Standards and Guidelines for Using and Procuring Cloud or Third Party Information Technology Services
- General Standards and Responsibilities
- How to initiate a Cloud Services Project
- Guidance on Institutional use of Cloud Services at UT Arlington
- Guidance on Personal Use of Instututional Cloud Services
- General Advantages of Cloud Services
- Potential Risks and Consequences
- Best Practices, Requirements and Cautions for Using Cloud Services
- Updates and modifications to this guideline
Most users recognize Cloud Services offered to consumers such as free email (e.g. Google Gmail, Microsoft Live, etc.) or free storage (e.g. Photobucket, Google Drive, Microsoft One Drive, Box, Dropbox, etc.), and numerous other services that permit storage or file sharing.
While these services are great options for personal use, the terms and conditions that accompany them generally do not meet Texas State, UT System or UT Arlington requirements. These requirements are in place in order to protect the interests of the University and to ensure that the standards for data security are met. For example, UT Arlington requires assurance that sensitive or confidential files placed on such services are not released to other parties or placed in other countries without our knowledge.
This document provides best practices, standards and guidelines for procuring and using third party information technology services, including Cloud Services, at UT Arlington. It also outlines some of the risks and costs associated with Cloud Services that may not be readily apparent.
This document applies to all services purchased by UT Arlington departments or employees that involve the creation, transfer, storage, manipulation, processing or other handling of University data on third party information resources. These third party services include, but are not limited to, Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Data as a Service (DaaS), or other such services that are hereafter and collectively known as Cloud Services.
1) Each Cloud Service must have an Institutional Owner
The Owner can be a department head or researcher. The Owner will be responsible for the ongoing business relationship with the Cloud Services provider. It is the Owner’s responsibility to:
- Obtain approval and support from his or her respective University Vice President or Dean to acquire and use the Cloud Service. All risks and responsibility for the Cloud Service are assumed by the Owner and approved by respective Vice President or Dean.
- Justify the ongoing business relationship with the Cloud Service provider.
- Monitor and ensure that the ongoing use of the service conforms to State, UT System and UT Arlington policies and regulations.
- Classify the data and assign mission criticality of the Cloud Service.
- Ensure that a Custodian has been assigned to implement, maintain or monitor the information security of the service.
- Ensuring that access control and related procedures are reviewed periodically.
2) All Cloud Services, particularly those involving confidential information, must be approved by UT Arlington CIO and CISO prior to procurement.
This is to ensure that the service:
- Is required in order to meet the University’s mission.
- Has an appropriate Owner who will be responsible for the ongoing relationship with the Cloud Provider and will be responsible for the information security practices surrounding its use.
- Is not wasteful or redundant especially considering the availability of on-premises services or other cloud services; ensuring that the service, or an equivalent one, has not already been purchased.
- Scope can be expanded or reduced based on a cost/benefit analysis. It is possible that the service may serve the institution well and therefore a site-wide license or purchase can be made in order to obtain a better price.
- Will continue to have executive support and succession plan in the event the Owner leaves the institution.
3) Each Cloud Service must be properly sanctioned
Due diligence must be performed prior to entering into an agreement with a third party, and this goes beyond verifying Cloud Service functionality. This includes ensuring that:
- The terms and conditions of the service has been approved by the Office of University Compliance and Legal Affairs. Note that:
i. UTA can incorporate standardized contractual language that is coordinated with UT System and the State that covers Cloud Services. These standard terms and conditions address many, but not all, of the risks identified in this document.
ii. All third party agreements, including the click-through agreements, which accompany Cloud Services can only be signed by a UT Arlington official with institutional signature authority. It is possible to supersede the terms and conditions in a click-through agreement with one that is established separately.
- Ensuring that an information security risk assessment has been completed. The Information Security Office conducts risk assessments and provides results to Owners. All services that involve the creation, storage, transfer, manipulation or other handling of University or regulated data on Cloud Services must be reviewed and approved by the Chief Information Security Officer.
- Ensuring that the Cloud Services can be supported by centralized IT infrastructure. All Cloud Services that require integration with UT Arlington information resources (such as authentication services like shibboleth, LDAP or ADFS) must be reviewed and approved by the Vice President of Information Technology and Chief Information Officer.
- Ensuring that the data can be readily accessed by UTA as the need arises or if an individual leaves the institution.
IV. How to initiate a Cloud Services Project
Until such time that a formal procedure is in place at UT Arlington, the quickest method to initiate a project is to contact the Information Security Office. Please see the Cloud Procurement Procedures site for more information. The Information Security Office will request a meeting with the vendor and the prospective Owner in order to understand the nature of the service, and will thereafter guide the process.
V. Guidance on Institutional use of Cloud Services at UT Arlington
There is no prohibition against the procurement of Cloud Services at UT Arlington. In fact, UT Arlington has sanctioned Cloud Services that contribute to the overall success of our mission; these include the branded services called UTA Flow, UTA Box, Blackboard, Qualtrics, Lynda, etc. In some respects, our business critical systems such as MyMav and UT Share, can be considered also Cloud Services, albeit cooperatively run with UT System.
As a general policy, unless absolutely necessary from a business, instruction or research perspective, all data must remain on UT Arlington owned systems or on a sanctioned cloud service.
Office of Information Technology and some research departments offer employees and researchers free server services and storage space that allows sharing of files between individuals with the appropriate access.
VI. Guidance on Personal Use of Instututional Cloud Services
As noted above, Cloud Services come in all sorts of forms and often are available to the public, for gathering, storing, processing and sharing information. Some cloud services, such as those offered by Apple, Microsoft or Google, are generally free for personal use and often provide very attractive features, such as generous storage space or collaboration tools that help with personal productivity.
As a general rule, avoid placing personal data on UTA systems or Cloud Services - all employees are expected to use good judgment by separating personal use of UTA Cloud Services from Institutional use; sanctioned services as those mentioned above, are considered University services and as such are subject to open records requests, subpoenas or litigation holds.
VII. General Advantages of Cloud Services
The increased speed, reliability and ubiquity of the Internet has changed the way technology is deployed by large vendors and this has greatly influenced the way services are being delivered. For a variety of reasons many vendors are moving towards or promoting the use of Cloud Services as their primary product as opposed to the traditional model of selling shrink-wrapped software for on-premises installation. The economies of scale that vendors are able to achieve by providing these services cause them to be offered at a lower cost than running them on-premises, compelling many organizations to adopt them.
- Increasingly the cost of Cloud Services both in terms of capital expenses and on-going operational expenses, are significantly cheaper than traditional on-premises implementations.
- The Cloud Service provider is contractually responsible for the physical security of the servers and therefore responsible for all the costs related to managing and securing data centers. Data Center operations can be very costly as it requires highly regulated climate control, fire suppression and redundant power.
- By adopting a particular Cloud Service, the on-going maintenance of the software (and related infrastructure) will be done by the Cloud Service provider and so UT Arlington does not need to assign resources or train IT personnel for that particular maintenance activity.
- Vendors are also beginning to update their Cloud based offerings at a rate that is at par or better than their shrink-wrapped offerings, and in many cases do not offer an on-premises implementation.
- Some Cloud Services being offered are cost prohibitive to implement on-premises; this includes fairly large storage allocation or computing power that vendors are able to provide at a significantly cheaper rate due to economies of scale they are able to achieve.
- Some Cloud Services can prevent waste by providing on-demand server services that are temporary in nature and required for a short period. For low risk data processing, this is preferable as the purchase or deployment of on-premises servers invariably requires the purchase of permanent hardware, which not only is a capital expense but has associated, on-going operational and maintenance costs.
VIII. Potential Risks and Consequences
Failure to properly understand and manage Cloud Services can result in significant institutional and individual liability. It is essential that prospective Owners seek a review of any contract or agreement for services according to UT Arlington Policy. As a member of the University community, should you ever need to store or share University information in a manner not currently provided within the University’s computing environment, always consider the confidentiality of the data and be aware of conditional uses of the data you generate, have access to, or receive. It is everyone’s responsibility to take privacy and security into consideration when making decisions about the use of any service (free or paid).
Additionally, there are risks with using non-sanctioned Cloud Services:
- Unclear, and potentially poor access control or general security provisions
- Sudden loss of service without notification
- Sudden loss of data without notification
- Data stored, processed, or shared on cloud service is often mined for resale to third parties that may compromise people’s privacy
- The exclusive intellectual rights to the data stored, processed, or shared on cloud service may become compromised.
IX. Best Practices, Requirements and Cautions for Using Cloud Services
The procurement of Cloud Services is generally the execution of a business contract irrespective of the dollar value of the service. By acquiring a Cloud Service, UT Arlington (and not the individual requestor) is establishing a legal and business relationship with the Cloud Service provider. Such relationships come with terms and conditions that should be reviewed and negotiated prior to entering into an agreement. Beyond this, each department head or requester must a number of items before entering into an agreement. The Information Security Office can provide assistance where needed and standard UT System terms and conditions cover many of these items:
- Classify the data and determine related security requirements – The Owner should consider the security requirements for the data that will be stored or handled by the Cloud Service, both in the short and long term. UT Arlington has established a data classification standard and has published minimum security requirements for securing the data. The Owner should make a determination, prior to completing an agreement, about the long term use of the Cloud Service, anticipate the nature and classification of the data that will be stored, and then ensure that the vendor can meet the minimum security requirements.
- Determine roles and responsibilities – The Owner is ultimately responsible for the data that will be created, transferred or stored on the Cloud Service. The Owner should work with the CIO and CISO to establish roles and responsibilities to ensure that all aspects of the service, including user authentication and access control and related audits have a custodian assigned.
- Consider the total cost of the service – The Owner should work with the Cloud Service provider to determine the total cost of the service. Some Cloud Service providers do not include the costs of implementation, high availability, integration with UT Arlington’s authentication systems, backups, intrusion prevention or detection, liability insurance, etc. It is the Owner’s responsibility to consider the operational use of the Cloud Services and to determine what risks can be mitigated.
- Establish an exit plan in the contract – while this might be counter intuitive when acquiring a Cloud Service, the Owner must be prepared for a worst-case scenario, and have a separation plan that includes provisions for securely copying the data (especially in order to meet retention requirements) and ensuring the data is destroyed at the appropriate time.
- Ensure the long term financial viability of the Cloud Service provider – When considering the use of a Cloud Services provider, the Owner should make a determination as to whether the provider is on sound financial footing. Doing so will give the Owner a general sense of whether the University will have access to the data if the provider becomes insolvent and to ensure that security of the data will be assigned priority if any cost-cutting occurs.
- Ensure that a risk assessment has been completed – The Owner of the Cloud Service should work with the Information Security Office to determine wither the provider has an established information security program that is sufficient to protect University Data. The Owner will receive a summary assessment that includes any identified risks.
- Avoid the mistake of assuming existing adoption has been fully vetted – Many Cloud Services have been adopted and used successfully at Institutions of Higher Education. A common mistake that is made however is the assumption that a risk assessment has been completed by those institutions and that the risks assumed by those institutions are ones that UT Arlington are willing to assume as well.
- Ensure compliance with various regulations – UT Arlington is subject to a number of federal, state and UT System regulations, including FERPA (which covers student privacy), GLBA (which covers certain financial accounts), ITAR & Export Laws, Institutional Review Board (for regulated human subject data), etc.
- Ensure that the data will be stored in the USA and governed by appropriate law – Cloud Services can exist anywhere in the world and as such Owners must guard against the potential for University data to be placed in countries outside of United States jurisdiction. Additionally, UT Arlington requires that Texas law is the prevailing law governing the Cloud Services agreement.
- Ensure that expected service levels will be met – Cloud Service Owners must determine whether the guaranteed service levels offered by the Cloud Services is sufficient. The Owner should ensure that the contract can easily be cancelled if the provider does not meet service expectations. Service levels come in three primary forms:
- Availability – The service must be available when it is required. Availability is measured in terms of the guaranteed “up-time” which is measured as a percentage of time. For example 99.9% uptime is equivalent to roughly 44 minutes of expected unavailability a month, whereas 9.999% is equivalent to roughly 26 seconds of expected unavailability a month. Whereas non-mission critical systems can withstand 44 minutes of down time during a month, some mission critical systems may not.
- Performance – The service must be responsive to be useful. This can be subjective and difficult to measure especially when the Cloud Service depends on the public internet – there are numerous potential points of failure or slowdowns between the user and the Cloud Service. The Owner should develop a strategy to handle performance issues, and this will include the quality of customer service.
- Reliability – Depending on the nature of the Cloud Service, logical errors can be introduced (e.g. how a particular value is calculated in a data dashboard). The Owner should develop a strategy to measure the accuracy of expected results.
- Ensure that secure backups are occurring – Owners are responsible for defining a business continuity plan, especially if the service becomes mission critical. While most Cloud Services provide backup solutions, the service may require additional fees. Additionally, the Owner should understand the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and factor both into continuity plans.
X. Updates and modifications to this guideline.
This document will be modified as necessary to address changes in technology, processes and identified risks, and is intended to complement, and does not supersede, relevant UT System or UT Arlington policies and procedures governing the security of University data. In the absence of specific policies, policy statements found in this document will stand as provisional until such time that it is incorporated into a HOP policy or procedure. Significant changes to this guideline will be announced to Information Security Administrators and/or in the MavWire.