(Draft for consultation) Please note that this draft is under consultation with stakeholders in colleges and university services, before refinement and approval by the appropriate University Committee. If you have comments or feedback, please contact Information Security co-ordinator Chris.Edwards@glasgow.ac.uk 1. Summary... 2 2. Purpose... 2 3. Cloud Storage Definition... 2 4. Scope... 2 5. Cloud Storage Characteristics and Risks... 2 5.1 Consumer orientated... 3 5.2 Business orientated... 3 6. Policy... 4 6.1 Objectives... 4 6.2 Consumer orientated Cloud Storage... 4 6.3 Business orientated Cloud Storage... 5 7. Information Sharing... 5 8. Synchronising information... 6 9. Legislation, Policy and Guidance... 6 10. List of approved Business Orientated Cloud Storage providers... 6
1. Summary Confidential University data must not be stored on consumer-oriented cloud services. It may, where the relevant risks have been addressed, and under certain circumstances, be stored on business-oriented cloud services. However, data concerning living individuals may not be stored on any cloud service, unless the University has approved the cloud provider in question for the purpose. 2. Purpose This Policy defines the University s position on the use of Cloud Storage as it relates to the potential storage of University data. The Policy sets out a clear definition of Cloud Storage and the types of University data which may be stored together with any additional safeguards which must be adhered to. 3. Cloud Storage Definition For the purposes of this policy, Cloud Storage is defined as: Public Cloud Storage Services provided by an external supplier and made available to organisations, or individuals, on terms and conditions, which are defined by the external supplier. Cloud Storage and associated files reside outwith the organisation s domain (Data Centres) and is usually accessed via a web interface and various synchronisation options, which facilitates the sharing of files and makes data available over a range of computers and other mobile devices. Examples of Public Cloud Storage providers include: DropBox Box Microsoft (SkyDrive/OneDrive) Apple (icloud) Oracle IBM Google 4. Scope This policy applies to all University data i.e. information which arises in University teaching, research and administration, and applies to all staff, students and other parties who have access to University data. Any exceptions must be documented and approved by the Information Policy and Strategy Committee. This policy does not override policies covering data owned or provided by other organisations, and individuals must adhere to any other relevant policies including those stipulated by the organisation providing the data. In situations where that policy differs from this one, the stronger of the two requirements must be respected, unless both organisations have agreed otherwise. 5. Cloud Storage Characteristics and Risks Cloud storage may be characterised as consumer orientated or business orientated. page 2
5.1 Consumer orientated Consumer orientated Cloud storage is commonplace and is often made available free of charge to individuals via a user registration process or bundled with many service offerings and initial hardware purchases. Individuals access their Cloud storage via a number of options including; Web Browser Desktop synchronisation client Drive mapping or equivalent Mobile app This means that individuals have access to their storage across a range of devices providing a wide choice of access technologies and data sharing options. However when signing up with a cloud storage provider the individual must accept the provider s Terms and Conditions and any associated service level agreement. This presents a number of risks to the security, confidentiality and availability of the individual s data; in particular: There is no guarantee on data protection, retention or backup The Cloud provider may store data outwith the UK/EU and not be bound by UK/EU laws relating to the protection of personal data. Individuals should read carefully the Terms and Conditions governing the use of their Cloud storage with particular reference to; o Circumstances leading to account termination and potential loss of data. o Provider s liability for negligence with respect to misuse, exposure, loss or damage of data o Confidentiality of data with respect to Providers data mining activities and potential resale of o information for advertising, user tracking and user profiling purposes. Considerations about who actually owns the data and therefore has full rights over it. Some cloud providers may assert ownership of any data stored in the provider s cloud, or reserve the right to do so in future. The financial stability of Cloud Storage providers should be considered to avoid a potential end of service with no or little notice. 5.2 Business orientated There are several Cloud storage providers who offer services specifically tailored for business use. Organisations contract with their preferred cloud storage provider for specific services and manage the accounts for the individuals within their organisation who they wish to have access to Cloud Storage. Authorised individuals access their allocated Cloud storage via a number of options including; Web Browser Desktop synchronisation client Drive mapping or equivalent Mobile app This means that authorised individuals have access to their allocated storage across a range of devices providing a wide choice of access technologies and data sharing options. The Business orientated Cloud storage services address many of the risks associated with the consumer versions, in particular The terms and conditions and service level agreement is tailored to business needs page 3
The organisation retains full ownership of their data Security, confidentiality and availability of data are sometimes assured via industry standard accreditations e.g. ISO 27001, EU Safe Harbour. Data retention and backup arrangements are defined There is no advertising built from data mining or other uses of Business data The Cloud provider s liability relating to negligence, misuse, lose or damage of data is better defined From a corporate and legal perspective several issues remain, which need to be considered and addressed before deciding on the type of information that is suitable for Cloud Storage via an external provider. In particular: Research data management, where either the organisation providing the data, or the funding body have specific requirements for where it must reside e.g. in the UK, or in the University itself. Data Protection Act, governing the storage and management of personal information The University s policy on confidential data Risks associated with automatic data synchronisation between Cloud storage and corporate/personal devices Also, agencies of foreign governments may potentially have access to data in cloud storage, and this may be a concern for storing certain types of information. 6. Policy 6.1 Objectives Safeguard the security, confidentiality, integrity and availability of the University s information assets. Ensure compliance with national and international laws governing the storage and guardianship of data Ensure compliance with contractual commitments relating to the storage and guardianship of data Ensure that University employees and other partners understand the University s requirements relating to the storage and guardianship of data 6.2 Consumer orientated Cloud Storage Allowed Only non-confidential information which the University has placed in the public domain or would release into the public domain, for example under Freedom of Information, may be stored within Consumer orientated Cloud Storage. Any allowable information stored within Consumer Orientated Cloud Storage should also have copies held within the University, and therefore not comprise the only copy. Not Allowed The University forbids the use of consumer orientated Cloud Storage for the following information assets: Information which the University considers private and would not make available to the public, or might be exempt from release under Freedom of Information Personal data i.e. that which concerns living individuals and hence falls under the Data Protection Act Information relating to contractual undertakings between the University and third parties Information relating to research outcomes, prior to publication Information relating to the normal business of the university including, emails, minutes of meetings, reports, budget statements, audit reports, proposals, project plans, project progress reports, strategic reviews etc. page 4
6.3 Business orientated Cloud Storage The University accepts that business-orientated Cloud Storage can provide solutions for a wide range of strategic objectives including: Ease of information sharing between individuals within the University Ease of sharing of information between individuals within the University and other partners outwith the University Ability to access information whilst away from the University via a range of device types Security, confidentiality and availability of Information assets Allowed The University permits the storage of public, private and confidential information within businessorientated Cloud Storage as long as the following conditions are met: The information is not personal data (i.e. relating to living persons). The activity is in accordance with the University s policy on confidential data. The service-specific contract and service level agreement (SLA) must satisfy the University s requirements for information guardianship. The University s legal and contractual obligations must not be compromised Where the Service specific contract and SLA does not guarantee the timely recovery of lost or damaged data then any allowable information stored within Business Orientated Cloud Storage should be copies of information held elsewhere within the University and therefore not the only version. The University must retain management control of the user accounts associated with cloud storage subscriptions Not Allowed The University does not permit the storage of the following types of information on businessorientated cloud storage services: Personal data as defined by the Data Protection Act Information subject to specific requirements on storage location e.g. must be held within the University s own data centres Further details about the University s requirements and legal commitments can be found under the Legislation, Policy and Guidance section below Clarifications and advice on Allowable use is available from the Data Protection and Freedom of Information Office and IT Services via the IT Services help desk. 7. Information Sharing The following restrictions apply to the sharing and synchronisation of University data. Where there is a requirement to share information with others then it is important that individuals who enable the sharing of data do so with the following safeguards: Grant access to the specific Folders and files that are required to support the Collaboration or information sharing and ensure that no other folders or files are made available. Inform all individuals involved in the collaboration or information sharing that they have a duty of care for the information provided and must honour all security requirements as well as privacy or confidentiality commitments. page 5
8. Synchronising information Synchronising information to and from Allowable Cloud Storage can provide significant advantages in terms of information availability and speed of access. Synchronising information across a range of devices requires the following safeguards: Individuals must ensure that the devices involved in the synchronisation process are protected as far as possible from unauthorised access or loss. Mobile devices must have a PIN code or equivalent enabled. Individuals must ensure that the devices involved in the synchronisation process are protected as far as possible from malware and are kept up to date with vendor supplied security patches. Individuals must ensure that any private or sensitive University information is further protected via strong data encryption. Laptops must have Full Disk Encryption configured before data is synced. 9. Legislation, Policy and Guidance Data Protection and Freedom of Information Office (University of Glasgow) Policy and Guidelines on Confidential Data in (University of Glasgow) Data management Support for Researchers (University of Glasgow) Guidance on the Use of Cloud Computing (Information Commissioners Office) 10. List of approved Business Orientated Cloud Storage providers The University will maintain and publish a list of approved Business Orientated cloud Storage providers to ensure that Colleges and University services staff choose the most appropriate supplier for their specific purposes. The list will be maintained by IT Services and published on the University web site. For the purposes of this draft policy the current list of approved suppliers is as follow. Arkivum (Current service) For Research Data Management archive at project closure. The Arkivum Research Data management services were contracted via an open procurement conducted on behalf of the UK academic institutions by JISC. Microsoft OneDrive for Business (In development at University of Glasgow release September 2015) OneDrive for business is part of the Office 365 suite of services which deliver a rich set of Business class collaboration solutions. The complete suite of services has been reviewed by the JISC on behalf of UK Academic Institutions leading to advantageous changes to Contract terms and the supporting Service Level Agreement. In addition Office 365 has been approved by the UK Government to hold or transact public sector data for business conducted at the OFFICIAL level of Security Classification. Draft Document Control Draft (rev 1.209) for comment (2015-04-23) Layout revision (2015-05-26) page 6