Cloud Services
Externally hosted solutions (often referred to as "cloud services") can offer flexible, cost-effective and scalable means of fulfilling the University's requirements for storage, sharing and processing of digital data.
However, the use of cloud services entails transmitting and entrusting third parties with potentially sensitive data, and carries risks that should be carefully considered and managed.
As required under the IT Acceptable Use and Security Policy (ITAUSP) and the IT Acceptable Use Procedures, please submit risk assessment request to ITDS BEFORE you sign up to services and start uploading University data.
-
Assessment Process
Before considering signing up to a new cloud service, you should consider whether existing software and services provided by ITDS will meet your requirements. You can talk to your ITDS Liaison Manager if you are not sure about available services.
If existing software and services do not meet your needs, then a risk assessment can be requested for a new cloud service from this MyIT form. Someone from the ITDS Cyber Security team may contact you to obtain additional information. They will then undertake a security risk analysis based on the reputation of the product and vendor, as well as any evidence to support their security posture.
In the event that the risk is deemed to be unacceptably high (e.g, if third party is unable demonstrate sufficient security controls) then the analyst may advise you to explore alternative products or implement additional controls to reduce risks.
-
Scope and Definitions
There are broadly three categories of cloud services:
•Software as a Service (SaaS): Typically, software applications accessible via a browser. A majority of use cases fall under this category.•Platform as a Service (PaaS): Platform for developing your own applications such as Google App Engine.•Infrastructure as a Service (IaaS): Virtual server hosting such as AWS EC2 and Azure VM.A cloud service is hosted and managed by a third-party, external to the university: these services are typically not downloaded on to individual computers, rather accessed via the internet through a web browser or website login (there are hybrid solutions where there is a front-end desktop program or mobile application, but the data is stored externally in the cloud).
Information that is processed, transmitted and stored with a cloud service is not under the protection of the university’s security controls. Cloud services accessible via the internet are also at risk of potential data breaches.
-
Related Policies and Procedures
-
Previously Approved Cloud Services
Please refer to the following document for a list of services that have previously been assessed and approved for the specific use case (i.e., maximum data classification and number of users).
Previously approved cloud services (PDF)
If you would like to sign up to a cloud service on this list for a similar use case, a complete re-assessment will not be required; however, you are still required to submit a request via MyIT to enable ITDS to keep track of areas within the University using the cloud service.