Use of Cloud Computing
This document identifies some of the issues and risks involved in leveraging cloud computing services, and provides recommendations on their appropriate use.
Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Examples include Software as a Service, Platform as a Service, and Infrastructure as a Service. Generally, cloud computing services are run outside the walls of the customer organization, on a vendor's infrastructure with vendor maintenance. Although cloud-like services can be internal (e.g., IU's Intelligent Infrastructure), this document refers exclusively to cloud services provided by third party vendors over a network connection where at least part of the service resides outside the institution, regardless of whether those services are freely offered to the public or privately to paying or registered users.
Cloud computing represents an externalization of information technology applications and infrastructure beyond an organization's data center walls. In the university context, cloud computing may be thought of as extra-campus or above-campus computing.
Cloud services are often available "on demand," and utilize an infrastructure shared by the vendor's customers. While some offer a flat fee model or consumption-based pricing, other cloud services are offered at no cost.
Organizations are exploring cloud computing as a way to reduce costs, improve service, increase agility, and free internal resources to focus on differentiating, mission-critical activities.
Within the university, the confidentiality, integrity, availability, use control, and accountability of institutional data and services are expected to be ensured by a suite of physical, technical, and administrative safeguards proportional to the sensitivity and criticality (i.e., risk) of those information assets and services. These safeguards help protect the reputation of the university and reduce institutional exposure to legal and compliance risks. Much of the challenge in approaching cloud computing involves determining whether a service vendor has adequate safeguards in place commensurate with the value and risk associated with assets and services involved.
Although third party cloud capabilities may be used by an institution, they pose additional challenges and risks requiring careful consideration.
- Cloud service immaturity: The cloud computing space is still in a state of relative immaturity. Vendor fluctuations and various service approaches are likely to make this a volatile segment in the short term.
- Vendor lock-in/dependency: Given this immaturity and volatility, vendor dependency or vendor changes (bankruptcies/shutdowns/acquisitions and their consequences) must be considered, including the ability to continue business operations if the vendor shuts down unexpectedly. It may be difficult or impossible to reclaim data from the vendor under such circumstances.
- Risk assessment and management difficulty: Risk assessment and management are difficult in many cases due to poor vendor transparency, inflexible terms of service, lack of a negotiated contract with the vendor (as opposed to a "click through" terms of service imposed on all users), and lack of right to audit. These make achieving a sufficient level of confidence in a vendor and associated risk mitigation a significant challenge.
- Cost/benefit profile uncertainty: Recent surveys suggest that the cost/benefit of cloud services is difficult to assess. A significant proportion of institutions that have used cloud services indicate the cost/savings realized by using cloud services was estimated incorrectly, and that they have been unable to effectively monitor cost/savings, or have only been able to do so with great difficulty. This demonstrates a significant lack of true understanding of the costs and benefits involved. In some cases, cloud services have not yielded any cost advantage. In addition, there may be no way to predict or to protect the organization from significant future service cost increases.
- Lack of contract or service level agreement: Traditional outsourcing arrangements have usually involved a contract and/or service level agreement as a tool for setting expectations, gaining assurances, defining responsibility, and transferring a portion of the risk to the vendor. In some cases, cloud service providers use a one-size-fits-all/take-it-or-leave-it approach to their terms of service and are not willing to enter into such agreements (although large/influential customers may have leverage to negotiate special terms). This is a key difference between traditional outsourcing and some cloud services. In the absence of such an agreement, how can we (a) comply with laws that require or strongly suggest certain contractual terms be in place with vendors who handle sensitive data, and (b) ensure appropriate physical, technical, and administrative safeguards are in place and/or define expectations and responsibilities?
- Liability and reputational risk resulting from vendor actions: Legal and regulatory bodies have made it clear that much of the responsibility and liability for the appropriate security and privacy of the information/service being outsourced remain with the institution. Even with appropriate contractual clauses in place, the institution may become the target of constituent complaints, investigations, lawsuits, and regulatory enforcement actions if a vendor mishandles institutional data and/or gives rise to a data privacy or security breach.
Once the high level challenges are understood, the next step is to consider the risks and determine whether/how to appropriately mitigate those risks in the context of the proposed information and/or service.
- Vendor trustworthiness: How do we establish an adequate level of trust in a cloud service provider? How do we ensure our trust boundaries do not extend farther than intended when using a cloud service vendor?
- Integration: We must account for the ease or difficulty of integrating cloud services with internal systems and processes. How will we manage the integration of such cloud services with current information and/or information services? For example, how would we integrate existing user credentials with a cloud service without reducing the integrity of those credentials? Would we need multiple credentials?
- Data and intellectual property issues: What is the potential for, and what are the consequences of, information loss, leakage, and commingling with other clients' information or services? What are the risks to the intellectual property involved? What response plan will be followed if a data breach occurs? How is the data owner notified?
- Records preservation, access, and management: How would we manage preservation, access, retention, and disposal of information? How would we ensure that university information is securely removed from the vendor's equipment if necessary? How would we ensure that we can preserve and gain prompt access to stored information if needed in the context of a lawsuit, investigation, or public records request?
- Responsibility/liability: What is the relative liability for lost data/revenue accepted by the vendor and retained by the university? How will liabilities related to lost or altered data be shared between the vendor and the university?
- Vendor location: What are the implications of the vendor's location on compliance, cultural, timeliness, and support level issues?
- Human resources safeguards: How does the vendor select, vet, and train its employees to minimize risks to the privacy, security, and integrity of client data? How does the vendor manage employee changes?
- Operational flexibility: What is the effect of the potential loss of flexibility or life cycle control over the service? How would we be alerted to vendor service changes that could impact our operations?
- Security/safeguards: How do we satisfy ourselves that the vendor will employ and maintain adequate safeguards based on the sensitivity and criticality of the information or service involved? For example, how would the vendor ensure that cloud service access privilege changes are applied accurately and in a timely manner? How would the vendor ensure that only authorized individuals are able to modify access privileges? Can the vendor support encryption of data at rest or in transit if necessary?
- Legal/regulatory consequences: How does the use of a cloud service impact our ability to comply with various legal requirements (e.g., HIPAA, FERPA, PCI-DSS, E-discovery, state data protection laws, export control laws)? Do laws where the vendor is incorporated or locates its servers (which may include foreign laws) potentially apply? Are there implications for faculty, staff, or students working or studying outside the US? Can we control where the vendor stores our data if the law restricts the transmission or storage of such data (e.g., certain research data) outside the US?
- Difficulty managing cloud services: How would we interface with the service provider? What management information (e.g., availability, system failures, discovered vulnerabilities, incidents, potential compromises) is available from the provider? Can we access necessary logs associated with the service? What type of user support would be needed for the cloud service? Who would provide it? What are the minimum service expectations? Are tools available to detect service failures? What if the service does not meet our expectations?
- Availability: What are potential issues resulting from vendor downtime, poor vendor quality or reliability, lack of bandwidth, or slow response? What leverage do we have if the level of availability does not meet our expectations? How do we explain outages or poor service performance to our users?
The above factors should not be taken to suggest that cloud computing has no potential benefits; but rather that the benefits must be balanced with the risks involved when evaluating the use of cloud computing services.
Cloud computing services are similar to traditional outsourcing and can be approached analogously while accounting for their unique risks/benefits. The following recommendations and strategies are intended to assist units in their approach to evaluating the prudence and feasibility of leveraging cloud services.
- Risk/benefit analysis: Units considering university services that may be delivered using cloud technology, or new services provided by cloud technology, must identify and understand the risks and benefits of the service. Recognize that vendor security failures will potentially involve or at least reflect on the university. Consider the security and privacy objectives of confidentiality, integrity, availability, use control, and accountability, and determine what would happen if these objectives were not met. Honestly compare costs of the internal and external services, including costs to manage the vendor relationship, and costs of integrating the service with existing internal services and processes.
- Consultation: Consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process. Also, consult with Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office.
- Lower risk candidates: When considering university services that may be delivered using cloud technology, ideal candidates will be those that are non-critical to operations, involve public information, and otherwise would require significant internal infrastructure or investment to deliver or continue delivering internally. These are likely to represent the best opportunities for maximizing benefit while minimizing risk.
- Higher risk candidates: University services that are critical to the operation of the university or involve differentiating or core competencies, and/or involve restricted, or critical information or intellectual property, are necessarily higher risk candidates and require careful scrutiny.
- Consider "internal cloud" alternatives: Due to the decentralized nature of the university, some duplication of effort is inevitable. Units should consider leveraging internal cloud-like services when looking for ways to reduce cost, e.g., units managing their own email servers and/or server hardware should consider migrating to the institutional email solutions and/or a virtual server solution (i.e., Intelligent Infrastructure). "Large enterprises should generally avoid placing sensitive information in public clouds, but concentrate on building internal cloud and hybrid cloud capabilities in the near term," (Dan Blum, "Cloud Computing Security in the Enterprise," Burton Group, July 15, 2009).
- Vendor agreement: In all cases, strive to obtain a contract or service level agreement with the vendor. For non-critical services involving public data, it may be possible to leverage a cloud service without such an agreement if the vendor is willing to provide adequate assurances; however, services critical to the university and/or those involving more sensitive data (i.e., restricted or critical) must not be provided by a cloud vendor without an appropriate agreement in place. Purchasing, the General Counsel's Office, the University Information Policy Office, and the University Information Security Office must be consulted when drafting such agreements.
- Proportionality of safeguards: Vendor physical, technical, and administrative safeguards should be equal to or better than those in place internally for similar services and information. Areas to explore with the vendor include privileged user access, regulatory compliance, data location, data segregation, recovery/data availability, change management, user provisioning and de-provisioning, personnel practices, incident response plans, and investigative/management support, as well as the issues identified in the previous section. Scrutinize any gaps identified.
- Due diligence: Due diligence should be conducted to determine the viability of the vendor/service provider. Consider such factors as vendor reputation, transparency, references, financial standing (means and resources), and independent third-party assessments of vendor safeguards and processes.
- Exit strategy: Cloud services should not be engaged without developing an exit strategy for disengaging from the vendor or service and integrating the service into business continuity and disaster recovery plans. Be sure to determine how you would recover your data from the vendor, especially in cases where the vendor shuts down.
- Proportionality of analysis/evaluation: The depth of the above analysis and evaluation and the scope of risk mitigation measures and required vendor assurances must be proportional to the risk involved, as determined by the sensitivity level of the information involved and the criticality or value to the university of the service involved.
For more information, visit our page on Cloud Computing.
- Published - 26-August-2009
- Revised - 23-November-2011