Guidance on Use and Selection of Cloud Services

1. Purpose and Summary
The University relies on IT systems and, to a lesser extent, manual procedures for handling
and processing the information supporting many of its activities. Information that the
University manages needs to be appropriately secured to protect against consequences of
breaches of confidentiality, failures of integrity, interruption to availability and failure to
comply with legal, statutory or regulatory requirements.
The core principles of information security are confidentiality, integrity and availability, and it
is vital that we are able to protect these values with regard to University information assets:
• Confidentiality: ensuring that only those individuals who have a valid and authorised reason to access the information can do so;
• Integrity: ensuring that information is not altered, deleted or otherwise modified by individuals or processes unauthorised to do so;
• Availability: ensuring that the information can be accessed when it is required.
The University recognises that failure to adhere to its legislative, regulatory and contractual
obligations may result in significant financial and legal penalties and reputational damage.
With respect to information relating to individuals as covered by the Data Protection Act
1998, the Information Commissioner’s Office can issue a monetary penalty up to £500,000 if
it were determined that the University did not take reasonable steps to secure personal
information or acted in such a way as to knowingly put information security at risk.
This document provides guidance to University staff and students on the use of cloud IT
resources and services for processing University data. Cloud services offer benefits
including cost reduction, flexibility of scale and remote access. However, users need to
consider the data privacy and legal compliance risks associated with the use of Cloud
services for processing University data relating to individuals, or which is commercially
sensitive.
Further advice and guidance will be issued from time to time in recognition of the speed of
change and developments in this new and emerging area of technology. Help and support is
available from a number of areas of the University and these are listed in section 6 below.
Scope and Responsibilities
The guidelines apply to the use of any Cloud service which involves the processing and/or
storage of University information.
Responsibility for ensuring appropriate use of Cloud services in accordance with relevant
legislation and University policies lies with University staff and students managing, procuring
or overseeing any services identified below. The University acknowledges that individuals
are best positioned to determine and select services to suit their requirements, but they should be
aware that in doing so, for University information, the University remains responsible and
they are entering into an agreement on its behalf. It is therefore of high importance that
individuals involved in the selection and procurement of Cloud services for University
information are clear about this responsibility and are supported to make appropriate choices.
UoW Guidance on the use of Cloud Services v1.3.1
2. Definition of Cloud Services
‘Cloud services’ is a general term for anything that involves delivering hosted services over
the Internet. Many users will have encountered the Cloud as a way of storing their
information remotely (e.g. iCloud, Dropbox, Google Docs). The term ‘Cloud’ was inspired by
the cloud symbol that's often used to represent the Internet in flowcharts and diagrams.
A cloud service has three distinct characteristics that differentiate it from traditional hosting. It
is sold on demand, typically by the minute or the hour; it is elastic - a user can have as much
or as little of a service as they want at any given time; and the service is fully managed by
the provider (the user needs nothing but a personal computer and Internet access).
Cloud Services fall into three main categories of service:
Infrastructure-as-a-Service (IaaS): customers can use ‘rented’ computer infrastructure (e.g.
services, network equipment, memory) as a service through the internet. Additional
hardware can be sourced at speed.
Platform-as-a-Service (PaaS): customers can access a set of software and product
development tools (the ‘platform’) hosted in the Cloud. Customers can also use the
Cloud-based platforms to send out applications on the internet to third parties.
Software-as-a-Service (SaaS): customers can access and use software (e.g. applications for
word-processing, spreadsheets, email) through the internet rather than storing it on their own
machines. The SaaS service is generally billed on a utility basis and therefore the cost
typically reflects the level of service.
Users can choose between a range of Cloud types to deliver these services and these vary
in respect of data privacy, service levels and flexibility around contractual terms and
conditions. Details of the choices are presented in section 4 below.
The Cloud can offer organisations many benefits including:
• Reduced IT capital costs and ongoing operating costs
• Flexibility and scalability of IT resources
• Reduced environmental impact, and
• Economies of scale on price, quality and expertise, allowing purchase of potentially more robust and secure IT solutions.
3. The University’s Approach to the Cloud
The University recognises that there are circumstances where the appropriate use of Cloud
services enables University staff and students to work collaboratively and remotely.
However, this does mean that the use of public Cloud services (such as DropBox or
GoogleDocs) is never an appropriate choice to store or process University information.
The benefits of Cloud Services must be balanced against the risks related to processing or
storing certain types of information in the Cloud. Particular attention must be paid to
assessing the legal risks regarding data protection or contractual obligations, in order to
ensure that the use of Cloud services does not lead to a breach of University policy and/or
regulations and/or place the University at risk of a breach of legislation. Use of Cloud
services for University information must also be compliant with the University Information
Security Policy and Regulation 31 [1].
[1] See www.warwick.ac.uk/gov/informationsecurity/
University information with a classification of Restricted or above (e.g. relating to
individuals or which is commercially sensitive) should only be stored on secure
University systems or in private Cloud with third parties which are subject to a formal,
legal contract with the University.
4. What Types of University Information can be stored in the Cloud?
There are different choices for Cloud services, each of which carries different risks in terms of
data privacy and the service levels you can expect. All Cloud services will be provided on
agreement to terms and conditions – this may be anything from a check box stating you
accept the provider’s standard terms when you register to the service through to a
customer-specific contract.
The three main choices are presented below, together with an indication of suitability for the
different classes of University information:
Types of University Information [2]: Public, Protected, Restricted, Reserved

Cloud Option (definition)

Public Cloud
(Public cloud applications, storage, and other resources are made available to the general public by a service provider. These services are free or offered on a pay-per-use model. Generally, public cloud service providers like Amazon AWS, Microsoft, DropBox and Google own and operate the infrastructure and offer access only via Internet)

Professional/Community Cloud
(This option shares infrastructure between several organisations from a specific community with common concerns (research, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally.)
Use of professional and community Cloud is permitted for lower risk University information but adequate assurances around data confidentiality and security are required.

Private Cloud
(This is cloud infrastructure with separate areas for each customer under a dedicated contract, whether managed internally or by a third-party and hosted internally or externally. An example of this is the Microsoft live@edu email service used by the University)

[2] See University Data Classifications (www.warwick.ac.uk/gov/informationsecurity/)
5. What Do You Need To Do
The following steps should be undertaken when choosing to use cloud services for storing,
processing and/or sharing University information:
1. Identify the class of information you wish to store, process and/or share using cloud
resources or services using the University Information Classifications [2] (i.e. Public,
Protected, Restricted or Reserved).
2. Refer to the table above to see which types of cloud service are appropriate for that type
of information.
3. Research possible services or providers taking into account the considerations set out in
the Due Diligence section of Annex A. Outside of the legal requirements set out around
confidentiality and data protection, the decision of one service over another rests on the
suitability to deliver the service and performance needed to achieve your purpose.
Some partner organisations or research funders may stipulate specific storage and
access requirements for their information and it is important that these considerations
are taken into account when deciding which service or provider to use. Failure to adhere
to these obligations could result in legal or financial penalties, as well as potential
reputational damage for the University.
4. Undertake due diligence with the Institutional Governance Team and the Purchasing
Team as part of the standard procurement process [3]. This process will vary depending
on the cost of the service and the sensitivity of the University information to be stored,
processed and/or shared via the cloud service.
You should perform the same steps and seek the same due diligence even if your
preferred service is delivered free of charge. The University has a responsibility to
protect its information, including continuity of access and security to that information
when stored or processed outside of the University’s systems.
6. Further Resources and Help
If you need advice and guidance on how to select and use Cloud services, you can contact
the following areas:
The Institutional Governance Team can advise on the legal aspects of Cloud services
(www.warwick.ac.uk/gov/informationsecurity).
IT Services can provide guidance on the technical aspects of migrating data to the Cloud
and the technical security concerns. Contact the IT Security team via helpdesk@warwick.ac.uk.
The Purchasing and Insurance Office can provide assistance in the purchasing and
tendering processes for potential Cloud services
(www.warwick.ac.uk/finance/purchasing_and_insurance).
More information around data protection and other considerations when selecting Cloud
services is provided in Annex A.
[3] See http://www2.warwick.ac.uk/services/finance/purchasing_and_insurance
Annex A – Legal and Contractual Considerations
1. Data Protection Considerations
Many Cloud services involve the submission and storage of personal data (any information
from which a living individual can be identified). As with any service provider processing
personal data, liability for the service provider’s breach of the Data Protection Act 1998
(DPA) or data protection law in other territories whilst processing the University’s data is
ultimately the University’s responsibility.
University staff, students and other parties acting on our behalf must comply with the
University Information Security Policy and the University Data Protection Policy in
order to safeguard the University in this respect.
The Cloud presents two broad areas of risk which must be considered and addressed
adequately within contracts, namely lack of control over the data (ability to exclusively
ensure its confidentiality, integrity, isolation and availability) and lack of transparency (of the
data processing including location of the data centres, information around possible
sub-contractors and transfer of the data outside of the EEA).
It is important to address the legal concerns properly prior to moving data to the
Cloud. Appropriate legal advice must be obtained from the Institutional Governance
Team.
2. Points for Consideration When Selecting Cloud Services
Information Ownership and Research
Who owns the data stored in the Cloud?
The act of placing data in the Cloud should not alter its ownership status. Intellectual
Property Rights (IPR) of material uploaded to the Cloud will normally be retained by the
University in the case of works created by staff, unless there is agreement otherwise. Please
refer to the University’s Regulation 28 on Intellectual Property Rights
(www.go.warwick.ac.uk/calendar ).
However, the nature of the Cloud means that information is constantly being added,
removed or modified, and new information generated. This results in potential difficulty in
identifying where the material was created, acknowledging that it should be possible to
identify the creator and therefore the first IPR owner.
Analysis [4] of Cloud providers’ terms and conditions suggests that Cloud providers do not
assert ownership of the intellectual property rights in content and data uploaded by their
users.
Licensing
Cloud providers, although not asserting IPR, frequently include provision within their contract
terms and conditions stating that the customer (i.e. the University) grants the provider a
compulsory licence to republish some or all of the customer’s data for the purpose of
provision of the service.
You will be responsible, in liaison with the Legal Services Team, for ensuring that the extent
of such a licence is limited to that necessary for the provision of the Cloud service, and that
any such licence is compatible with the University’s obligations to third parties.
[4] Queen Mary University of London School of Law: http://www.cloudlegal.ccls.qmul.ac.uk/
Lawful Processing of Personal Data
The seventh data protection principle in the DPA requires the University to ensure that
personal data relating to its staff, students and others remains secure, including protecting
such data from accidental loss. The responsibility remains with the University in cases
where the processing of the data is passed to a third party provider.
Beyond the requirements of the DPA, it is possible for the University to be liable to staff,
students and others under contract law in the case where it has agreed, in a contract with
these groups, to ensure the security of data and fails to do so. The University could also be
liable in negligence where it fails to take reasonable precautions and staff, students or others
suffer loss or distress as a result.
Due Diligence
The Purchasing and Insurance Team, the Institutional Governance Team and Legal
Services Team can provide support in assessing the capability of potential Cloud providers
to protect University data. A standard information security workbook is available on request
and should be completed to gain assurance on the following broad areas:
• Where (geographically) the data is stored. If it is outside Europe (formally, outside the EEA) and in a country not recognised by the Information Commissioner [5] as providing adequate levels of protection and not stored in the USA under Safe Harbor, then you should not use the service.
• If the data is stored with a US company subject to the Federal Trade Commission [6], you need to be aware that the company will transfer your data to the USA when compelled (or sometimes simply requested) to do so. As non-US citizens, we do not have the same levels of protection with respect to our data as US citizens do when data is stored in the USA.
• Whether the personal and sensitive data is (strongly) encrypted when stored, transferred and processed and whether strong authentication and limited access control will be employed to ensure confidentiality.
• Will the Cloud provider use any sub-contractors to process your data, can the provider assure the sub-contractor’s ability to protect your data and how will your instructions and obligations be transferred to these other parties?
• How and when you can access your data during the contract and what happens when the contract comes to an end? Of particular note is the University’s obligation to respond to Freedom of Information requests within the 20 working days limit and even if the data is held in the Cloud, the law still regards the University as holding the data.
• How easy is it to move your data between Cloud providers? Currently most Cloud providers do not make use of standard data formats making it difficult to migrate between providers (so-called vendor lock-in).
• What service levels are provided and are they adequate to your needs? What disaster recovery and business continuity plans are in place to ensure continued availability of the service?
• Is the provider "reputable"? This is sometimes difficult to judge, but consider how long they have been in business. Cloud storage is a highly competitive market and some current providers can be expected not to remain in business.
[5] www.ico.gov.uk
[6] www.ftc.gov
Law Enforcement and Loss of Control
The Regulation of Investigatory Powers Act 2000 (RIPA) governs disclosure of information
by the University to law enforcement agencies. The University has published a statement on
RIPA [7]. You will be required to ensure that any proposed contract with a Cloud provider is
compatible with the University’s RIPA statement.
From the perspective of staff, students and others, under RIPA, the University may disclose
to the Police information regarding communications and who made them, inclusive on
occasion of the identity of the user of a particular email or IP address, login records and the
recipient of particular emails. The RIPA does not cover the content of emails. Disclosure of
email content requires a court order or a request under Sections 28 and 29 of the DPA.
Document History
11 July 2012 (J. Findlay): Began first draft (v1)
13 Aug 2012 (J. Findlay): Incorporated comments from Director of IT Services (v1.1)
16 Apr 2013 (J. Findlay): Incorporated further comments from the Director of IT Services, Head of Institutional Governance Support, Prof M Knights and Deputy Registrar (v1.2)
9 May 2013 (J. Findlay): Incorporated comments and approved for release by Senior Officers (v1.3)
9 Oct 2013 (J. Findlay): Minor amends to revise information classifications in line with new Information Classification and Handling Procedure (v1.3.1)
The official version of this document will be maintained online. Before referring to any printed
copies please ensure they are up to date.
[7] www.go.warwick.ac.uk/gov/informationsecurity