Office of the Vice President for Global Communications

Thursday, September 2, 2010

Task force issues privacy, security recommendations for cloud computing

A U-M task force is recommending ways to address privacy and data security issues associated with the growing trend toward “cloud computing” — applications and services provided over the Internet instead of internally or on individual computers.


More information

• View the full task force report, including a list of members.
• Preliminary guidelines for appropriate use of cloud computing by individual faculty, staff, departments and research programs. (Go to Protecting University Data.)

Cloud Services Privacy and Data Security Task Force
Scott Arnst — IT director, UM-Flint
Nancy Bartlett — Archivist, Bentley Historical Library
Jack Bernard — Assistant general counsel, Office of the Vice President & General Counsel
Elaine Brock — Senior associate director, Division of Research Development and Administration
George DiGiacomo — Director, Technology Services, Student Affairs
Marjory Falconer — Human resource information technology manager
Paul Howell — Chief information technology security officer, ITS
Ray Hutchinson — Associate dean for regulatory affairs, Medical School
Lynn Johnson — Assistant dean for informatics and innovation, School of Dentistry
John Johnston — Senior academic technology specialist, School of Pharmacy
Alex Kuhn — Graduate student, Electrical Engineering and Computer Science
Marilyn Lanzon — Executive director, Device Engineering and Support, MCIT
John Merlin Williams — Director, Digital Media Commons, Duderstadt Center
Brian Noble — Associate professor, Computer Science and Engineering
James Penner-Hahn — Associate dean for budget, LSA
Paul Robinson — University Registrar
Kurt Riegel — IT manager, UMHS Compliance Office
Cindy Wells, chair — Deputy CIO, ITS
Vlad Wielbut — Director of Informatics and Computing Services, School of Public Health
John Wilkin — Executive director, HathiTrust, University Libraries

As the university looks to move more of its information technology functions into the cloud at an institutional level, Information and Technology Services (ITS) is working to determine how best to provide U-M research and learning communities with cloud services that are easy to access, well structured and well supported.

“It is critical that U-M develop the capability sooner rather than later to manage the privacy and data security issues identified by the task force. The task force report provides a very solid foundation for that capability, and we will energetically be moving forward on this agenda during the 2010-11 academic year,” says Laura Patterson, chief information officer and associate vice president. 

Individual faculty, staff and students already use many cloud services — examples being Google Apps and Web-based e-mail — to handle such operations as e-mail, calendaring, data storage or content management. They are attracted by the greater functionality, lower cost and increased convenience of accessing their e-mail, documents or files from any computer at any location.

“In many respects, the campus will be catching up to what many individuals at U-M are already doing in both personal and academic realms,” says Cindy Wells, deputy chief information officer and chair of the Cloud Services Privacy and Data Security Task Force.

Many see cloud computing as providing the common tools for faculty, staff and students to work with each other locally, nationally and internationally. It offers a solution to frequently incompatible IT infrastructures and applications throughout the university that can block effective collaboration.

But while there are a number of advantages to cloud computing, such third-party services can raise concerns regarding loss of institutional control and service level guarantees.

Additionally, current standard agreements for many cloud-based products raise privacy and data security issues. These include protection of information under the Family Educational Rights and Privacy Act, who has the right to suspend accounts, vendors’ use of U-M data and metadata, and accessibility to users with disabilities.

“As organizations move toward adopting cloud-based services, it is imperative that data security and stewardship be addressed. We must comply with state and federal laws that speak to protecting student and employee data,” says Paul A. Robinson, university registrar and a task force member.

“Contracts with cloud service providers need to have specific and consistent language that addresses data privacy and security. The University of Michigan has and will continue to be insistent that any cloud-based service agreements include appropriate clauses that speak to these privacy and security requirements,” Robinson adds.

The task force’s student, faculty and administrator representation included IT staff, research administrators, compliance officers, institutional data managers and the Office of General Counsel.

The task force identified the following issues:

• Current click-through agreements for many cloud services do not provide adequate protection for sensitive university data.

• Privacy and data security issues can be managed through campus contracts with cloud providers.

• Faculty, students and staff can find it difficult to understand and follow security guidelines for different types of data. In particular, they often cannot identify the level of risk in exposure of any particular data set.

• Systems that store sensitive data with stringent regulatory or legal requirements need to comply with clearly defined security measures regardless of where the services are hosted.

Task force recommendations include:

• Campus IT providers should use security guidelines outlined in the task force’s report when evaluating and negotiating with vendors for cloud services.

• ITS should negotiate contracts with cloud vendors that can be leveraged across the campus instead of having individuals or departments signing multiple agreements.

• The Office of General Counsel should provide a list of issues and sample language to use when procuring cloud services.

• ITS should create and maintain a catalog of negotiated cloud services that includes a data sensitivity label and provides a way for individuals and/or units to provision under the contracts. 

• ITS should establish guidelines and processes to help data generators and IT providers determine security and sensitivity levels of data.

• Campuswide identity management that includes the U-M Health System will be critical to the success of integrating cloud-based services into our current environment. Campus services should continue the model of single sign-on and passing of credentials whenever possible.