Examples of cloud computing service models include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Generally, cloud computing services are run outside the walls of the customer organization, on a vendor's infrastructure and with vendor maintenance.
Although cloud-like services can be internal (e.g., IU's Intelligent Infrastructure), this document refers exclusively to cloud services provided by third-party vendors over a network connection where at least part of the service resides outside the institution, regardless of whether those services are offered freely to the public or privately to paying or registered users.
Cloud computing represents an externalization of information technology applications and infrastructure beyond an organization's data center walls. In the university context, cloud computing may be thought of as extra-campus or above-campus computing.
Cloud services are often available "on demand," and utilize an infrastructure shared by the vendor's customers. While some offer a flat fee model or consumption-based pricing, other cloud services are offered at no cost.
Within the university, the confidentiality, integrity, availability, use control, and accountability of institutional data and services are expected to be ensured by a suite of physical, technical, and administrative safeguards proportional to the sensitivity and criticality (i.e., risk) of those information assets and services.
These safeguards help protect the reputation of the university and reduce institutional exposure to legal and compliance risks. Much of the challenge in approaching cloud computing involves determining whether a service vendor has adequate safeguards in place commensurate with the value and risk associated with assets and services involved.
Once the high-level challenges are understood, the next step is to consider the risks and determine whether or how to appropriately mitigate those risks in the context of the proposed information and/or service.
- Vendor trustworthiness: How do we establish an adequate level of trust in a cloud service provider? How do we ensure our trust boundaries do not extend farther than intended when using a cloud service vendor?
- Integration: We must account for the ease or difficulty of integrating cloud services with internal systems and processes. How will we manage the integration of such cloud services with current information and/or information services? For example, how would we integrate existing user credentials with a cloud service without reducing the integrity of those credentials? Would we need multiple credentials?
- Data and intellectual property issues: What is the potential for and the consequences of information loss, leakage, and commingling with other clients' information or services? What are the risks to involved intellectual property? What response plan will be followed if a data breach occurs? How is the data owner notified?
- Records preservation, access, and management: How would we manage preservation, access, retention, and disposal of information? How would we ensure that university information is securely removed from the vendor's equipment if necessary? How would we ensure that we can preserve and gain prompt access to stored information if needed in the context of a lawsuit, investigation, or public records request?
- Responsibility/liability: What is the relative liability for lost data/revenue accepted by the vendor and retained by the university? How will liabilities related to lost or altered data be shared between the vendor and the university?
- Vendor location: What are the implications of the vendor's location for compliance, cultural, timeliness, and support-level issues?
- Human resources safeguards: How does the vendor select, vet, and train its employees to minimize risks to the privacy, security, and integrity of client data? How does the vendor manage employee changes?
- Operational flexibility: What is the effect of the potential loss of flexibility or life cycle control over the service? How would we be alerted to vendor service changes that could impact our operations?
- Security/safeguards: How do we satisfy ourselves that the vendor will employ and maintain adequate safeguards based on the sensitivity and criticality of the information and/or service involved? For example, how would the vendor ensure that changes to cloud service access privileges are applied accurately and promptly? How would the vendor ensure that only authorized individuals are able to modify access privileges? Can the vendor support encryption of data at rest and in transit if necessary?
- Confidentiality/privacy: What are the privacy risks and/or open records consequences of the information and/or service involved? Can we control how our information may be used by the vendor? Does vendor use or intended use of information conflict with nondisclosure agreements the university has entered into regarding such information? Does vendor use or intended use of information compromise patentable inventions associated with or embodied in that information? How do we address user concern about vendor privacy policy? Do we need to provide an alternative service for users who do not wish to expose themselves to the vendor's privacy practices?
- Legal/regulatory consequences: How does the use of a cloud service impact our ability to comply with various legal requirements (e.g., HIPAA, FERPA, PCI-DSS, E-discovery, state data protection laws, export control laws)? Do laws where the vendor is incorporated or locates its servers (which may include foreign laws) potentially apply? Are there implications for faculty, staff, or students working or studying outside the US? Can we control where the vendor stores our data if the law restricts the transmission or storage of such data (e.g., certain research data) outside the US?
- Difficulty managing cloud services: How would we interface with the service provider? What management information (e.g., availability, system failures, discovered vulnerabilities, incidents, potential compromises) is available from the provider? Can we access necessary logs associated with the service? What type of user support would be needed for the cloud service? Who would provide it? What are the minimum service expectations? Are tools available to detect service failures? What if the service does not meet our expectations?
- Availability: What are potential issues resulting from vendor downtime, poor vendor quality or reliability, lack of bandwidth, or slow response? What leverage do we have if the level of availability does not meet our expectations? How do we explain outages or poor service performance to our users?
The above factors should not be taken to suggest that cloud computing has no potential benefits; but rather that the benefits must be balanced with the risks involved when evaluating the use of cloud computing services.
Cloud computing services are similar to traditional outsourcing and can be approached analogously while accounting for their unique risks/benefits. The following recommendations and strategies are intended to assist units in their approach to evaluating the prudence and feasibility of leveraging cloud services.
- Risk/benefit analysis: Units considering university services that may be delivered using cloud technology, or new services provided by cloud technology, must identify and understand the risks and benefits of the service. Recognize that vendor security failures will potentially involve, or at least reflect on, the university. Consider the security and privacy objectives of confidentiality, integrity, availability, use control, and accountability, and determine what would happen if each of these objectives were not met. Honestly compare the costs of the internal and external services, including the costs of managing the vendor relationship and of integrating the service with existing internal services and processes.
- Consultation: Consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office.
- Lower risk candidates: When considering university services that may be delivered using cloud technology, ideal candidates will be those that are non-critical to operations, involve public information, and otherwise would require significant internal infrastructure or investment to deliver or continue delivering internally. These are likely to represent the best opportunities for maximizing benefit while minimizing risk.
- Higher risk candidates: University services that are critical to the operation of the university or involve differentiating or core competencies, and/or involve restricted or critical information or intellectual property, are necessarily higher risk candidates and require careful scrutiny.
- Consider "internal cloud" alternatives: Due to the decentralized nature of the university, some duplication of effort is inevitable. Units should consider leveraging internal cloud-like services when looking for ways to reduce cost, e.g., units managing their own email servers and/or server hardware should consider migrating to the institutional email solutions and/or a virtual server solution (i.e., Intelligent Infrastructure). "Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term," (Dan Blum, "Cloud Computing Security in the Enterprise," Burton Group, July 15, 2009).
- Vendor agreement: In all cases, strive to obtain a contract or service-level agreement with the vendor. For non-critical services involving public data, it may be possible to leverage a cloud service without such an agreement if the vendor is willing to provide adequate assurances; however, services critical to the university and/or those involving more sensitive data (i.e., restricted or critical) must not be provided by a cloud vendor without an appropriate agreement in place. Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office must be consulted when drafting such agreements.
- Proportionality of safeguards: Vendor physical, technical, and administrative safeguards should be equal to or better than those in place internally for similar services and information. Areas to explore with the vendor include privileged user access, regulatory compliance, data location, data segregation, recovery/data availability, change management, user provisioning and de-provisioning, personnel practices, incident response plans, and investigative/management support, as well as the issues identified in the previous section. Scrutinize any gaps identified.
- Due diligence: Due diligence should be conducted to determine the viability of the vendor/service provider. Consider such factors as vendor reputation, transparency, references, financial (means and resources), and independent third-party assessments of vendor safeguards and processes.
- Exit strategy: Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. Be sure to determine how you would recover your data from the vendor, especially in cases where the vendor shuts down.
- Proportionality of analysis/evaluation: The depth of the above analysis and evaluation and the scope of risk mitigation measures and required vendor assurances must be proportional to the risk involved, as determined by the sensitivity level of the information involved and the criticality or value to the university of the service involved.