Cloud Service Concerns
What is the "cloud"?
The "cloud" is any computing environment that provides one or more defined services such as application services, database services, file storage services, virtual server services, etc. While most people think of the cloud as a service hosted by someone else, we could easily set up a private cloud on the University's own systems. However, for the remainder of this discussion, we will use the term "cloud" to specifically refer to an externally hosted cloud service.
A very common use of cloud services is for file storage that can be shared by an individual's multiple devices or by groups of individuals collaborating on a project. Aside from hugely expanded memory and storage capacities, there is little new in the technologies used to provide file sharing and synchronization services - file sharing among groups of users has been around for decades. The new part is that these services are more likely to be hosted in another organization's data center.
Today, people often have multiple computing devices, e.g., computers, tablets, smartphones. As a result, there is a strong need for easy-to-use mechanisms that can allow a person to access files from any of his or her devices. Many vendor products, such as Google Drive, Microsoft's OneDrive, Apple's iCloud Drive, Dropbox, Box.com, and many others, have attempted to address this need by hosting your information in the cloud. Using these services to hold information that is public in nature can be very useful, but using the same services for information that is sensitive in nature could pose a problem.
The concern about storing YOUR private data in the cloud
Before storing private, potentially sensitive, information in the cloud, you should understand how the cloud service protects your information. But where would that information be found? Have you read any end-user license agreements lately? The primary function of most end user license agreements with outside services is to protect the service provider against liability. There is little in the agreement that mentions how they intend to protect your data. They may indicate that your data is encrypted, but for most cloud services, the vendor has the keys to decrypt your files! Any compromise of their systems or the actions of a rogue, privileged employee could easily expose your data.
The concern about storing the UNIVERSITY'S private data in the cloud
In any University, there are many pieces of information that are processed and stored that could be deemed as sensitive, and when handling such data, we must ensure appropriate controls are in place to protect such data from being viewed by unauthorized individuals, regardless of where the data resides: on-campus or in the cloud. The policy of all of the University of Houston's campuses requires us as users of University information to know the sensitivity of the information that we use, and to protect it accordingly. We determine the information's sensitivity by communicating with the department responsible for collecting, managing and classifying that information. You can learn more about how data is classified at UHCL and all of the University of Houston's component campuses on the How Sensitive is the Information You Use? page.
Data elements that are protected by law or contract include but are not limited to the following:
- Student information (The Family Educational Rights Privacy Act - "FERPA", or Buckley Amendment)
- Health information (The Health Insurance Portability and Accountability Act - "HIPAA") and The Health Information Technology for Economic and Clinical Health Act - "HITECH")
- Financial information (The Gramm-Leach-Bliley Amendment - "GLBA")
- Credit card information (The Payment Card Industry Data Security Standard - "PCI-DSS")
- Information subject to state and federal privacy laws
Any organization that is subject to any of the above laws or contracts is required to diligently protect the information covered by the law or contract in the prescribed manner. When using our own, University-based systems to store covered information, we are required to follow strict rules regarding:
- How our systems are physically protected
- How they are administered
- How privileges to access the data are authorized and granted
- How individuals who are to access the information are vetted
- How the systems are monitored for inappropriate activity
- How data breaches are addressed, etc.
When we hand over protected information to an organization in the cloud, the above laws and contracts still consider US accountable for the security of the protected data and, as such, we are required to obtain satisfactory answers to all of the above questions from any organization that will hold even one piece of our sensitive data. Accomplishing this requires us to enter into a contract with the cloud-based service provider that spells out:
- What kind of information might be stored
- To what laws and contracts it is subject
- What we are requiring them to do to protect our data (Note - Rather than spelling out hundreds of security recommendations, most organizations ask cloud providers to adhere to an industry-recognized standard, most notably SSAE16, ISO 27000, etc.)
- How they will dispose of our data once our contract ends
- How they prove on an annual basis that they comply with our requirements (Note - This is typically addressed by requiring the service provider to submit the cover sheet of their annual audit against our agreed upon industry-recognized standard indicating that they are in compliance.)
If we do not perform our due diligence in vetting our service providers and holding them accountable for meeting the data protection standards to which we are subject, the financial and reputational impact of a data breach to the University could be enormous.
What if you need to use the cloud for a legitimate University business purpose?
Contact the UHCL Information Security Office through the OIT Support Center at extension 2828 or supportcenter@uhcl.edu. We will work with you to review your business requirements and determine what in-house and cloud-based facilities are available to address your business requirements. If we determine that a cloud service is the most appropriate way to address the business need, we will work with the University of Houston System's Information Security Office and the Office of Contracts Administration to negotiate an appropriate contract with the cloud service provider to ensure that the University's interests are protected.