

Security Considerations for Cloud Computing

Security, privacy, identity, and other compliance implications of moving data into the cloud.

  1. Confidentiality and Privacy
    1. Institutions are obligated by regulations such as FERPA (education records) and HIPAA (protected health information) to protect those records, yet placing them in the cloud introduces new risk. FERPA defines the covered records broadly: "Education records...means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution". A cloud provider holding the records is such a party acting for the institution, so the obligation follows the data to the vendor.
    2. Export controls (such as ITAR).
    3. If some information is subject to FOIA or state public-records requests, at what granularity is the data defined and managed so that responsive records can be identified and produced?
  2. Data Breach Responsibilities and Security. Placing data and services in the cloud amplifies concerns about data breaches, yet security is no longer under the direct control of the institution.
    1. A data breach generally carries with it an obligation to notify. Who is responsible for notification (the institution, the vendor, or a third party), and how quickly must it occur?
    2. Risks to intellectual property: authorization; terms and conditions that (inappropriately) assert ownership over IP held by third parties; weakening of the institution's ability to assert "work made for hire" for creations that are developed "without use of institutional resources".
    3. Export controls. Does the vendor house data at foreign sites? Are the systems managed by foreign nationals? Under ITAR, access to controlled technical data by a foreign national can itself constitute an export, even when the data never leaves the United States.
  3. E-Discovery
    1. Institutions and their legal counsel may be obligated to preserve and produce records needed for legal discovery. But these records are no longer under direct institutional control; the institution does not hold the record in the way it formerly did. How does one "discover" within this externalized infrastructure, and can the vendor place a litigation hold, produce records in a usable format, and attest to their integrity?
  4. Risk Evaluation
    1. Indemnification (both ways)
    2. Warranties (and lack thereof)
    3. Responsibility for End Users
    4. Patent Infringement
    5. Choice of Law and Jurisdiction
    6. Risk Transfer
    7. Procurement Policies & Practices (e.g., procurement policies should require a risk evaluation for products that store records with confidential data)
    8. The University of Florida's Office of Security and Compliance has provided a template that may be used by other institutions to perform a cloud risk survey: SaaS Security Assessment Questionnaire for Hosting Service Provider. There are many additional resources (templates, guidelines, tools) in the Risk Management chapter of this guide.
  5. Business Continuity
    1. Suspension/Termination and their Aftermath
    2. Service Level Agreements
    3. Fungibility of service (how portable are the data and configuration if the institution needs to move to a different cloud provider, and in what format can they be exported?)
  6. Legal Issues & Third Party Obligations in Cloud Computing Contracts
    1. Grants with Stipulations
    2. Course Management
    3. Risk Transfer
    4. Consider incorporated website terms that are modifiable at will. Since the terms of some contracts are incorporated by reference to URLs whose content the vendor can change at any time, new risk can be introduced without any conscious evaluation of it. How does one evaluate a river? Does one ever step into the same river twice? (Is there a service, like the WCA, that can freeze a URL and tie it to the content as of a specific date, so the terms actually agreed to can be established later?)
    5. Legal and Quasi-Legal Issues in Cloud Computing Contracts
    6. Data Protection Contractual Language: Common Themes and Examples
Additional Resources for Cloud Computing Security

Higher Education Resources

Industry & Other Resources



Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Labels: security, cloud, computing, third, party, services, above-campus, outsourcing, e-mail, saas, software-as-a-service, confidentiality, privacy, identity, management, data, contracts, e-discovery, risk, evaluation, assessment, business, continuity, legal, issues, obligations, educause, heisc