Guidance on the Use of Cloud Services
Many of us use "cloud" services, whether we email through a Hotmail account, share photos through Facebook and Flickr, move documents between home and work computers through Dropbox and iCloud, videoconference with colleagues and loved ones in different time zones with Skype and AIM, blog through WordPress and Blogger, upload our lives through video clips on YouTube or collaborate on writing a paper with Google Docs.
If we use these services, it's because they can save us time or money, or offer us the ability to do something we couldn't do otherwise. As a bonus, it means someone else has to worry about those annoying computer tasks like backing up data, ensuring enough disk space, etc.
But the fact that your data, and maybe the university's data and students' data, is now in someone else's hands has all sorts of implications. It can also create risk for you and for the university when there is no contract or agreement between UC and the company offering the service.
Whether a given cloud app is appropriate to use for your UC Irvine activities (or even for your personal use) is a matter of understanding the risks and making an informed decision. This document is intended to help you be a savvy consumer of these services should you choose to utilize them in connection with UC Irvine activities.
- It is your responsibility to take privacy and security into consideration when making decisions about when it is and is not acceptable to use any service, even free or low cost ones. All university and campus policies apply to all university data, whether on UC or non-UC systems. Most of these services typically include "click-to-accept" agreements that have not been reviewed or approved by UC and so may introduce security risks for your information and to the university. If you need help assessing these risks, contact the campus or Health Affairs Information Security Officer.
- Restricted, confidential, or student information must never be stored, received, processed or published on non-UC systems unless you have worked with Purchasing to ensure that a UC-approved agreement is in place that addresses information security and privacy requirements and concerns. Similarly, don't rely on external information systems or services for critical university business processes unless a UC-approved agreement is in place.
- The university cannot protect the privacy of your communications if you use one of these services, as it has no control over what occurs outside its borders. If you use one of these services without consulting with anyone, you may be creating risk for yourself and for the university.
Situations in which non-UC services are (likely) inappropriate
The following are serious indicators of situations in which use of a non-UC service without a UC-approved agreement being in place is inappropriate. If one or more of these conditions apply to your circumstance, consider whether the university offers a solution you could use instead, or work with OIT Software Licensing or Purchasing to negotiate an agreement with the service provider before using the service.
- You will be conducting university business that should not be disclosed to the general public;
- Student data will be involved;
- Restricted or confidential information will be involved;
- You need a high level of security;
- Privacy is a concern;
- There are things that wouldn't be acceptable for the company to do with your information;
- The company will or may store data outside of the United States, or data will cross US borders to reach the user. For example, some of Google's data centers are not within US borders, potentially placing university data under foreign jurisdiction and possibly subject to inspection by foreign governments;
- You have specific requirements for availability of data and electronic communications that the service can't guarantee;
- Credit card data is involved;
- You are subject to the requirements of a Data Management Plan;
- It would be a problem if the service suddenly changes or is no longer available, either temporarily or permanently.
Issues to consider
When you use cloud services, the non-UC company has access to your data, communications, account information, etc. A company may have entirely reasonable privacy, security and business continuity protections in place, but you shouldn't assume they meet UC's standards. How important this is depends upon on your specific use of these services.
To help make this determination, consider the issues listed below. If any of them raise concerns, using a non-UC service without a UC-approved agreement in place may be ill-advised.Privacy issues
Be mindful that your privacy and the privacy of everyone using the product or service are dependent on the non-UC company.
- It's best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
- If a subpoena, search warrant or other legal instrument is presented to the company to obtain information about you, you shouldn't expect to be informed. While some organizations will try to direct the requester to you/the university first, there is no guarantee that this will happen, and the vendor may even be legally prohibited from disclosing the request.
- Companies can be acquired, change business models or go out of business. Even if you keep local copies of critical data, what happens to your data if, say, the company that was hosting your data shuts down?
- It is essential to ensure that ownership of university data remains with the university. Whenever you put data on a commercial service, ensure that the terms do not conflict with university policy or governmental contracts and grants in terms of data ownership. Software Central can help with this.
- Keep in mind that you may be required by the university to produce records relating to university business, including email, instant messages, files, etc., regardless of whether those records are stored on university or non-university systems or services. Using a cloud app does not relieve you of this obligation but may make it more difficult for you to comply.
- There is no guarantee that deleted content or accounts will really be deleted. It may take awhile before the content or the account is completely flushed from all of the company's archives. Practices will also vary as to how long accounts may remain idle before the account and associated data are destroyed.
- If the service is free or "click wrap" you probably have little or no recourse against the vendor if something goes wrong or they do something you don't agree with.
Acknowledgements and Further Reading
- Much of this advisory document has been adapted from UCLA's Guidance on the Use of Cloud Apps by Individuals and UC Santa Cruz's Use of Free Services, with additional input from UC Berkeley and Lawrence Berkeley Lab.
- Cornell University's Challenges to Cloud Computing provides a comprehensive overview of these issues.