Cloud computing in its simplest form, refers to information technology services, accessed via the Internet, where the location of the infrastructure is unknown to the user. Some examples of cloud services are Microsoft Hotmail, Gmail, Facebook, Dropbox, and YouTube, although there are many more and most of these popular cloud services are free.
There are several significant issues with the use of public cloud computing services for University business, for instance:
- The University does not have access to those file locations. If an employee became suddenly unavailable, that employee’s department would not have access to those files or documents stored in the cloud.
- Legal compliance is another significant issue; the University has legal obligations that cannot be addressed if electronic communications, files and documents are stored outside of University provided/endorsed resources.
- When using “free” services there are generally no terms and conditions that protect the user or the University. The risks can be high when using the cloud to store or transmit sensitive data or information protected by laws or regulations. Many times these risks include possible loss, theft and corruption of data or exposure of data to unauthorized users.
- There are no guarantees that the documents and files held in the “cloud” are maintained locally or even in the United States.
- It is often unclear whether cloud providers are obligated to inform their users of a data breach. In most cases they are generally not required to tell you or the University if they experience a security breach.
Here are some examples of University data or information considered sensitive or restricted that could pose risks and/or concerns if stored in the cloud:
- Student information that is not considered directory information
- All student information for students who have asserted FERPA
- Patient information
- Personally identifiable information that could lead to identity theft or have a negative impact on an individual’s finances (e.g., name, DOB, SSN, credit card numbers, bank account numbers)
- HR/personnel records
- Certain types of research data or information governed by requirements of a specific grant (e.g., unpublished research or data collected as part of a research project)
- Account names (i.e., login credentials) and passwords
At this time, the Division of IT strongly advises IT professionals and University administrators to discourage if not prohibit faculty and staff from using public cloud services for University related activities such as e-mail or storage of work related documents and files. The Division of IT is continually working to reduce cost and improve services. Cloud service providers are viewed by DoIT as an opportunity to improve and enhance service offerings. DoIT is actively working to identify cloud service providers that are able and willing to accept essential contractual and service-related terms and conditions.
While not recommened for business use, cloud services remain popular for personal items. Following these best practices can help keep your data where you intended for it to be.
- Users should always use a different user ID and password for authentication to any system. Also use a password with complexity (upper case, lower case, numbers and special character or visit Password Security Best Practices for tips on creating a secure password. Never use your University user id or password for any services outside MU.
- Ensure your operating system is up to date with system patches and updates. Some cloud based exploits rely on un-patched systems, visit Best Practices.
- When using a shared computer, consider the information that can be left in temporary file locations on the local computer. These can include items with identifying information, or credentials that can be stored in temporary files and sometimes in clear text.
- To ensure a secure connection to remote resources, require that the access be encrypted. This can be done using https:// or an encrypted VPN connection. By accessing resources via an unencrypted connection, you can run the risk of contents being read by anyone who might gain access.
- Accessing remote resources with a personal mobile device are not recommended. Care should be taken when accessing drop box or cloud resources using a mobile device do to the lack of security measures usually implemented on these types of devices. Click here to learn more about Mobile Device Best Practices.
- You should back up files stored in a cloud, dropbox and similar remote storage applications. The loss of data by the cloud provider can be costly in time and money.
- Consider the ramifications of the personal data that you might store in a shared cloud, dropbox and similar remote storage application environments. Storing private data such as financial records, medical records or photos could put you at risk, your identity or personal information could be stolen.
Last updated: February 01, 2015