • Research data with restrictions on the participation of foreign nationals, restrictions on publication (prior approval or prior review), or restrictions imposed by non-disclosure agreements should not be stored on a commercial cloud service.

Intellectual Property 

UC San Diego is frequently entrusted with intellectual property owned by others as part of collaborative research or in the course of conducting university business. These owners generally provide guidelines on appropriate use and protection of that data. Consult those guidelines to determine if your cloud provider’s information security meets the intellectual property owner's requirements.

Alternatives

Departments within UC San Diego have started to address cloud computing security issues by negotiating contracts with providers to ensure that all security concerns and risks have been adequately addressed.

SDSC provides an affordable way to store, share and archive information with the their Cloud Storage solutions

If you have a contract with an outside vendor and you would like to point a UC San Diego DNS name or IP address to their service, you need the approval of your Vice Chancellor and are subject to these rules (PDF). For more information, check out the Registering a UC San Diego Domain Name

Be aware that standard cloud computing contracts are written in the supplier's favor and often require lengthy negotiations to customize for UC's needs. To reduce the risks, time and resources associated with such efforts, the UC system-wide Technology Acquisition Support (TAS) group has developed a UC Cloud Computing Contract Template for use at all campuses. This template was vetted by numerous key UC-wide stakeholder groups and has been approved for UC-wide use by the University of California Office of the President's Office of General Counsel. For the latest, editable copy, contact your TAS representative, Kyle Barber.

For more information, contact IT Services Security at security@ucsd.edu.