ITS Safe Computing

Cloud Computing and Information Security

As cloud computing options proliferate for individuals and large organizations, it is increasingly important for both to make informed choices about appropriate use of cloud services, taking into consideration both benefits and risks.

To assist in making this assessment, faculty and staff can see at a glance whether or not it is permissible to maintain a specific data type in a U-M or external vendor cloud service by viewing the Sensitive Data Guide to IT Services.

What is Cloud Computing?

Cloud computing has several characteristics that distinguish it from a traditionally hosted computing environment:

  • Users often have on-demand access to scalable information technology capabilities and services that are provided through internet-based technologies.
  • These resources run on an external or third-party service provider's system. This is in contrast to traditional systems, which run on locally hosted servers. Unlike traditional systems, which are under the user's personal or institutional control, cloud computing services are fully managed by the provider.
  • Typically, many unaffiliated and unconnected users share the service provider's infrastructure.
  • Using cloud services reduces the need to carry data on removable media because of network access anywhere, anytime.

Cloud services, sometimes called "software as a service" (SaaS), "infrastructure as a service" (IaaS), or "platform as a service" (PaaS), facilitate rapid deployment of applications and infrastructure without the cost and complexity of purchasing, managing, and maintaining the underlying hardware and software.

Organizations and institutions are increasingly driven to cloud computing as a way to increase functionality, lower cost, and enhance convenience to users by making the services and resources available anywhere there is an internet connection. With cloud computing, users have ready access to a suite of applications, features, and infrastructure that would normally require significant investment if provided in a traditional in-house computing environment.

U-M and the Cloud

There are different ways in which cloud computing is being introduced to U-M students, faculty, staff, and researchers. Individuals across campus routinely access cloud applications or services on their smartphone or laptop. Faculty are increasingly using cloud computing applications as class or laboratory tools to supplement or even replace campus-provided resources. U-M researchers work frequently with other researchers across the globe and share data in the cloud.

As part of the NextGen Michigan initiatives, the university is implementing a full service environment and shared internal cloud by migrating from current servers to new virtual servers. The most significant of these new services are M+Box, M+Google, MiDatabase, and MiServer:

  • M+Box provides a storage solution for U-M students, faculty, and staff to store and share files online. It's part of a two-year agreement between Internet2, U-M, and several other peer institutions.
  • M+Google provides a platform for collaboration, including shared documents, as well as email and calendaring.
  • MiDatabase is a U-M hosted cloud service, managed by ITS, consisting of a virtual server and a managed database.
  • MiServer is a virtual server environment managed by ITS, which allows users to focus on managing applications instead of the operating system (physical servers).

Proper Use of Cloud Computing Services at U-M

Cloud computing should not be used for information that is private, personal, or sensitive, unless there is a contractual agreement between U-M and the service provider that protects the confidentiality of the information and data. A contractual agreement is a formal contract that would typically be reviewed by the Office of General Counsel.

U-M engages in research, teaching, and business activities that encompass a variety of regulated sensitive data. There are important institutional and individual responsibilities for compliance to ensure that such data are properly protected. Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to store institutional or research data in cloud computing services.

Sensitive and Regulated Data: Permitted and Restricted Uses establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data. The standard references the following Standard Practice Guide Policies:

Please refer to the Sensitive Data Guide to IT Services to determine where storage of sensitive data is permitted in the U-M computing environment and among current U-M cloud computing service providers.

Security and Privacy

The integrity, availability, and appropriate confidentiality of institutional data are critical to U-M's reputation and to minimizing institutional exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution like U-M is determining whether a prospective cloud computing vendor has physical, technical, and administrative safeguards that are as good as or better than those of the local on-campus systems.

While cloud computing services have numerous potential benefits, there are also potentially significant privacy and security considerations that should be accounted for before collecting, processing, sharing, or storing institutional or personal data in the cloud. Consequently, institutions should conduct a careful risk assessment prior to adoption of any cloud computing service.

Specific risks and challenges to consider include:

  • Vendor transparency and inadequate or unclear service level agreements
  • Privacy and confidentiality of personal, sensitive, or regulated data and information
  • Legal and regulatory compliance
  • Cyber security and support for incident forensics
  • Records preservation, access, and management
  • Service availability and reliability

Information Assurance Consultation Available to U-M Cloud Computing Users

Faculty, staff, researchers, and departments can consult with Information and Infrastructure Assurance (IIA) staff when considering adopting cloud computing services and/or infrastructure.

To begin the process, contact 4help@umich.edu.

Additional Resources

Other Higher Education Guidance

Educause