Cloud Computing Guidelines
Guidelines for the Use of 3rd Party or Cloud Computing Services at the University of Alaska
Why is this important to me?
If you manage a service and plan to outsource one, or are already and the service will house key university data regarding students, staff, faculty, finances or research, you need to read the remainder of the guide.
Cloud computing, shared services, vendor hosted solutions are becoming more common in information technology and often bring advances in capability and capacity to organizations. They also bring challenges. What University of Alaska departments and organizations once controlled exclusively, now involve relationships that need management to insure they work effectively and that the best interests of the University are managed well. Failure to properly understand and manage cloud computing relationships can result in significant institutional and individual liability, including criminal charges. It is essential that you seek review of any contract or agreement for cloud computing services, as outlined in this document.
All outsourced or vendor hosted contracts and terms and conditions should be reviewed by your Chief Information Officer, IT Security staff and the University Office of General Counsel, prior to entering into an agreement.
The General Counsel's Office will review:
- information and data security
- vendor qualifications
- contract suitability
- risk assessment
Before engaging in a formal relationship all of these elements need to be in order to avoid getting stuck with what you do not want, did not intend or other surprises. To do this we need to be familiar with the issues and consequences of:
- our choices
- what needs to be considered
- organizational needs
- types of data
- methods of protection
- liability and limitations
- service level
- performance metrics
Table of Contents
The Internet is sometimes referred to as the “cloud”. Cloud computing is the array of Internet-based services, often available to the public, for gathering, storing, processing and sharing information. Some cloud services, such as those offered by Apple, Microsoft, or Google, may be free to end-users. For the general user who wants a convenient, Internet-based solution for storing or sharing personal information, cloud computing may provide a reasonable option. University departments seeking such services need to be aware that all services need to adhere to security policy and standards as well as confidentiality laws. This document identifies security and data privacy concerns that must be considered when purchasing or using cloud- computing services at the University. In this context, the University is a cloud-computing consumer.
There are numerous types of cloud computing services available on the Internet that may be appropriate for individual or University use. Some examples of public cloud services are:
- External Email Services (e.g., Hotmail, Gmail, O365, etc.)
- Chat & Instant Messaging Services (e.g., Yahoo, AIM, MSN, IRC, etc.)
- Social Networking Services (e.g., Twitter, Facebook, Instagram, Tumblr, etc.)
- Hosted Application Services (e.g., Google Docs, PageUp, etc.)
- File Sharing (e.g., Dropbox, Box.net , etc.)
Virtual Machines (e.g., GoGrid and Amazon Web Services Elastic Compute Cloud and Azure are commercial web services that allow customers to rent any number of virtual computers upon which they can load and run their own software applications.)
As a member of the University community, be aware of the sensitivity or conditional uses of the data you generate, have access to, or receive. Should you ever need to store or share University information in a manner not currently provided within the University's computing environment, always consider its sensitivity before doing so. Storage and transmission of sensitive information should be limited to cloud computing resources protected by the University’s physical, technical and/or administrative processes for safeguarding data. If you are unsure of what is appropriate you can contact your campus CIO regarding what is and is not safe. When considering cloud computing services that may be entrusted with University of Alaska data or communication tools working with IT security staff to help understand and navigate issues of security and confidentiality is a good idea. In the event the service is being purchased, General Counsel, purchasing, and risk management offices may also need to be engaged to review, negotiate contracts and/or determine liability. Some data comes with licensing or other usage agreements that need to be known and followed. These can include software, commercial data products or information received by virtue of partnerships.
Any time data fitting the Universities definition of internal use or restricted is going to be exchanged with or access given to vendors, service providers, contractors, organizations, etc. outside the University the UA Information Security Officer is be notified in the process of making arrangements for this exchange or access along with the data custodian.
Units or departments that are considering using cloud-computing services should contact their purchasing and IT departments, as well as University General Counsel, prior to entering into any contract. The Institutional Review Board (IRB) should be consulted if a unit or department is planning to share human subjects’ research data within a cloud computing service.
- social security number
- driver's license number or state identification card number
- the individual's account number, credit card account number, or debit card account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- passwords, PINs, or access codes for financial accounts
There are a number of information security and data privacy concerns regarding use of cloud computing services at the University. They include:
- Loss of University control of data, leading to a loss of security or reduced effectiveness
- Loss of privacy of data, potentially due to aggregation with data from other cloud consumer
- University dependency on a third party for critical infrastructure and data handling processes
- Potential security and technological defects in the infrastructure provided by a cloud vendor
- No University control over the third parties that a cloud vendor might contract with
- Loss of the University’s own competence in managing the security of computing infrastructure
There are also legal concerns with the use of cloud computing. A cloud-computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve. Since cloud-computing relationships are governed by contract, it is important that the following items be considered prior to entering into any contract to use or purchase cloud computing services:
- Data definition and use
- General data protection terms
- Compliance with legal and regulatory requirements
- Data access and handover process at the end of the relationship
- Breach liability assignment
- Service level expectations and performance metrics
All of these items should be addressed in a cloud-computing contract, as well as items that are particular to the specific infrastructure or application services that are used or purchased.
Both the University and cloud-computing vendor must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party and the stages of data use, transmission and storage. The parties also must clearly define data that must be protected, whose custody it is in at various stages and an assignment of liability at each stage.
The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema: Public, Internal Use, or Restricted.
Units must exercise extreme caution when sharing University internal-use or restricted data within a cloud computing service. The contract must specify how the cloud-computing vendor can use University data. Vendors cannot use University data in any way that violates the law or University policies.
There are times when the University requires access to data in the accounts or under the control of an identity they sponsored in a cloud computing services. Data ownership and the University’s right to access data regardless of what user or identity it is associated with needs to be established. The process for obtaining this kind of access needs to be detailed in procedure.
The University must specify particular data protection terms in a contract with a cloud-computing vendor. The University does this to create a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.
The University will consider the following contract terms to ensure a minimum level of information security protection:
- Data transmission and encryption requirements
- Authentication and authorization mechanisms
- Intrusion detection and prevention mechanisms
- Logging and log review requirements
- Security scan and audit requirements
- Security training and awareness requirements
- Establish breach responsibility boundaries
- Data disposition
- Service termination terms
Contracting parties in consultation with their associated campus IT department can use resources developed by the National Institute of Standards and Technology (NIST) to make sure that a contract includes the appropriate controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has also prepared information security controls guidance.
The University has many federal laws that it must follow, these include Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Department of State International Traffic in Arms Regulations (ITAR) 22 CFR 120- 130, U.S. Department of Commerce Export Administration Regulations (EAR) 15 CRF 730 – 774 and the Gramm-Leach-Bliley Act (GLBA Pub.L. 106-102, 113 Stat. 1338), and the Americans with Disabilities Act (ADA) of 2008 (P.L. 110-325)
State laws may also affect a relationship with a cloud-computing vendor. For instance, in Alaska the University must follow rules about protecting Social Security and credit card numbers and follow requirements for notification of a breach (AS 45.48.010 Alaska Personal Information Protection Act). The actions of University employees are also governed by the Alaska Executive Branch Ethics Act.
A relationship with a cloud-computing vendor may also be impacted by private industry regulations. For example, units at the University that accept credit cards also must follow the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the major credit card companies.
Finally, cloud-computing services that use, store, or process University data must also follow applicable University policies and regulations. Such policies may include Information Technology policies and the University's data handling requirements. At a minimum, a cloud-computing contract should address the following regulatory requirements:
- FERPA language if student data is used or transmitted between the parties (units or departments will also need to notify the Office of the Registrar if they plan to share student information within a cloud computing service).
- GLBA language if financial data is used or transmitted between the parties (units or departments will also need to notify the Chief Information Security Officer they plan to share financial information within a cloud computing service).
- HIPAA language if health information is used or transmitted between the parties (units or departments will also need to notify the Chief Information Security Officer at the University if they plan to share health information within a cloud computing service).
- ADA language to ensure compliance for individuals with disabilities.
- Language protecting the intellectual property rights of the University.
- Language requiring the cloud-computing vendor to notify the University, in advance and prior to responding, if it receives any court order, subpoena, discovery request, or any request of any kind seeking access or production of any University data.
- Language requiring a cloud-computing vendor to cooperate with security incident investigation so that the University can meet its own regulatory notification requirements.
- Language requiring a cloud-computing vendor to assist the University with third party
litigation that occurs because of the cloud-computing relationship.
• Language outlining a cloud computing vendor’s obligation to preserve data for a specified period of time and indefinitely in the event of litigation to which hosted data may be related.
- Language requiring a cloud-computing vendor to notify the University if the security of any cloud-computing service is compromised in a breach and any University data is potentially exposed.
- Language requiring the cloud-computing vendor to assist with entering into a cloud services contract and exiting a cloud services contract.
- Language regarding contract termination and return or destruction of University owned data.
Each cloud-computing contract presents unique legal and regulatory issues. Before entering any contract, you should consult with the University General Counsel and Chief Information Security Officer to ensure compliance.
If the Cloud solution includes any end-user-facing human interface, such as an end-user device software component or web site form, file upload system, etc. the Contractor hereby warrants that the products or services to be provided under this agreement comply with the accessibility guidelines of “Section 508 of the Rehabilitation Act of 1973” as amended as of the date of this agreement, and the “Web Content Accessibility Guidelines (WCAG) 2.0” published by the Web Content Accessibility Guidelines (WCAG) 2.0 website.
If the solution includes any end-user-facing human interface, such as an end-user device software component, web pages or site, video or audio playback, file upload system, mobile device components, etc., the Contractor agrees to promptly respond to and resolve any complaint regarding accessibility of its products or services which is brought to its attention and vendor further agrees to indemnify and hold harmless the University or any university entity using the Contractor's products or services from any claim arising out of its failure to comply with the aforesaid requirements.
The University, at its discretion, may at any time test the vendor’s products or services covered by this agreement to ensure compliance with Section 508 and WCAG 2.0. Testing that results in findings of non-compliance, shall result in a 25% reduction in the total cost of the products and/or services covered by this agreement if the non-compliance is not corrected within 30 days of being reported to the vendor in writing. The University will pay all withheld amounts to the vendor upon correction of the non-compliance and acceptance. Said acceptance not to be unreasonably withheld.
Failure to comply with these requirements shall constitute a breach and be grounds for termination of this agreement and a pro-rated refund of fees paid from the University for the remainder of original contract period.
Before a relationship is established the conditions under which it can be ended, the responsibilities of involved parties and steps to disengage should be defined. Without these pieces the process of ending a relationship can become daunting and costly. Starting with a defined set of conditions either side can use to initiate discontinuation of services reduces the unknowns. The following should be established up front and before engagement:
- Who can elect termination of service and how notice is given.
- Elements of the disentanglement such as how reacquisition of real, data or intellectual property is handled.
- Assignment of duties of the University, the vendor and/or a new cloud-computing services vendor.
- Time requirements for responses or actions that need to be taken.
- Responsibility for costs associated with disentanglement.
- Procedures for maintaining the integrity of data or intellectual property throughout the process, and any penalties for not doing so and how integrity is to be established.
Breach Liability Assignment
When entrusting a 3rd party with access to University data the process of transferring, storing and processing that data needs to be evaluated and minimum levels of assurance established for the data in each of those states. Establishing who has possession of it and the responsibility to protect it needs to be done before an adverse event involving University data takes place. Ideally the cloud computing service vendor should accept liability for any data loss that takes place on the systems, networks or applications they manage to deliver a service. Without General Counsel’s approval an agent of the University should not agree to indemnify a cloud-computing vendor.
When entering into a cloud-computing contract, it is also important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract terms to address service level and performance metrics:
- Language regarding service availability time and service outages
- Language regarding routine maintenance timeframes
- Language regarding hardware upgrades to cloud-computing services
- Language regarding software updates to cloud-computing services
- Language regarding changes to the cloud-computing services
U.S. Department of Commerce Export Administration Regulations (EAR) 15 CRF 730 - 774
U.S. Department of State International Traffic in Arms Regulations (ITAR) 22 CFR 120 - 130)