Guidelines for the Use of Cloud Computing (Third Party) Services at Carleton University

The definition and limits of cloud computing are still evolving. At its simplest, cloud computing is a type of computing where both applications and infrastructure capabilities are provided to end users as a service for storing, processing and sharing information through the Internet. Some cloud services offered by Apple, Google, or Microsoft may be free to end users.

For a general user, cloud computing may provide a reasonable option for storing or sharing personal information. University departments, whether administrative, academic or research, planning on using such services need to be aware that all must adhere to security policies and standards as well as provincial and federal laws. This Guideline identifies security and data privacy concerns that must be considered when purchasing or using cloud computing services at Carleton University.

There are numerous types of third party cloud computing services available that may be appropriate for individual or University use. Some examples are:

  • External email services; e.g., Hotmail, Gmail, etc.
  • Chat & Instant Messaging Services; e.g., MSN, AIM, etc.
  • Social Networking Services; e.g., Twitter, Facebook, etc.
  • Hosted Application Services; e.g., Google Docs
  • File Sharing; e.g., Dropbox, Copy, etc.

Your Responsibility

As a member of the University community, you should be aware of the sensitivity or conditional uses of the data you generate, have access to, or receive. Should you ever need to store or share University information in a manner not currently provided within the University’s computing environment, always consider its sensitivity before doing so.

Storage and transmission of sensitive information should be limited to cloud computing resources that are protected by the University’s physical, technical and/or administrative processes for safeguarding data. If you are unsure of what is appropriate, you can contact the University CIO (Chief Information Officer) regarding what is and is not safe. When considering cloud computing services that may be entrusted with University data or communication tools, it is a good idea to consult with the Information Security (IS) staff in ITS (Information Technology Services) to help understand and navigate the issues of security and confidentiality.

If the service is being purchased, the University Legal Counsel, Purchasing Services, the CIO and the Risk Management office may also need to be engaged to review, negotiate contracts, and/or determine liability. These can include software, commercial data products or information received by virtue of partnerships.

Considerations

The following questions can assist in making decisions on the acquisition of cloud computing services:

Has the external cloud computing resource been approved for use within the University?

If in doubt, ask your ITS IT Security staff or the CIO, as there can be significant hidden or duplicated costs and risk.

Is there an alternative cloud computing resource already available within the University?

Currently, Carleton University provides cloud-based email via Microsoft’s Office 365. For document collaboration, the service cuCollab is available to staff and faculty.

Does the cloud service have a contractual relationship with the University?

This will be a good indicator of an approved cloud computing resource. However, discretion still needs to be used with respect to what kind of data you plan to introduce to the service.

How sensitive is the information you intend to give to the provider of a cloud-based service?

Often when data leaves the University it is viewable by administrative and other staff of the service provider. Sensitive information regarding staff, students, affiliates, agreements, correspondence, etc. should not be hosted off University IT resources or with services not contractually engaged.

Do you have the authority to make decisions about how public or private the data is?

Often there are agreements, governing regulations, University policy or legal requirements that need to be reviewed and provided for in the disclosure of sensitive or restricted data. If you are unsure of what might be required, contact the CIO in ITS to identify requirements and risks that need to be provided for and assist with their implementation.

Is it Personally Identifiable Information (PII)?

According to the University’s Student and Applicant Record Policy, and the Access to Information and Protection of Privacy legislation, PII includes, but is not limited to:

  • Name
  • Home address, telephone, email address
  • Student number, enrolment status, all education history (courses taken, grades, evaluative comments)
  • Employee number, employment history

PII placed outside the University’s control puts the University and the individual(s) it identifies at risk. Placing it in cloud computing resources not provided by the University is inconsistent with the protection the University and applicable law afford PII. You can create a large expense and embarrassment for the University and yourself if required confidentiality is lost.

Could the data’s exposure create liability or image problems for the University?

If the answer to this is yes, cloud computing services without University approval are not suitable for this material. It may cause the University to have to notify the provincial government, federal government and individual(s) involved in accordance with the Ontario Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection and Electronic Documents Act (PIPEDA).

Information Security, Privacy and Legal Concerns

There are a number of information security and data privacy concerns regarding the use of cloud computing services at the University. They include:

  • Loss of information confidentiality and potential brand damage to Carleton; e.g., data breaches
  • Non-compliance with federal and provincial privacy legislation
  • Cloud computing providers’ unilateral change of their terms of service
  • Loss of information; e.g., disappearance of cloud provider with no backup at the University
  • Loss of information ownership
  • Availability of information; e.g., denial of service
  • Loss of control over information; e.g., information stored in non-University cloud accounts
  • Inability to investigate the loss of information confidentiality or availability
  • Inability to satisfy timely information requests for legal, investigatory or compliance purposes
  • Hijacking of cloud computing account or service
  • Inability of the University to control information access controls

There are also legal concerns with the use of cloud computing. A cloud computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve. Since cloud computing relationships are governed by contract, it is important that the following items be considered prior to entering into any contract for the use or purchase of cloud computing services:

  • Data definition and use
  • General data protection terms
  • Compliance with legal and regulatory requirements
  • Data access and handover process at the end of the relationship
  • Information Security Incident Reporting
  • Breach liability assignment
  • Service level expectations and performance metrics

All of these items should be addressed in a cloud-computing contract, as well as items that are particular to the specific infrastructure or application services that are used or purchased.

Data Definition and Use

Both the University and cloud computing vendors must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party and the stages of data use, transmission and storage. The parties also must clearly define the data that must be protected, and whose custody it is in at various stages, and assignment of liability at each stage.

The contract must specifically state what data the University owns. It must also classify the type of data shared in the contract according to the University’s classification schema; i.e., public, internal, or restricted.

There are times when the University requires access to data in the accounts or under the control of an identity they sponsored in a cloud computing service. Data ownership and the University’s right to access the data, regardless of what user or identity it is associated with, needs to be established. The process for obtaining this kind of access needs to be detailed in a Procedures document.

General Data Protection Terms

The University must specify particular data protection terms in a contract with a cloud computing provider in order to create a minimum level of security. A minimum level of security ensures that University data is kept confidential, is not changed inappropriately, and is available to the University as needed.

The University will consider the following contract terms to ensure a minimum level of information security protection:

  • Data transmission and encryption requirements
  • Authentication and authorization mechanisms
  • Intrusion detection and prevention mechanisms
  • Logging and log review requirements
  • Security scan and audit requirements
  • Breach responsibility boundaries
  • Data disposition
  • Service termination terms

Regulatory Requirements

Any use of cloud computing must respect University Policies, as well as provincial and federal regulation including Ontario Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection and Electronic Documents Act (PIPEDA).

Data Access and Handover Process

Before a relationship is established, the conditions under which it can be ended, the responsibilities of involved parties and steps to disengage should be defined. Without these pieces, the process of ending a relationship can become daunting and costly. Starting with a defined set of conditions that either side can use to initiate discontinuation of services reduces the unknowns. The following should be established up front and before engagement:

  • Who can elect termination of service and how notice is given
  • Elements of the disengagement, such as how re-acquisition of data or intellectual property is handled
  • Assignment of duties of the University, the vendor and/or a new cloud computing service vendor
  • Time requirements for response or actions that need to be taken
  • Responsibility for cost associated with detachment
  • Procedures for maintaining the integrity of data or intellectual property throughout the process, and any penalties for not doing so and how integrity is to be established

Information Security Incident Reporting

When engaging a third party to provide cloud computing services, the contractual agreement must include provisions that ensure the University is notified of information security incidents within an acceptable period of time. Depending on the type of incident, the University may have obligations to report breaches to other bodies including provincial and federal governments where Personally Identifiable Information (PII) is involved.

Breach Liability Assignment

When entrusting a third party with access to University data, the process of transferring, storing and processing that data needs to be evaluated, and minimum levels of assurance established. Confirming who has possession of it and the responsibility to protect it needs to be done before an adverse event takes place. Ideally, the cloud computing service vendor must accept liability for any data loss that occurs on the systems, networks or applications they manage. Without the approval of the Manager, Risk and Insurance, an agent of the University must not agree to indemnify a cloud computing vendor.

Service Level Expectation and Performance Metrics

When entering into a cloud computing contract, it is important to make sure that the contract specifies service level expectations and includes performance metrics. The University should consider the following contract provisions to address service level and performance metrics regarding:

  • Service availability time and service outage
  • Routine maintenance timeframes
  • Hardware upgrades to cloud computing services
  • Software updates to cloud computing services
  • Changes to the cloud computing services

Reference Material

http://carleton.ca/secretariat/policies/

  • Information Security Policy
  • Information Technology (IT) Security Policy
  • Cloud Computing Security Policy

http://carleton.ca/privacy/policies/

  • Carleton’s Privacy Policies

http://carleton.ca/privacy/wp-content/uploads/policy_studentrecord.pdf

  • Carleton University Student and Applicant Record Policy