Information Security

 

Use cloud services safely

Use cloud services safely

Introduction

Consumer cloud services certainly have plenty going for them. The chances are, someone out there in ‘the cloud’ is offering exactly what you need for the project you’re about to embark on and, often, it’s going to be better, quicker to set up and cheaper than what’s immediately available in-house. But – and it’s a big but – what about security? If you haven't got the necessary permission to use the service or are using it insecurely you could land yourself – and the University – in a whole lot of hot water. Who are you doing business with? What access will they have to your data? And what else might they do with it? You can outsource the functionality but not the risk.

Audience:

Everyone

At a glance

  • Know your data and who is responsible for it
  • Use University systems where possible
  • Check the terms and conditions for security and privacy offered by the cloud service
  • Don’t fall foul of data protection: check the contract and get consent

In detail

The two important things you need to know before using any cloud service are what kind of data you’re going to store and who is responsible for that data.

The University classifies data under three categories. Consumer cloud services are probably okay for public data and for most internal data. But they might not be secure enough when it comes to confidential data. And you absolutely mustn’t use consumer cloud services for anything where personal data is involved unless you’ve both sought the necessary authorisation and consulted Legal Services.

Perhaps more importantly, you need to know who is responsible for the data because they're accountable for what happens if things go wrong. They might be internal or external to the University. They are responsible for deciding whether the data is public, internal or confidential and they can tell you whether there are any rules that prevent you from using cloud services. If in doubt, ask yourself this simple question: how much trouble would it cause if the data was lost or leaked?

Before you take the plunge and start using the cloud, do take a moment to consider what the University has to offer. There are plenty of options available for sending surveys, sharing data and storing documents. At first glance they may take a little bit of time and effort to set up but it might not be as onerous as you think. In the long run, internal services could actually save you a whole lot of trouble setting up necessary agreements and carrying out appropriate due diligence. Get in touch with your department or college IT manager or with IT Services via the Service Desk.

So the onus is on you to make sure that you don’t put misplaced trust in a would-be cloud service provider. Easier said than done perhaps but the Information Security Team can offer support and guidance where necessary.

The first thing you need to consider is whether the security and privacy policies of the cloud service provider meet your requirements. Don’t just assume they will look after your data. Check how much information they provide about security and exactly what you’re agreeing to in terms of who they will pass your data on to. If you don’t understand all of the technical jargon or need some help in assessing the security policies against University requirements you can contact the Information Security Team for help.

Beyond checking the information they provide you should also make sure that you’re making the most of the security functionality provided. Sometimes cloud services can even enhance security! Make sure you have configured the product to provide the maximum security at your disposal and activated additional functionality such as two-factor authentication. See our “I want to” on securing online accounts for more details.

Unfortunately, security isn’t the only thing you need to worry about. Even if the data you are sharing is public, if it contains personal data then the Data Protection Act applies and information security is only one part of that. Since personal data includes names and email addresses the bar is pretty low. So even seemingly innocuous tasks like sending round a questionnaire with SurveyMonkey or sending invitations with Eventbrite could lead to you falling foul of the law!

One of the obvious pitfalls is the fact that many cloud services are based outside the European Economic Area (EEA) and as such the Eighth Principle of the Data Protection Act applies. This means that you need to go the extra mile to ensure that an adequate level of security is applied. In practice this probably means one of two things:

  1. Make sure any contract includes the ‘model clauses’ approved by the EU; or
  2. You’ve obtained unambiguous and freely given consent from any individuals concerned.

The quickest option is usually the second and you can do this by being completely up-front about what’s going on, making users aware of the privacy policies for the service and making sure that there’s a viable alternative available if people don’t want to use your cloud service. An example for Eventbrite might look like this:

Eventbrite processes data (including any personal data you may submit by booking this event) outside of the European Economic Area. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy applicable to respondents (available here: https://www.eventbrite.co.uk/support/articles/en_US/Troubleshooting/eventbrite-privacy-policy) If you prefer not to use Eventbrite for responding to this invitation, you may respond directly to [insert email address].

For detailed advice on whether it’s ok to share data with cloud service providers see the IT Services Cloud Toolkit, and for further advice on complying with all of the principles of the Data Protection Act contact Legal Services.

The model clauses are contractual clauses which are approved by the EU which can be included in agreements with third-parties and allow for transfers of data outside of the EEA. There are two key things to be aware of:

  1. The clauses must be included in the agreement with all parties (including subcontractors or any affiliate companies);
  2. Any agreement must cover the specific usage.

By way of example, SurveyMonkey provide an ancillary agreement directly with its US affiliate which incorporates the model clauses. However, this has to be signed up to an account-by-account basis.

For more information on the model clauses and Data Protection in general, contact Legal Services.