Outsourced cloud services continue to be the source of and solution to many technology problems. However, more than any other factor, data security and privacy concerns are putting a throttle on cloud adoption. While security and privacy must be addressed, organizations can fast-track their adoption of cloud-based solutions by adopting a nuanced sourcing strategy that ties risk to sourcing decisions.
Sourcing cloud services accelerates the erosion of what's traditionally considered the security perimeter. This can be particularly challenging for security professionals: Campus gateways and data centers, though important control points for security technologies, may play a small role when interacting with cloud services, which are usually transported over encrypted channels. Further, this perimeter breakdown may extend to other areas, such as credential management. Users increasingly expect to use credentials they receive from third parties and often don't understand when they are told that they can't.
At the University of Illinois, we anticipate finding a smaller portion of our computing environment under our direct management. As we work to meet our ethical and regulatory obligations to address privacy and security in the face of this new computing architecture, we are looking very closely at right-sizing the way we evaluate service providers, tailoring our review of providers to the risk inherent in the specific situation. We came to this approach after facing an avalanche of requests to purchase inexpensive (sometimes zero-dollar) services and finding our traditional processes taking months or years to complete. Further, many small service providers are simply unwilling to become our partners for what are essentially consumer services. We have spent weeks negotiating agreements only to have a provider give us a "take it or leave it" ultimatum at the last minute.
We face the risk of allowing our internal processes to either stymie our academic and research mission or force our faculty and staff to skirt the system and accept risk without guidance or oversight. Our goal should be finding responsible ways of encouraging student and professional engagement with modern cloud-based tools, not forbidding them. Our experience suggests that a few straightforward tactics offer a significant return on investment.
Recognize what is low risk and don't waste time on it. Spending time reviewing and negotiating terms for services that bring low risk to your institution is expensive. Software as a service (SaaS) offerings that don't cover protected information often include the very productivity enhancements that most organizations would want their faculty and staff to use. At Illinois, we created an expedited procurement process specifically for these sorts of offerings that let faculty and staff quickly gain access to such services. Our process is described at go.illinois.edu/essa. Before we put this new process into place, such services were either used without any oversight or review, not used at all, or managed through a negotiated contract.
Develop tactics to address medium-risk situations that are available at a modest cost. Protecting students and the vast quantity of information about them that colleges maintain is not only required by federal regulations such as the Family Educational Rights and Privacy Act (FERPA), it also represents an ethical posture toward data stewardship. The poster child for medium-risk data within higher education is student data. As regulated and protected information, student data requires considerable protection. However, students gravitate toward new pedagogical tools and will often consent to classroom interactions through new media. By managing the way students opt in to third-party services, it's possible to enable cloud services for teaching, particularly in a pilot fashion. Almost any collaboration tool will fit this approach, again provided the student is allowed to opt out and those who opt in are provided with information on the privacy and security of the information they share.
Get a handle on your data classification and governance. While it should be an operational goal to reduce the use of protected information such as Social Security numbers, this same approach is unreasonable for student information. In academia, most faculty members handle student information locally, outside of the centrally maintained systems of record. In addition, the risks for FERPA-related breaches are not as severe as they are for the big three: the Health Insurance Portability and Accountability Act (HIPAA); the Payment Card Industry Data Security Standard (PCI DSS); and export-controlled data (data that cannot be stored outside of the United States).
Most institutions use a three-tiered data classification policy, such as public, confidential and high-risk. At Illinois, we have created a four-tier system specifically separating FERPA data from truly high-risk data, such as PCI DSS and HIPAA data and Social Security numbers. Doing so gives us much greater flexibility and allows us to better allocate our resources.
No major institution can afford to bring the across-the-board protection to FERPA data that PCI DSS and HIPAA demand. Developing a nuanced policy for data classification that engages the data owners (who are obligated to define data risk) offers the tools organizations need to evaluate the feasibility of adopting any specific cloud service.
Reserve a heavyweight analysis for high-risk situations. It is expensive to do a detailed evaluation of a third-party service because it takes time from the purchasing unit, the security staff and legal counsel. At the end of such an analysis, summarize the outcome in such a way that the unit requesting the service can understand the uncontrollable risk. Tailor the evaluation to couple the risk the data brings with it to the likelihood of a data breach.
However, consider factors other than the mere risk of a breach. Will critical processes be disrupted if a SaaS provider goes bankrupt? Will the college's reputation be damaged? For example, a defaced website, even for a site hosting public information, could be very embarrassing.
Try to address common security risks in the contract language. Find out if the provider encrypts backups. Will they indemnify the organization from penalties imposed by state data-breach laws? Can they provide proof of compliance for their security practices, such as a SAS 70 or the results of a Shared Assessments (sharedassessments.org) evaluation? Developing standard language that the purchasing, legal and business units understand may not guarantee that prospective providers will agree to every requirement, but it will prepare the organization to better engage the provider.
The ambiguity of security and privacy practices surrounding cloud services can be unnerving. However, these are not necessarily uncontrollable risks. Allowing these potential drawbacks to stop an organization from moving into the cloud service market is an opportunity lost.
An excellent resource to help address common security risks in the contract language is the Educause Data Protection Contractual Language toolkit (wiki.internet2.edu/confluence/x/kQId). In addition, if you're not already tracking the federal government's Federal Risk and Authorization Management Program cloud effort, you should familiarize yourself with the project and any potential legislative outcomes (go to cio.gov and search "FedRAMP"). Many of the items that IT managers might need to address contractually with cloud providers are discussed within the context of this program.