Cloud Computing Guidelines

Guidelines for the Use of 3rd Party or Cloud Computing Services at the University of Alaska

Why is this important to me?

If you manage a service and plan to outsource one, or are already and the service will house key university data regarding students, staff, faculty, finances or research, you need to read the remainder of the guide.

Cloud computing, shared services, vendor hosted solutions are becoming more common in information technology and often bring advances in capability and capacity to organizations. They also bring challenges. What University of Alaska departments and organizations once controlled exclusively, now involve relationships that need management to insure they work effectively and that the best interests of the University are managed well. Failure to properly understand and manage cloud computing relationships can result in significant institutional and individual liability, including criminal charges. It is essential that you seek review of any contract or agreement for cloud computing services, as outlined in this document.

All outsourced or vendor hosted contracts and terms and conditions should be reviewed by your Chief Information Officer, IT Security staff and the University Office of General Counsel, prior to entering into an agreement.

What does the General Counsel's Office review?

The General Counsel's Office will review:

governance
information and data security
vendor qualifications
contract suitability
risk assessment

Before beginning a formal relationship with a cloud computing vendor, what elements need to be addressed?

Before engaging in a formal relationship all of these elements need to be in order to avoid getting stuck with what you do not want, did not intend or other surprises. To do this we need to be familiar with the issues and consequences of:

Exhibit A: University of Alaska Purchase Order Confidentiality and Privacy Requirement
Exhibit B: Information Resources Proposal Review Form

Cloud Computing

The Internet is sometimes referred to as the “cloud”. Cloud computing is the array of Internet-based services, often available to the public, for gathering, storing, processing and sharing information. Some cloud services, such as those offered by Apple, Microsoft, or Google, may be free to end-users. For the general user who wants a convenient, Internet-based solution for storing or sharing personal information, cloud computing may provide a reasonable option. University departments seeking such services need to be aware that all services need to adhere to security policy and standards as well as confidentiality laws. This document identifies security and data privacy concerns that must be considered when purchasing or using cloud- computing services at the University. In this context, the University is a cloud-computing consumer.

Examples

There are numerous types of cloud computing services available on the Internet that may be appropriate for individual or University use. Some examples of public cloud services are:

External Email Services (e.g., Hotmail, Gmail, O365, etc.)
Chat & Instant Messaging Services (e.g., Yahoo, AIM, MSN, IRC, etc.)
Social Networking Services (e.g., Twitter, Facebook, Instagram, Tumblr, etc.)
Hosted Application Services (e.g., Google Docs, PageUp, etc.)
File Sharing (e.g., Dropbox, Box.net , etc.)

Virtual Machines (e.g., GoGrid and Amazon Web Services Elastic Compute Cloud and Azure are commercial web services that allow customers to rent any number of virtual computers upon which they can load and run their own software applications.)

Your Responsibility

As a member of the University community, be aware of the sensitivity or conditional uses of the data you generate, have access to, or receive. Should you ever need to store or share University information in a manner not currently provided within the University's computing environment, always consider its sensitivity before doing so. Storage and transmission of sensitive information should be limited to cloud computing resources protected by the University’s physical, technical and/or administrative processes for safeguarding data. If you are unsure of what is appropriate you can contact your campus CIO regarding what is and is not safe. When considering cloud computing services that may be entrusted with University of Alaska data or communication tools working with IT security staff to help understand and navigate issues of security and confidentiality is a good idea. In the event the service is being purchased, General Counsel, purchasing, and risk management offices may also need to be engaged to review, negotiate contracts and/or determine liability. Some data comes with licensing or other usage agreements that need to be known and followed. These can include software, commercial data products or information received by virtue of partnerships.

Any time data fitting the Universities definition of internal use or restricted is going to be exchanged with or access given to vendors, service providers, contractors, organizations, etc. outside the University the UA Information Security Officer is be notified in the process of making arrangements for this exchange or access along with the data custodian.

Units or departments that are considering using cloud-computing services should contact their purchasing and IT departments, as well as University General Counsel, prior to entering into any contract. The Institutional Review Board (IRB) should be consulted if a unit or department is planning to share human subjects’ research data within a cloud computing service.

Considerations

Has the external cloud computing resource been approved for use within the University?

If in doubt ask your local information security staff or campus CIO as there can be significant hidden or duplicated cost and risk.

Is there an alternative cloud computing resource already available within the University?

This can include Google Apps for Education (email, chat, document sharing, etc.) or other resources that can provide the functionality desired.

Does the cloud service have a contractual relationship with the University?

This will be a good indicator of an approved cloud computing resource. However discretion still needs to be used with respect to what kind of data you plan to introduce to the service.

How sensitive is the information you intend to give to the provider of a cloud based service?

Often when data leaves the University it is viewable by administrative and other staff at the service provider. Sensitive information regarding staff, students, affiliates, agreements, correspondence etc. should not be hosted off University IT resources or with services not contractually engaged.

Do you have the authority to make decisions about how public or private the data is?

Often there are agreements, governing regulation, University policy or legal requirements that need to be reviewed and provided for in disclosure of sensitive or restricted data. If you are unsure of what might be required it never hurts to ask. Your campus CIO or Information Security Officer can identify requirements and risks that need to be provided for and assist with their implementation.

Is it personally identifiable information?

Personally identifiable information (PII) according to University Regulation R05.08.023 is the combination of a persons first and last name or first initial and last name when either is accompanied by any of the following:

social security number
driver's license number or state identification card number
the individual's account number, credit card account number, or debit card account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
passwords, PINs, or access codes for financial accounts

PII placed outside the University’s control puts the University and the individual(s) it identifies at risk. Placing it in cloud computing resources not provided by the University is inconsistent with the protection the University and applicable law affords PII. You could create a large expense and embarrassment for the University and yourself if required confidentiality is lost.

Could the data’s exposure create liability or image problems for the University?

If the answer to this is yes, cloud computing services without University approval are not suitable for this material. Additionally it may cause the University to have to notify the state and individual(s) involved in accordance with the Alaska Personal Information Protection Act (AS 45.48.010 - .090).

Guidelines

There are a number of information security and data privacy concerns regarding use of cloud computing services at the University. They include:

Loss of University control of data, leading to a loss of security or reduced effectiveness
Loss of privacy of data, potentially due to aggregation with data from other cloud consumer
University dependency on a third party for critical infrastructure and data handling processes
Potential security and technological defects in the infrastructure provided by a cloud vendor
No University control over the third parties that a cloud vendor might contract with
Loss of the University’s own competence in managing the security of computing infrastructure

There are also legal concerns with the use of cloud computing. A cloud-computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve. Since cloud-computing relationships are governed by contract, it is important that the following items be considered prior to entering into any contract to use or purchase cloud computing services:

Data definition and use
General data protection terms
Compliance with legal and regulatory requirements
Data access and handover process at the end of the relationship
Breach liability assignment
Service level expectations and performance metrics

All of these items should be addressed in a cloud-computing contract, as well as items that are particular to the specific infrastructure or application services that are used or purchased.

Data Definition and Use

Both the University and cloud-computing vendor must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party and the stages of data use, transmission and storage. The parties also must clearly define data that must be protected, whose custody it is in at various stages and an assignment of liability at each stage.

The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema: Public, Internal Use, or Restricted.

Units must exercise extreme caution when sharing University internal-use or restricted data within a cloud computing service. The contract must specify how the cloud-computing vendor can use University data. Vendors cannot use University data in any way that violates the law or University policies.

There are times when the University requires access to data in the accounts or under the control of an identity they sponsored in a cloud computing services. Data ownership and the University’s right to access data regardless of what user or identity it is associated with needs to be established. The process for obtaining this kind of access needs to be detailed in procedure.

General Data Protection Terms

The University must specify particular data protection terms in a contract with a cloud-computing vendor. The University does this to create a minimum level of security for University data. A minimum level of security ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed.

The University will consider the following contract terms to ensure a minimum level of information security protection:

Data transmission and encryption requirements
Authentication and authorization mechanisms
Intrusion detection and prevention mechanisms
Logging and log review requirements
Security scan and audit requirements
Security training and awareness requirements
Establish breach responsibility boundaries
Data disposition
Service termination terms

Contracting parties in consultation with their associated campus IT department can use resources developed by the National Institute of Standards and Technology (NIST) to make sure that a contract includes the appropriate controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has also prepared information security controls guidance.

Compliance with Legal and Regulatory Requirements

The University has many federal laws that it must follow, these include Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Department of State International Traffic in Arms Regulations (ITAR) 22 CFR 120- 130, U.S. Department of Commerce Export Administration Regulations (EAR) 15 CRF 730 – 774 and the Gramm-Leach-Bliley Act (GLBA Pub.L. 106-102, 113 Stat. 1338), and the Americans with Disabilities Act (ADA) of 2008 (P.L. 110-325)

State laws may also affect a relationship with a cloud-computing vendor. For instance, in Alaska the University must follow rules about protecting Social Security and credit card numbers and follow requirements for notification of a breach (AS 45.48.010 Alaska Personal Information Protection Act). The actions of University employees are also governed by the Alaska Executive Branch Ethics Act.

A relationship with a cloud-computing vendor may also be impacted by private industry regulations. For example, units at the University that accept credit cards also must follow the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the major credit card companies.

Requirements

Finally, cloud-computing services that use, store, or process University data must also follow applicable University policies and regulations. Such policies may include Information Technology policies and the University's data handling requirements. At a minimum, a cloud-computing contract should address the following regulatory requirements:

FERPA language if student data is used or transmitted between the parties (units or departments will also need to notify the Office of the Registrar if they plan to share student information within a cloud computing service).
GLBA language if financial data is used or transmitted between the parties (units or departments will also need to notify the Chief Information Security Officer they plan to share financial information within a cloud computing service).
HIPAA language if health information is used or transmitted between the parties (units or departments will also need to notify the Chief Information Security Officer at the University if they plan to share health information within a cloud computing service).
ADA language to ensure compliance for individuals with disabilities.
Language protecting the intellectual property rights of the University.
Language requiring the cloud-computing vendor to notify the University, in advance and prior to responding, if it receives any court order, subpoena, discovery request, or any request of any kind seeking access or production of any University data.
Language requiring a cloud-computing vendor to cooperate with security incident investigation so that the University can meet its own regulatory notification requirements.
Language requiring a cloud-computing vendor to assist the University with third party litigation that occurs because of the cloud-computing relationship.
• Language outlining a cloud computing vendor’s obligation to preserve data for a specified period of time and indefinitely in the event of litigation to which hosted data may be related.
Language requiring a cloud-computing vendor to notify the University if the security of any cloud-computing service is compromised in a breach and any University data is potentially exposed.
Language requiring the cloud-computing vendor to assist with entering into a cloud services contract and exiting a cloud services contract.
Language regarding contract termination and return or destruction of University owned data.

Each cloud-computing contract presents unique legal and regulatory issues. Before entering any contract, you should consult with the University General Counsel and Chief Information Security Officer to ensure compliance.

Accessibility

If the Cloud solution includes any end-user-facing human interface, such as an end-user device software component or web site form, file upload system, etc. the Contractor hereby warrants that the products or services to be provided under this agreement comply with the accessibility guidelines of “Section 508 of the Rehabilitation Act of 1973” as amended as of the date of this agreement, and the “Web Content Accessibility Guidelines (WCAG) 2.0” published by the Web Content Accessibility Guidelines (WCAG) 2.0 website.

If the solution includes any end-user-facing human interface, such as an end-user device software component, web pages or site, video or audio playback, file upload system, mobile device components, etc., the Contractor agrees to promptly respond to and resolve any complaint regarding accessibility of its products or services which is brought to its attention and vendor further agrees to indemnify and hold harmless the University or any university entity using the Contractor's products or services from any claim arising out of its failure to comply with the aforesaid requirements.

The University, at its discretion, may at any time test the vendor’s products or services covered by this agreement to ensure compliance with Section 508 and WCAG 2.0. Testing that results in findings of non-compliance, shall result in a 25% reduction in the total cost of the products and/or services covered by this agreement if the non-compliance is not corrected within 30 days of being reported to the vendor in writing. The University will pay all withheld amounts to the vendor upon correction of the non-compliance and acceptance. Said acceptance not to be unreasonably withheld.

Failure to comply with these requirements shall constitute a breach and be grounds for termination of this agreement and a pro-rated refund of fees paid from the University for the remainder of original contract period.

Data Access and Handover Process at the End of the Relationship

Before a relationship is established the conditions under which it can be ended, the responsibilities of involved parties and steps to disengage should be defined. Without these pieces the process of ending a relationship can become daunting and costly. Starting with a defined set of conditions either side can use to initiate discontinuation of services reduces the unknowns. The following should be established up front and before engagement:

Who can elect termination of service and how notice is given.
Elements of the disentanglement such as how reacquisition of real, data or intellectual property is handled.
Assignment of duties of the University, the vendor and/or a new cloud-computing services vendor.
Time requirements for responses or actions that need to be taken.
Responsibility for costs associated with disentanglement.
Procedures for maintaining the integrity of data or intellectual property throughout the process, and any penalties for not doing so and how integrity is to be established.

Breach Liability Assignment

When entrusting a 3rd party with access to University data the process of transferring, storing and processing that data needs to be evaluated and minimum levels of assurance established for the data in each of those states. Establishing who has possession of it and the responsibility to protect it needs to be done before an adverse event involving University data takes place. Ideally the cloud computing service vendor should accept liability for any data loss that takes place on the systems, networks or applications they manage to deliver a service. Without General Counsel’s approval an agent of the University should not agree to indemnify a cloud-computing vendor.

Service Level Expectations and Performance Metrics

When entering into a cloud-computing contract, it is also important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract terms to address service level and performance metrics:

Language regarding service availability time and service outages
Language regarding routine maintenance timeframes
Language regarding hardware upgrades to cloud-computing services
Language regarding software updates to cloud-computing services
Language regarding changes to the cloud-computing services

Reference Material

7 things you should know about...; Cloud computing (PDF)

University of Alaska Data Classification Standards

University of Alaska Board of Regents’ Policy

Alaska Personal Information Protection Act

FERPA at University of Alaska

HIPAA at University of Alaska

Alaska Personal Information Protection Act Alaska Statute: AS 45.48

Purdue University Cloud Computing Guidelines

U.S. Department of Commerce Export Administration Regulations (EAR) 15 CRF 730 - 774
U.S. Department of State International Traffic in Arms Regulations (ITAR) 22 CFR 120 - 130)

Nanook Technology Services