New developments in Internet-based products and services highlight information security concerns. Cloud computing is one of these new developments that causes information security concerns for the University.
The definition and limits of cloud computing are still evolving. At its simplest, cloud computing is a type of computing where both applications and infrastructure capabilities are provided to end users as a service through the Internet. Through cloud computing, entities no longer have to own their own computer hardware, infrastructure, platforms, or applications. By way of an example, software as a service (SaaS) application services are cloud computing services.
Individuals are not the only users of cloud computing services. Organizations like the University may also purchase or use free cloud-computing services to lower costs and create efficiencies.
This document identifies security and data privacy concerns that must be considered when purchasing or using cloud-computing services at the University. In this context, the University is a cloud-computing consumer.
There are a number of information security and data privacy concerns about use of cloud computing services at the University. They include:
There are also legal concerns with the use of cloud computing. A cloud-computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve.
Since cloud-computing relationships are governed by contract, it is important that the following items be considered prior to entering into any contract to use or purchase cloud computing services:
All of these items should be addressed in a cloud-computing contract, as well as items that are particular to the specific infrastructure or application services that are used or purchased.
Both the University and cloud-computing vendor must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected.
The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema: Public, Sensitive, or Restricted. Units must exercise extreme caution when sharing University-classified sensitive or restricted data within a cloud computing service.
The contract must specify how the cloud-computing vendor can use University data. Vendors cannot use University data in any way that violates the law or University policies.
The University must specify particular data protection terms in a contract with a cloud-computing vendor. The University does this to create a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.
The University should consider the following contract terms to ensure a minimum level of information security protection:
Contracting parties can use resources developed by the National Institute of Standards and Technology (NIST) to make sure that a contract includes the appropriate controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has also prepared information security controls guidance.
The University has many federal laws that it must follow, these include Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA).
State laws may also affect a relationship with a cloud-computing vendor. For instance, in Indiana the University must follow rules about disclosing Social Security Numbers (Indiana Code 4-1-10, Release of Social Security Number) and security breach notification (Indiana Code 4-1-11, Notice of Security Breach).
A relationship with a cloud-computing vendor may also be impacted by private industry regulations. For example, units at the University that accept credit cards also must follow the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the major credit card companies.
Finally, cloud-computing services that use, store, or process University data must also follow applicable University policies. Such policies may include Information Technology policies and the University's data handling requirements.
At a minimum, a cloud-computing contract should address the following regulatory requirements:
When entering into a cloud-computing contract, it is also important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract terms to address service level and performance metrics:
Units or departments that are considering using cloud-computing services are strongly encouraged to contact University Purchasing and IT Networks and Security prior to entering into any contract.
In some instances, University Legal Counsel should also be consulted, as should the Institutional Review Board (IRB) if a unit or department is planning to share human subjects’ research data within a cloud computing service.
3. Related References
These guidelines were developed to support the implementation of the IT Resource Acceptable Use Policy (VII.A.2) and the Data Classification and Governance Policy (VII.B.6). Questions about this document can be addressed to firstname.lastname@example.org.
Issued September 7, 2010 from Purdue University Data Stewards Group, Security Officer's Group, and IT Networks and Security.
Revised November 21, 2011 to update URLs.