- What is the “cloud”?
- What kind of services and applications are considered cloud services?
- Isn’t the cloud more reliable, efficient and less expensive?
- What are the risks of using the cloud?
- What makes the cloud so risky?
- What types of University data or information are considered sensitive or restricted and therefore, pose risks and/or concerns when storing in the cloud?
- If I’m a researcher, do I have any additional concerns about the cloud?
- My students use online services provided through the text books used in the course. Is that an example of a cloud service?
- What University policies govern the use of the cloud?
- What is the University’s cloud strategy?
- How can I determine whether a given cloud application is okay to use?
- Do you have examples of why cloud computing may be risky?
Q: What is the “cloud”?
A: In its simplest form, the cloud refers to information technology services, accessed via the Internet, where the location of the infrastructure (i.e., servers that hold the data) is unknown to the user. Many of the most popular cloud services are free.
Q: What kind of services and applications are considered cloud services?
A: Examples of cloud services include, but are not limited to, Microsoft Hotmail, Microsoft 365, Yahoo mail, Gmail, Facebook, MySpace, Skydrive, Google Apps, YouTube, Dropbox and Mozy. Cloud services, such as those listed, can be used if authorized or endorsed by your campus IT department. Others on your campus, such as your Registrar, may also need to be consulted before using these type of services. In any case, individual University employees should not sign up for these services on their own to conduct University business.
Q: Isn’t the cloud more reliable, efficient and less expensive?
A: Cloud services are popular for a variety of reasons. They provide consumers with the ability to easily obtain services on-demand and often at no cost. Cloud services are not always more reliable but are generally available from anywhere, as long as you have access to the Internet. It’s reasonable for University employees to assume that they are benefiting the University when using cloud services. However, cloud services can pose significant risks to employees and to the University when used to conduct University business.
Q: What are the risks of using the cloud?
A: The cloud poses little risk when used to store or transmit information and data that is publicly available. The risks can be high when using the cloud to store or transmit sensitive data or information protected by laws or regulations. Risks include possible loss, theft and corruption of data or exposure of data to unauthorized users. These risks can result in legal and financial liability and reputational harm.
Another risk lies with the adoption of similar cloud-based services. While it’s important for faculty and other University employees to use services that meet their needs, it’s also important for us to consider the confusion we may cause by adopting the same or very similar services from different cloud providers.
Q: What makes the cloud so risky?
A: First, University employees are generally not authorized to agree to terms and conditions provided via “click through” agreements. Agreeing to these terms and conditions can place you and the University in legal jeopardy.
Second, these terms and conditions rarely provide adequate protections for sensitive data covered under statutes such as FERPA and HIPAA. Cloud providers are generally not required to tell you or the University if they experience a security breach. A user’s intellectual property or FERPA-protected data could be exposed or stolen without the user knowing it.
And finally, providers of cloud services may not always provide adequate security protections for the data stored in the cloud and, because these services are pervasive and often offered by huge corporations (such as Google and Microsoft), they are targets for cyberattacks.
Q: What types of University data or information are considered sensitive or restricted and therefore, pose risks and/or concerns when storing in the cloud?
A: Examples of information/data that must or should be protected include but aren’t limited to:
- Student information that is not considered directory information
- All student information for students who have asserted FERPA
- Patient information
- Personally identifiable information that could lead to identity theft or have a negative impact on an individual’s finances (e.g., name, DOB, SSN, credit card numbers, bank account numbers)
- HR/personnel records
- Certain types of intellectual property
- Data or information affected by export controls
- Certain types of research data or information governed by requirements of a specific grant (e.g., unpublished research or data collected as part of a research project)
- Account names (i.e., login credentials) and passwords
Q: If I’m a researcher, do I have any additional concerns about the cloud?
A: Yes. Many cloud-based services store data in overseas facilities. Under U.S. export control laws, some research data must remain in the United States. Additionally, depending on the country, government and law enforcement seizures of computers, servers and other infrastructure are of particular concern.
Q: My students use online services provided through the text books used in the course. Is that an example of a cloud service?
A: In most cases, yes. Cloud services are sometimes tied to the purchase of other products. Textbooks, for example, are increasingly being sold bundled with online (cloud-based) tools and applications. These tools do not necessarily meet the University’s information security, FERPA and contractual requirements.
Q: What University policies govern the use of the cloud?
A: From a procurement perspective, BPM 1204 governs all information technology purchases made by University departments. Related to the use of the cloud, the section under “Applications” applies. The central IT department at each campus must review and approve all applications, even if the application is free.
From an information security perspective, BPM 1203 gives the VP for IT and the CIOs responsibility for establishing and enforcing information security requirements and standards.
Related to the use of the cloud, the Data Classification System (DCS) establishes the standards by which certain types of information must be secured.
Q: What is the University’s cloud strategy?
A: Each University of Missouri campus has a slightly different strategy for use of the cloud. Currently, all University students are using either Microsoft’s Outlook Live or Google’s Gmail for their official University email account. Individual campuses or individual departments within a campus are already using a limited number of cloud-based services such as Google Apps.
University IT staff, led by the Chief Information Officers, are constantly reviewing and assessing our ability to take advantage of the cloud. We hope to work with cloud service providers to obtain adequate security protections and contract terms and conditions within the next 2-3 years in order to move to either a public cloud or more likely, a private cloud for services like email, file storage and other collaborative applications.
Q: How can I determine whether a given cloud application is okay to use?
A: Check with the central IT department at your campus. The CIO at each campus has the ultimate responsibility for ensuring that the cloud services endorsed and adopted are secure (as much as is reasonably possible) and provide adequate contractual protections for you and for the University. If you are already using a cloud-based service, be sure to limit the type of information you place in the cloud.
Q: Do you have examples of why cloud computing may be risky?
A: It should be noted that the type of security incidents described below could, in theory, happen anywhere, anytime, regardless of whether the services are cloud-based or otherwise. With a private cloud (or completely private IT services) however, the University has a great deal more control in the following areas: 1) the due diligence paid to how services are managed and maintained, 2) the legal obligations when a breach occurs 3) the ability to respond and limit exposure and, 4) the ability to identify exactly what happened and what data was exposed.
If you have questions about cloud computing or using cloud resources, contact your Information Security Officer.