Information Security Guideline: Cloud Computing Services. Information Security and Privacy Committee Draft version 8/1/2012

(1)

Computing Services

Information Security and Privacy Committee

(2)

i

Introduction

Although use of third party computing services over the internet is not new, it has evolved into a category of computing now referred to as “cloud computing.” The United States National Institute of Standards and Technology defines cloud computing as:

a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.1

Cloud computing services (CCS) are often categorized as “software as a service” (SaaS),

“platform as a service” (PaaS), or “infrastructure as a service” (IaaS), and are sometimes referred to as hosted applications, storage, or computing. See Appendix A for a taxonomy of cloud services and available solutions. Moreover, the definition and limits of the term cloud computing appear to be still evolving.

Potential advantages of using cloud computing services include  “on-demand” access to storage,

 potentially improved service capabilities,  reduced cost of IT ownership,

 collaboration with individuals from anywhere across the globe, and

 access to a suite of applications and features that would normally require significant time and investment to develop.

Examples of cloud computing services currently used by the university for both administrative and academic purposes include:

 university course management (Blackboard),

 e-mail, calendaring, and file storage such as those provided by Google, Microsoft, Yahoo, Dropbox, and others,

 backup services,

 travel management services,

 social media applications (Facebook, Blogspot),  credit card processing, and

 web hosting.

It is anticipated that use of CCS will continue to grow at the university. While there appears to be a tremendous upside potential to the use of CCS, there are also some significant business risks that need to be understood and managed when considering an IT service strategy involving CCS. Understanding these risks will help to assure that university business objectives involving IT services will continue to be achieved over time and the university will be in compliance with applicable laws, regulations, and contracts.

1_{Mell, Peter; Timothy Grance; US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145 (Draft), The NIST}

(4)

2

Purpose

The purpose of this guideline is to help create awareness and understanding to the campus community of the specific business risks and concerns related to using CCSs and to provide guidelines for acquiring and using CCSs to help ensure the university is protected from financial loss or reputational harm.

Scope

This guideline applies to all administrative and academic units that are currently using or are considering the use of CCSs to store confidential or restricted university information2 or to perform a critical3 business process or service.

This guideline is not intended to address academic use of CCSs for teaching and learning purposes. Guidance for this topic is discussed in Academic Use of Cloud Computing Services

(currently under development).

Risks and Concerns Associated with Cloud Computing

The cloud computing model introduces some new business risks and concerns associated with management of information and IT services. These risks primarily stem from moving

information services provisioned “in house” by the university to third party providers. Use of third party services fundamentally means loss of full control over data and IT service delivery processes and placing greater reliance on a third party service provider to assure the following information objectives continue to be met:

 availability,  accessibility,  confidentiality, and  regulatory compliance.

Availability of the data or service to conduct university business. If the service involves key business processes that are critical to operations, the service provider should demonstrate its ability to maintain business continuity and deliver services with minimal disruption and to ensure that the data is properly backed up. This should be specified in a service level agreement or contract with the service provider.

Accessibility to the data or service. Should the CCS provider no longer be able to provide further service, provisions should be in place to ensure the university will be able to recover the data.

2_{Confidential information is}_{non-public sensitive information whose access must be protected due to proprietary, ethical, or privacy} considerations. This classification applies even though there may not be a civil statute requiring this protection. (Examples: Date of Birth, Ethnicity, Donor Contact Information, Contracts).

Restricted information is non-public sensitive information protected and/or regulated by statutes, policies, or regulations. It may also represent

information for which an Information Trustee has exercised his or her right to restrict access. (Examples: Student Academic Record (FERPA), non-directory information, Social Security Number, Credit Card Number, Personal Health Information, Driver’s License Number)

(see Information Classification procedure at policy.byu.edu)

3_{Critical information or services are those where not having access to the information when expected or where an unrecoverable loss of}

(5)

3 Confidentiality of university information. The CCS provider must be able to ensure

university information remains confidential. Information should be protected in accordance with university security policies and procedures and privacy laws such as FERPA, HIPAA, GrammLeachBliley Act (GLB), etc. CCS providers may not have adequate identity and access -management controls. With more sophisticated applications now available that provide access by enterprise users, partners, and clients; highly granular, least privilege-based user access tools are required.

Compliance with laws and regulations—In addition to the various data privacy laws described above, other laws and regulations may apply to information pertaining to nuclear materials, chemicals, bio hazards, and federal research. For example, if the university has information that is subject to federal export controls, the service provider must be prohibited from storing such information at sites located in other countries.

Legal concerns. Several legal concerns are associated with the use of cloud computing. A cloud computing relationship is governed by contract law. Disputes over the terms of the contract could be costly and lengthy to resolve. Since cloud computing relationships are governed by contract, several items need to be considered prior to entering into any contract or agreement to use cloud computing services. These include, but are not limited to

 Data Definition and Use,

 Data Ownership,

 Service Level Expectations and Performance Metrics,

 General Data Protection Terms (FERPA, HIPAA, PCI, etc.),

 Compliance with Legal and Regulatory Requirements, and

 Termination of Service Terms.

If a CCS provider will be storing or processing sensitive university information or delivering a critical IT service, a contract should be in place to ensure that the university is protected from liability or loss arising from data breaches or other problems with the service provider.

Guidelines for Using Cloud Computing Services at BYU

Acquiring Cloud Computing Services

Departments wanting to acquire CCS solutions must ensure that the above concerns are

addressed and that the university is not exposed to unnecessary risk or liability. Before pursuing any CCS solution, departments should first determine if any of the following conditions apply:

 Restricted university information will be stored or processed by the CCS provider,  The information or service is critical to university operations, or

 Regulatory or contractual requirements exist that govern the use or protection of the information such as data privacy, export controls, or research dealing with human subjects.

If any of these conditions apply, university units must follow the information security procedure

Acquiring Cloud Computing Services. This procedure will guide departments through the CCS acquisition process and ensure a proper university contract exists with the CCS provider.

(6)

4 If none of the above conditions apply, no special provisions or procedures are required; however, university units are encouraged to use the Acquiring Cloud Computing Services procedure as a best practice guide.

Departments should be aware that the university provides a variety of applications and services that support instructional, administrative, and research activities by faculty, staff and students. These applications and services should be considered before moving to a CCS solution.

Additionally, the university may have agreements with specific CCS vendors or offer university-hosted solutions that may meet department needs.

Operational Considerations

Departments may need to revise operational business practices and procedures to ensure CCSs are properly managed and will continue to meet operational objectives. The types of operational activities that need to be in place will depend largely on the sensitivity and criticality of the service as described above. Some operational considerations include

 Roles and responsibilities for supporting the CCS service,  User support processes and procedures,

 Security administration,  Transaction monitoring,

 Service performance and availability monitoring;  Data backup and recovery procedures, and  Business continuity plans.

Additional Information

For more information about using cloud computing services at the university see infosec.byu.edu or contact the university Information Security Officer.