Cloud Storage Policy (Draft for consultation)
Please note that this draft is under consultation with stakeholders in colleges and
university services, before refinement and approval by the appropriate University
Committee.
If you have comments or feedback, please contact Information Security co-ordinator
[email protected]
1. Summary ... 2
2. Purpose ... 2
3. Cloud Storage Definition ... 2
4. Scope ... 2
5. Cloud Storage Characteristics and Risks ... 2
5.1 Consumer orientated ... 3
5.2 Business orientated ... 3
6. Policy ... 4
6.1 Objectives ... 4
6.2 Consumer orientated Cloud Storage ... 4
6.3 Business orientated Cloud Storage ... 5
7. Information Sharing ... 5
8. Synchronising information ... 6
9. Legislation, Policy and Guidance ... 6
page 2
1.
Summary
Confidential University data must not be stored on consumer-oriented cloud services. It may, where the relevant risks have been addressed, and under certain circumstances, be stored on business-oriented cloud services. However, data concerning living individuals may not be stored on any cloud service, unless the University has approved the cloud provider in question for the purpose.
2.
Purpose
This Policy defines the University’s position on the use of Cloud Storage as it relates to the potential storage of University data. The Policy sets out a clear definition of Cloud Storage and the types of University data which may be stored together with any additional safeguards which must be adhered to.
3.
Cloud Storage Definition
For the purposes of this policy, Cloud Storage is defined as:
“Public Cloud Storage Services provided by an external supplier and made available to organisations, or individuals, on terms and conditions, which are defined by the external supplier. Cloud Storage and associated files reside outwith the organisation’s domain (Data Centres) and is usually accessed via a web interface and various synchronisation options, which facilitates the sharing of files and makes data available over a range of computers and other mobile devices.”
Examples of Public Cloud Storage providers include:
DropBox
Box
Microsoft (SkyDrive/OneDrive)
Apple (iCloud)
Oracle
IBM
4.
Scope
This policy applies to all University data i.e. information which arises in University teaching, research and administration, and applies to all staff, students and other parties who have access to University data. Any exceptions must be documented and approved by the Information Policy and Strategy Committee. This policy does not override policies covering data owned or provided by other organisations, and individuals must adhere to any other relevant policies including those stipulated by the organisation providing the data. In situations where that policy differs from this one, the stronger of the two requirements must be respected, unless both organisations have agreed otherwise.
5.
Cloud Storage Characteristics and Risks
page 3
5.1 Consumer orientated
Consumer orientated Cloud storage is commonplace and is often made available free of charge to individuals via a user registration process or bundled with many service offerings and initial hardware purchases. Individuals access their Cloud storage via a number of options including;
Web Browser
Desktop synchronisation client
Drive mapping or equivalent
Mobile app
This means that individuals have access to their storage across a range of devices providing a wide choice of access technologies and data sharing options.
However when signing up with a cloud storage provider the individual must accept the provider’s Terms and Conditions and any associated service level agreement. This presents a number of risks to the security, confidentiality and availability of the individual’s data; in particular:
There is no guarantee on data protection, retention or backup
The Cloud provider may store data outwith the UK/EU and not be bound by UK/EU laws relating to the
protection of personal data.
Individuals should read carefully the Terms and Conditions governing the use of their Cloud storage with
particular reference to;
o Circumstances leading to account termination and potential loss of data.
o Provider’s liability for negligence with respect to misuse, exposure, loss or damage of data
o Confidentiality of data with respect to Providers data mining activities and potential resale of information for advertising, user tracking and user profiling purposes.
o Considerations about who actually owns the data and therefore has full rights over it. Some
cloud providers may assert ownership of any data stored in the provider’s cloud, or reserve the right to do so in future.
The financial stability of Cloud Storage providers should be considered to avoid a potential end of
service with no or little notice.
5.2 Business orientated
There are several Cloud storage providers who offer services specifically tailored for business use. Organisations contract with their preferred cloud storage provider for specific services and manage the accounts for the individuals within their organisation who they wish to have access to Cloud Storage. Authorised individuals access their allocated Cloud storage via a number of options including;
Web Browser
Desktop synchronisation client
Drive mapping or equivalent
Mobile app
This means that authorised individuals have access to their allocated storage across a range of devices providing a wide choice of access technologies and data sharing options.
The Business orientated Cloud storage services address many of the risks associated with the consumer versions, in particular
page 4
The organisation retains full ownership of their data
Security, confidentiality and availability of data are sometimes assured via industry standard accreditations e.g. ISO 27001, EU Safe Harbour.
Data retention and backup arrangements are defined
There is no advertising built from data mining or other uses of Business data
The Cloud provider’s liability relating to negligence, misuse, lose or damage of data is better defined From a corporate and legal perspective several issues remain, which need to be considered and addressed before deciding on the type of information that is suitable for Cloud Storage via an external provider. In particular:
Research data management, where either the organisation providing the data, or the funding body
have specific requirements for where it must reside e.g. in the UK, or in the University itself.
Data Protection Act, governing the storage and management of personal information
The University’s policy on confidential data
Risks associated with automatic data synchronisation between Cloud storage and corporate/personal
devices
Also, agencies of foreign governments may potentially have access to data in cloud storage, and this
may be a concern for storing certain types of information.
6.
Policy
6.1 Objectives
Safeguard the security, confidentiality, integrity and availability of the University’s information assets.
Ensure compliance with national and international laws governing the storage and guardianship of data
Ensure compliance with contractual commitments relating to the storage and guardianship of data
Ensure that University employees and other partners understand the University’s requirements relating to
the storage and guardianship of data
6.2 Consumer orientated Cloud Storage
Allowed
Only non-confidential information
which the University has placed in the public domain or would release into the public domain, for example under Freedom of Information, may be stored within Consumer
orientated Cloud Storage.
Any allowable information stored
within Consumer Orientated Cloud Storage should also have copies held within the University, and therefore not comprise the only copy.
Not Allowed
The University forbids the use of consumer orientated Cloud Storage for the following information assets:
Information which the University considers private and
would not make available to the public, or might be exempt from release under Freedom of Information
Personal data i.e. that which concerns living individuals
and hence falls under the Data Protection Act
Information relating to contractual undertakings
between the University and third parties
Information relating to research outcomes, prior to
publication
Information relating to the normal business of theuniversity including, emails, minutes of meetings, reports, budget statements, audit reports, proposals, project plans, project progress reports, strategic reviews etc.
page 5
6.3 Business orientated Cloud Storage
The University accepts that business-orientated Cloud Storage can provide solutions for a wide range of strategic objectives including:
Ease of information sharing between individuals within the University
Ease of sharing of information between individuals within the University and other partners outwith
the University
Ability to access information whilst away from the University via a range of device types
Security, confidentiality and availability of Information assets
Allowed
The University permits the storage of public, private and confidential information within business-orientated Cloud Storage as long as the following conditions are met:
The information is not personal data (i.e.
relating to living persons).
The activity is in accordance with the
University’s policy on confidential data.
The service-specific contract and service level
agreement (SLA) must satisfy the University’s requirements for information guardianship.
The University’s legal and contractual
obligations must not be compromised
Where the Service specific contract and SLA
does not guarantee the timely recovery of lost or damaged data then any allowable
information stored within Business Orientated Cloud Storage should be copies of information held elsewhere within the University and therefore not the only version.
The University must retain management
control of the user accounts associated with cloud storage subscriptions
Not Allowed
The University does not permit the storage of the following types of information on business-orientated cloud storage services:
Personal data as defined by the Data
Protection Act
Information subject to specific requirements
on storage location e.g. must be held within the University’s own data centres
Further details about the University’s requirements and legal commitments can be found under the ‘Legislation, Policy and Guidance’ section below
Clarifications and advice on ‘Allowable use’ is available from the Data Protection and Freedom of Information Office and IT Services via the IT Services help desk.
7.
Information Sharing
The following restrictions apply to the sharing and synchronisation of University data. Where there is a requirement to share information with others then it is important that individuals who enable the sharing of data do so with the following safeguards:
Grant access to the specific Folders and files that are required to support the Collaboration or
information sharing and ensure that no other folders or files are made available.
Inform all individuals involved in the collaboration or information sharing that they have a duty of
care for the information provided and must honour all security requirements as well as privacy or confidentiality commitments.
page 6
8.
Synchronising information
Synchronising information to and from Allowable Cloud Storage can provide significant advantages in terms of information availability and speed of access. Synchronising information across a range of devices requires the following safeguards:
Individuals must ensure that the devices involved in the synchronisation process are protected as far as
possible from unauthorised access or loss. Mobile devices must have a “PIN” code or equivalent enabled.
Individuals must ensure that the devices involved in the synchronisation process are protected as far as
possible from malware and are kept up to date with vendor supplied security patches.
Individuals must ensure that any private or sensitive University information is further protected via
strong data encryption. Laptops must have Full Disk Encryption configured before data is synced.
9
.
Legislation, Policy and Guidance
Data Protection and Freedom of Information Office (University of Glasgow) Policy and Guidelines on Confidential Data in (University of Glasgow) Data management Support for Researchers (University of Glasgow)
Guidance on the Use of Cloud Computing (Information Commissioners Office)
10. List of approved Business Orientated Cloud Storage providers
The University will maintain and publish a list of approved Business Orientated cloud Storage providers to ensure that Colleges and University services staff choose the most appropriate supplier for their specific purposes. The list will be maintained by IT Services and published on the University web site.
For the purposes of this draft policy the current list of approved suppliers is as follow. Arkivum (Current service)
For Research Data Management archive at project closure. The Arkivum Research Data management services were contracted via an open procurement conducted on behalf of the UK academic institutions by JISC.
Microsoft OneDrive for Business (In development at University of Glasgow release September 2015) OneDrive for business is part of the Office 365 suite of services which deliver a rich set of Business class collaboration solutions. The complete suite of services has been reviewed by the JISC on behalf of UK Academic Institutions leading to advantageous changes to Contract terms and the supporting Service Level Agreement. In addition Office 365 has been approved by the UK Government to hold or transact public sector data for business conducted at the “OFFICIAL” level of Security Classification.
Draft Document Control
Draft (rev 1.209) for comment (2015-04-23) Layout revision (2015-05-26)
