NCSAM: Cloud computing
Safely using the cloud to manage University information
11:18 a.m., Oct. 31, 2012--Since 2004, EDUCAUSE, the National Cyber Security Alliance (NCSA) and other national organizations have declared October to be National Cyber Security Awareness Month (NSCAM), and the University of Delaware has joined in this annual effort to promote cyber security.
Many people at UD have started using cloud computing, non-University computing storage and other resources delivered as a service over the Internet.
“The cloud can make usability, administrative processes, research and scholarly collaboration more efficient and effective,” Karl Hassler, associate director of IT Network and System Services, said. “That’s the good news. On the downside, the lure of a free cloud application may obscure the risks to University information. The one-size-fits-all terms and conditions might not be appropriate for all University information.”
Before storing or processing University information in the cloud, it is important for UD employees to consider the potential impact that putting that information in the cloud could have on the University’s operations, ability to comply with legal regulations, and protection of privacy. The information’s classification determines its protection requirements. Not all cloud services can meet minimum protection requirements.
While UD utilizes cloud services such as Google Drive and Canvas to store and manage information, they are not appropriate for hosting all types of University information. “You wouldn’t store medical records in Google Drive the risks of violating personal privacy are too great,” Hassler explained. “Google Drive is not a good choice for storing sensitive, confidential or personally identifiable information (PII).”
Before putting University information in the cloud, it is essential to determine whether the information will be adequately protected. For confidential and official use only (OUO) information the click-through terms and conditions will not suffice. Contractual assurances and documentation of the cloud vendor’s security protocols may be necessary to meet sensitive or critical information’s protection requirements.
If your unit or department is interested in taking advantage of the cloud, look at the Process overview detailed in Information Technologies’ (IT) new Cloud vendor management program website. The site will walk you through the information classification stage and help you determine if a contract is needed.
Article by Sarah E. Meadows