Cloud Computing Security

Security Considerations for Cloud Computing

Security, privacy, identity, and other compliance implications of moving data into the cloud.

  1. Confidentiality and Privacy
    1. Institutions are obligated by regulations such as HIPAA or FERPA to protect educational records, yet placing those records in the cloud introduces new risk. "Education records...means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution".
    2. Export controls (such as ITAR).
    3. If some information is FOIA-able what granularity is data defined and managed.
  2. Data Breach Responsibilities and Security. Placing data and services in the cloud amplify concerns about data breaches, yet security is not under direct control of the institution.
    1. Data breach generally carries with it an obligation to notify. Who is responsible for notification (you, vendor, 3rd party) and how quickly.
    2. Risks to intellectual property: authorization, terms and conditions that (inappropriately) assert ownership over IP held by third parties, weakening of ability for institutions to assert "work made for hire" for creations that are developed "without use of institutional resources".
    3. Export controls. Does the vendor house data at foreign sites? Are the systems managed by foreign nationals?
  3. E-Discovery
    1. Institutions and their legal counsel may be obligated to keep records needed for legal discovery. But these records are not under direct institutional control; the institution no longer has the record in the same way that it formerly did. How does one 'discover' within this externalized infrastructure? (See the E-Discovery Toolkit for more information.)
  4. Risk Evaluation
    1. Indemnification (both ways)
    2. Warranties (and lack thereof)
    3. Responsibility for End Users
    4. Patent Infringement
    5. Choice of Law and Jurisdiction
    6. Risk Transfer
    7. Procurement Policies & Practices (e.g., procurement policies should require a risk evaluation for products that store records with confidential data)
    8. The University of Florida's Office of Security and Compliance has provided a template that may be used by other institutions to perform a cloud risk survey: SaaS Security Assessment Questionnaire for Hosting Service Provider. There are many additional resources (templates, guidelines, tools) in the Risk Management chapter of this guide.
  5. Business Continuity
    1. Suspension/Termination and their Aftermath
    2. Service Level Agreements
    3. Fungibility of service (how portable is the data if looking to move to a different cloud provider)
  6. Legal Issues & Third Party Obligations in Cloud Computing Contracts
    1. Grants with Stipulations
    2. Course Management
    3. Risk Transfer
    4. Consider incorporated website terms that are modifiable at will. Since the terms of some contracts are tied to URL's that are modifiable at will, new risk can be introduced without conscious evaluation of it. How does one evaluate a river? Does one ever step into the same river twice? (Is there a service like the WCA to freeze a URL and tie it to a specific time-set of data)
    5. Legal and Quasi-Legal Issues in Cloud Computing Contracts
    6. Data Protection Contractual Language: Common Themes and Examples
Additional Resources for Cloud Computing Security

Higher Education Resources

Industry & Other Resources

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).