Educause Security Discussion mailing list archives
Re: Trying to manage the move to the cloud
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, 11 Mar 2011 09:33:40 -0500
I think Keith nailed it. We use a data protection policy that basically provides details as to what is Restricted (our highest classification), Controlled and Public data. We've done extensive training across the community on what data falls under what category and what has to be done to protect restricted or controlled data. I'm a big fan of getting data classified so that we can focus on securing the data we see as putting UC most at risk. Cloud computing adds some interesting pieces to this, for example: * If we use a MicroSoft (just an example) cloud how do we ensure that it doesn't spread outside the U.S.A. for both production and backup instances. If it goes outside the U.S. we then have to consider the Export Control Implications. How do we make sure that Microsoft cloud support makes sure that no foreign nationals have access to the data in the cloud? If a foreign national does have access how do we verify that they are a Federally licensed foreign national? Also, If a PI on an Export Controlled research project is using something like DropBox how do they ensure that all the data is based in and stays in the U.S.? How do we help them meet the business need that drove them to using the DropBox type service? <sigh> I probably have more questions than I do solutions. :) - Kevin Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified Assistant Vice President, Information Security & Special Projects University of Cincinnati 513-556-9177 The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000. [cid:image001.gif@01CBDFCE.3B36DF60] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Schoenefeld, Keith P. Sent: Friday, March 11, 2011 1:46 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Trying to manage the move to the cloud I believe the best way to approach something like this would simply be to either create or leverage existing policies about sensitive information at your University needing to reside on University systems (or University approved systems). Appropriately implemented data classification combined with rules surrounding the storage and use of such data should suffice. Enforcement, however, is a whole different ball game. -- KS Keith Schoenefeld Information Security Analyst Baylor University From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chancellor, Beth C. Sent: Thursday, March 10, 2011 8:36 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Trying to manage the move to the cloud All, It is clear that many of us are dealing with the challenges of when, if and how to adopt public cloud computing models. In the mean time, it's concerning that at least some of our users are using free cloud services on their own. Like many of you, my institution has policies about appropriate use (AUP), privacy policies, perquisite use policies, etc. What we don't have is a policy that say "you must use the IT resources provided by your institution" even if other resources are available at no cost. I am concerned about the onsie-twosie uses of Mozy, yahoo, hotmail, gmail, wikispaces, skydrives, and other free services (and sometimes not free) that have not been reviewed or endorsed by central IT. Have any of you written or adopted policies that require the use of University provided or endorsed IT resources and that prohibit the use of non-endorsed resources when conducting university business? Beth Beth Chancellor, MEd, CISSP Associate CIO and Chief Information Security Officer University of Missouri (573) 882-2434
Current thread:
- Trying to manage the move to the cloud Chancellor, Beth C. (Mar 10)
- Re: Trying to manage the move to the cloud Schoenefeld, Keith P. (Mar 10)
- Re: Trying to manage the move to the cloud Mclaughlin, Kevin (mclaugkl) (Mar 11)
- Re: Trying to manage the move to the cloud Lorenz, Eva (Mar 11)
- Re: Trying to manage the move to the cloud Neil Sindicich (Mar 29)
- Re: Trying to manage the move to the cloud Mclaughlin, Kevin (mclaugkl) (Mar 11)
- Re: Trying to manage the move to the cloud Schoenefeld, Keith P. (Mar 10)
- Re: Trying to manage the move to the cloud Shamblin, Quinn (Mar 11)
- Re: Trying to manage the move to the cloud Bob Bayn (Mar 11)
- Re: Trying to manage the move to the cloud Jeffrey I. Schiller (Mar 11)
- Re: Trying to manage the move to the cloud Nathan Zierfuss (Mar 11)
- Re: Trying to manage the move to the cloud Leon DuPree (Mar 29)
- Re: Trying to manage the move to the cloud Jeffrey I. Schiller (Mar 11)