Data privacy in the campus cloud
The University of Michigan’s very decentralized campus means it has multiple IT departments, numerous technologies and plenty of cloud applications. “We basically use everything you can think of when it comes to the cloud,” says Don Welch, chief information security officer. “Colleges here have their own relationships with providers, and their own strategies with information storage. So it’s a big task to set central policies, but it’s important to take on that role.”
The institution is far from alone in storing data on multiple cloud-computing platforms. Many higher ed institutions provide various services—consumer-friendly choices such as Box, Google Drive and Dropbox, as well as enterprise-class applications such as Amazon Web Services and Microsoft Azure for university data. Michigan, for example, hosts its own private cloud storage, but not all of its campuses take advantage of the service, which leads Welch and his staff to spend a great deal of time educating people about cloud privacy.
“We put a lot of effort into safe computing,” he says. “Data privacy and security have to be top of mind for everyone, no matter what they’re using, so we work to build that awareness.”
When dealing with data privacy and cloud storage, several best practices can help colleges and universities stay secure.
Embed privacy into provider contracts
One of the most important steps in securing data is to protect an institution’s rights at the contract negotiation stage, says William Morse, chief information officer at the University of Puget Sound in Washington. This means privacy, confidentiality, disclosure responsibilities, indemnification, data backups and other issues are all discussed and in writing. Also, a contract should articulate what would happen in the event of a cloud provider’s acquisition by another company, or what could occur if the service being purchased is changed into a different technology. “Everything must be negotiated,” says Morse. “Spending the proper amount of time at this stage is key to the university protecting itself.”
Confirm vendor practices
After negotiating a privacy-rich contract, the next step is to make sure the cloud service is complying with privacy and security mandates, adds Morse. “CIOs know how to do this with their own servers and data,” he says. “However, I can’t tell you how often people fail to ask what the company does. It would be a mistake to assume best practices are being followed without verification.”
This confirmation should be ongoing as well. Morse says vigilance is critical. Monitoring providers to ensure they’re delivering what’s promised is a big part of data privacy. Warning signs that best practices aren’t being followed include system failures, poor customer service and encryption problems.
Choosing cloud service vendors carefully and deliberately is important, says Jay Graham, enterprise architect at the University of Pittsburgh. As specific cloud computing services are considered, his team asks the provider to complete an extensive security questionnaire that requires detailed information about the controls in place to safeguard data.
For example, Box was chosen as the university’s enterprise cloud storage and collaboration service after the company offered assurances that all of its data centers are in the United States, which means Pitt researchers can maintain compliance with export control regulations, Graham says.
Deliver guidance based on data type
Keeping certain sensitive information out of the cloud and setting data privacy protections that are specific to each service or key ways to prevent potentially costly security problems. Before storing university information in the cloud, it’s important for all employees to consider the potential impact of a data breach, says Karl Hassler, associate director of IT networks and systems services at the University of Delaware. The university’s cloud management website details the technologies used and tips on using the cloud.
Delaware’s cloud services include Google Drive and Canvas, but they’re not appropriate for hosting all types of information, Hassler says. “You wouldn’t store medical records in Google Drive; the risks of violating personal privacy are too great. Google Drive is not a good choice for storing sensitive, confidential or personally identifiable information.”
Consider a private cloud
Michigan offers its campuses private cloud services as a more secure alternative to public clouds. This can mean several advantages, including closer management of privacy and security. “When you look at public cloud services, it’s a subscription model, like cable TV,” says Tony Hampel, product marketing director at Connected Data, which offers a private cloud storage appliance. “As you get more people subscribing to the service, the higher your expense will be, and the more you’ll have to think about security controls.”
Implement training—and keep it fresh
Strong data privacy begins at the user level, and for that to occur, colleges and universities have to take a multipronged approach to training. In addition to online resources like those seen at the University of Delaware, many schools hold information security workshops for individual academic departments, and issue push notifications about security and privacy whenever possible.
For example, when faculty, staff and students log into their email accounts at the University of Pittsburgh, they see a message that briefly describes cloud storage and gives advice on what type of data shouldn’t be stored there. The message includes a link to a webpage that lists non-permitted data types.
At the University of Michigan, students take voluntary data security tests to gauge how informed they are about good computing practices—and Welch says participation tends to be high. Not only does this give IT a better idea of attitudes and practices around security, but it also delivers information on data privacy that students may not have considered.
This is particularly important because younger people tend to have a lower expectation of privacy compared to many people in older generations, Welch says. “They’ve come to accept that online companies are gathering information about them in order to market products to them, and for many, they just accept it as part of life. That’s a broad generalization, but I do think that younger people are much less concerned about privacy than they should be.”
Collaborate and learn
One of the advantages of operating in a higher education setting is the high level of collaboration that isn’t seen in the private sector, Welch says. Colleges and universities often share best practices with each other, and also attend trainings and workshops together on technology topics. Tapping into higher ed organizations and conferences can be helpful for sharing strategies and concerns with others in the higher education community.
Collaboration is also vital within a college or university, especially at a larger school with multiple campuses, Welch says. At the University of Michigan, technology professionals in the central office often “shadow” IT managers in other parts of the university to share data privacy tactics, to collaborate on possible solutions to campuswide issues and to learn about vendors.
“Even though we all might be using different technologies and have different needs, there’s tremendous value in collaborating with one another to get new perspectives and increase creativity when it comes to developing solutions to problems,” Welch says.
In general, data privacy in the cloud should be seen as an ongoing project, with numerous moving parts that all need to be monitored and tweaked over time. By understanding the role of vendors, implementing strong oversight and training, and collaborating with other technology experts, schools can harness the cloud’s full potential without giving up privacy and security.
Elizabeth Millard is a Minneapolis-based writer who frequently covers technology.