Cloud Computing Consumer Guidelines 

1.   Introduction: 

New developments in Internet-based products and services highlight information security concerns. Cloud computing is one of these new developments that causes information security concerns for the University.

The definition and limits of cloud computing are still evolving. At its simplest, cloud computing is a type of computing where both applications and infrastructure capabilities are provided to end users as a service through the Internet. Through cloud computing, entities no longer have to own their own computer hardware, infrastructure, platforms, or applications. By way of an example, software as a service (SaaS) application services are cloud computing services.

Individuals are not the only users of cloud computing services. Organizations like the University may also purchase or use free cloud-computing services to lower costs and create efficiencies.

This document identifies security and data privacy concerns that must be considered when purchasing or using cloud-computing services at the University. In this context, the University is a cloud-computing consumer.  

2.   Guidelines: 

There are a number of information security and data privacy concerns about use of cloud computing services at the University. They include:  

• Loss of University control of data, leading to a loss of security or lessened security
• Loss of privacy of data, potentially due to aggregation with data from other cloud consumers
• University dependency on a third party for critical infrastructure and data handling processes
• Potential security and technological defects in the infrastructure provided by a cloud vendor
• No University control over the third parties that a cloud vendor might contract with
• Loss of the University’s own competence in managing the security of computing infrastructure

There are also legal concerns with the use of cloud computing. A cloud-computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve.  

Since cloud-computing relationships are governed by contract, it is important that the following items be considered prior to entering into any contract to use or purchase cloud computing services: 

• Data Definition and Use
• General Data Protection Terms
• Compliance with Legal and Regulatory Requirements
• Service Level Expectations and Performance Metrics. 

All of these items should be addressed in a cloud-computing contract, as well as items that are particular to the specific infrastructure or application services that are used or purchased.

Data Definition and Use

Both the University and cloud-computing vendor must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected.

The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema: Public, Sensitive, or Restricted. Units must exercise extreme caution when sharing University-classified sensitive or restricted data within a cloud computing service.

The contract must specify how the cloud-computing vendor can use University data. Vendors cannot use University data in any way that violates the law or University policies.

General Data Protection Terms

The University must specify particular data protection terms in a contract with a cloud-computing vendor. The University does this to create a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.

The University should consider the following contract terms to ensure a minimum level of information security protection: 

• Data transmission and encryption requirements
• Authentication and authorization mechanisms
• Intrusion detection and prevention mechanisms
• Logging and log review requirements
• Security scan and audit requirements
• Security training and awareness requirements

Contracting parties can use resources developed by the National Institute of Standards and Technology (NIST) to make sure that a contract includes the appropriate controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has also prepared information security controls guidance.

Compliance with Legal and Regulatory Requirements

The University has many federal laws that it must follow, these include Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).   

State laws may also affect a relationship with a cloud-computing vendor. For instance, in Indiana the University must follow rules about disclosing Social Security Numbers (Indiana Code 4-1-10, Release of Social Security Number) and security breach notification (Indiana Code 4-1-11, Notice of Security Breach). 

A relationship with a cloud-computing vendor may also be impacted by private industry regulations. For example, units at the University that accept credit cards also must follow the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the major credit card companies. 

Finally, cloud-computing services that use, store, or process University data must also follow applicable University policies.  Such policies may include Information Technology policies and the University's data handling requirements.

At a minimum, a cloud-computing contract should address the following regulatory requirements: 

• FERPA language if student data is used or transmitted between the parties (units or departments will also need to notify the Office of the Registrar if they plan to share student information within a cloud computing service).
• GLBA language if financial data is used or transmitted between the parties (units or departments will also need to notify the Chief Information Security Officer they plan to share financial information within a cloud computing service).
• HIPAA language if health information is used or transmitted between the parties (units or departments will also need to notify the Director of the HIPAA Privacy Office at the University if they plan to share health information within a cloud computing service).
• Language protecting the intellectual property rights of the University.
• Language requiring the cloud-computing vendor to notify the University, in advance and prior to responding, if it receives any court order, subpoena, discovery request, or any request of any kind seeking access or production of any University data.
• Language requiring a cloud-computing vendor to cooperate with security incident investigation so that the University can meet its own regulatory notification requirements.
• Language requiring a cloud-computing vendor to assist the University with third party litigation that occurs because of the cloud-computing relationship.
• Language requiring a cloud-computing vendor to notify the University if the security of any cloud-computing service is compromised in a breach and any University data is potentially exposed.
• Language requiring the cloud-computing vendor to assist with entering into a cloud services contract and exiting a cloud services contract.
• Language regarding contract termination and return or destruction of University owned data.

Service Level Expectations and Performance Metrics

When entering into a cloud-computing contract, it is also important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract terms to address service level and performance metrics: 

• Language regarding service availability time and service outages 
• Language regarding routine maintenance timeframes 
• Language regarding hardware upgrades to cloud-computing services 
• Language regarding software updates to cloud-computing services 
• Language regarding changes to the cloud-computing services 

Units or departments that are considering using cloud-computing services are strongly encouraged to contact University Purchasing and IT Networks and Security prior to entering into any contract.  

In some instances, University Legal Counsel should also be consulted, as should the Institutional Review Board (IRB) if a unit or department is planning to share human subjects’ research data within a cloud computing service. 

3.   Related References 

• University IT Policies are available at: http://www.purdue.edu/policies/information-technology.html
• Standards supporting the implementation of this and other University IT Policies are available at: http://www.purdue.edu/securepurdue/bestPractices/  
• International Organization for Standardization. ISO/IEC 27002: 2005, Information Technology – Security Techniques - Code of Practice for Information Security Management. (2007).
• National Institute of Standards and Technology (NIST), Special Publication 800-53 (Rev.3): Recommended Security Controls for Federal Information Systems and Organizations (2009).
• National Institute of Standards and Technology (NIST), Special Publication 800-145: The NIST Definition of Cloud Computing (2011).

These guidelines were developed to support the implementation of the IT Resource Acceptable Use Policy (VII.A.2) and the Data Classification and Governance Policy (VII.B.6). Questions about this document can be addressed to itap-securityhelp@purdue.edu.

Issued September 7, 2010 from Purdue University Data Stewards Group, Security Officer's Group, and IT Networks and Security.

Revised November 21, 2011 to update URLs.