Cloud Computing and Information Security
As cloud computing options proliferate for individuals and large organizations, it is increasingly important for both to make informed choices about appropriate use of cloud services, taking into consideration both benefits and risks.
To assist in making this assessment, faculty and staff can see at a glance whether or not it is permissible to maintain a specific data type in a U-M or external vendor cloud service by viewing the Sensitive Data Guide to IT Services.
What is Cloud Computing?
Cloud computing has several distinct characteristics that distinguish it from a traditionally-hosted computing environment:
Cloud services, sometimes called "software as a service" (SaaS), "infrastructure as a service" (IaaS), or "platform as a service" (PaaS), facilitate rapid deployment of applications and infrastructure without the cost and complexity of purchasing, managing, and maintaining the underlying hardware and software.
Organizations and institutions are increasingly driven to cloud computing as a way to increase functionality, lower cost, and enhance convenience to users by making the services and resources available anywhere there is an internet connection. With cloud computing, users have readily available a suite of applications, features, and infrastructure that would normally require significant investment if provided in the traditional in-house computing environment.
U-M and the Cloud
There are different ways in which cloud computing is being introduced to U-M students, faculty, staff, and researchers. Individuals across campus routinely access cloud applications or services on their smartphone or laptop. Faculty are increasingly using cloud computing applications as class or laboratory tools to supplement or even replace campus-provided resources. U-M researchers work frequently with other researchers across the globe and share data in the cloud.
Proper Use of Cloud Computing Services at U-M
Refer to the Sensitive Data Guide to IT Services to determine where storage of sensitive data is permitted in the U-M computing environment and among current U-M cloud computing service providers. The guide provides information about
Sensitive and Regulated Data: Permitted and Restricted Uses establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data. The standard references the following Standard Practice Guide Policies:
Security and Privacy
The integrity, availability, and maintenance of appropriate confidentiality of institutional data is critical to U-M's reputation and to minimizing institutional exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution like U-M is determining whether a prospective cloud computing vendor has adequate physical, technical, and administrative safeguards as good as or better than the local on-campus systems.
While cloud computing services have numerous potential benefits, there are also potentially significant privacy and security considerations that should be accounted for before collecting, processing, sharing, or storing institutional or personal data in the cloud. Consequently, institutions should conduct careful risk assessment prior to adoption of any cloud computing service.
Specific risks and challenges to consider include:
Information Assurance Consultation Available to U-M Cloud Computing Users
Faculty, staff, researchers, and departments can consult with Information and Infrastructure Assurance (IIA) staff when considering adopting cloud computing services and/or infrastructure.
To begin the process, contact the ITS Service Center.
Other Higher Education Guidance