Search

Cloud Services Guidelines

Information Security Office


Commercial cloud service providers like Dropbox and Google Drive offer a convenient method of storing large data sets. As part of Project Kitbag – the replacement of GroupWise – the project team will assess various cloud storage services. The need has been recognized and will be addressed.

Individuals on campus who use, or plan to use cloud-based data storage services should be aware of the following important factors:

  • Understand that most of the commonly used hosting services are located in the United States and are subject to American law, notable the USA PATRIOT ACT
  • Terms of Service policies for these companies are known to change frequently, often without user knowledge. A free and secure service could turn into a “pay” site or a data mining opportunity for other firms with little notice given
  • The provider may not be able to deliver consistent service, resulting in unannounced outages when you least expect it
  • The provider may or may not have the proper controls in place to ensure the data you store with them remains private, or in the event of a disaster, could be recovered
  • There may not be any guarantee of service continuation or continuation of the existing terms, conditions, and privacy policy if the service provider is acquired by another firm.

Recommendations for Commercial Cloud Service Use

  • Do not use commercial cloud services to store highly sensitive University data or your sensitive intellectual property. University data classified as sensitive should be assessed accordingly by a department head or supervisor.
  • Verify that the data being saved to cloud services is free of any federal and/or provincial regulatory constraints, contractual obligations, or grant restrictions
  • Select a cloud service that provides data encryption, strong password policies (supported by password hints or paraphrases) and a Terms of Service agreement you can understand.
  • Protect the information you store on a cloud service using commercially available encryption software.
  • If possible, choose a service that operates its data center in Canada.
  • If encryption keys are created as part of the cloud service security model, make sure the key(s) is saved in a secure place.
  • Avoid mistakes by verifying what you are saving to your cloud storage is what you planned to save.
  • Make sure you have a backup copy of data you save to the cloud service stored somewhere under your direct physical control.
  • If your plan is to share your cloud data with others, keep records of who they are, and grant them only sufficient access to your data store to meet their ‘need to know’. Remove access when they no longer need it.
  • Using commercial cloud services is no different than using your personal network drive on campus. Make sure to disconnect from the service when you leave for extended periods – log out of your computer, or shut it down.