The definition and limits of cloud computing are still evolving. At its simplest, cloud computing is a type of computing where both applications and infrastructure capabilities are provided to end users as storing, processing and sharing information service through the Internet. Some cloud services offered by Apple, Google, or Microsoft, may be free to end users.
For a general user, cloud computing may provide a reasonable option for storing or sharing personal information. University departments, whether administrative, academic or research, planning on using such services need to be aware that all must adhere to security policies and standards as well as provincial and federal laws.
The information below is taken from Carleton’s Cloud Computing Security Guidelines. The full document identifies security and data privacy concerns that must be considered when purchasing or using cloud computing services at Carleton University.
Types of Cloud Computing Services
There are numerous types of third party cloud computing services available that may be appropriate for individual or University use. Some examples are:
- External email services; e.g., Hotmail, Gmail, etc.
- Chat & Instant Messaging Services; e.g., MSM, AIM, etc.
- Social Networking Services; e.g., Twitter, Facebook, etc.
- Hosted Application Services; e.g., Google Docs
- File Sharing; e.g., Dropbox, Copy, etc.
As a member of the University community, you should be aware of the sensitivity or conditional uses of the data you generate, have access to, or receive. Should you ever need to store or share University information in a manner not currently provided within the University’s computing environment, always consider its sensitivity before doing so.
Storage and transmission of sensitive information should be limited to cloud computing resources that are protected by the University’s physical, technical and/or administrative processes for safeguarding data. When considering cloud computing services that may be entrusted with University data or communication tools, it is a good idea to consult with the Information Security staff in ITS (Information Technology Services) to help understand and navigate the issues of security and confidentiality.
Information Security and Data Privacy Concerns
There are a number of information security and data privacy concerns regarding the use of cloud computing services at the University. They include:
- Loss of information confidentiality and potential brand damage to Carleton; e.g., data breaches
- Non-compliance with federal and provincial privacy legislation
- Cloud computing providers’ unilateral change of their terms of service
- Loss of information; e.g., disappearance of cloud provider with no backup at the University
- Loss of information ownership
- Availability of information; e.g., denial of service
- Loss of control over information; e.g., information stored in non-University cloud accounts
- Inability to investigate the loss of information confidentiality or availability
- Inability to satisfy timely information requests for legal, investigatory or compliance purposes
- Hijacking of cloud computing account or service
- Inability of the University to control information access controls
There are also legal concerns with the use of cloud computing.
When engaging a third party to provide cloud computing services, the contractual agreement must include provisions that ensure the University is notified of information security incidents within an acceptable period of time.
Depending on the type of incident, the University may have obligations to report breaches to other bodies including provincial and federal governments where Personally Identifiable Information (PII) is involved.