Educause Security Discussion mailing list archives
Re: Trying to manage the move to the cloud
From: Nathan Zierfuss <nathan.zierfuss () ALASKA EDU>
Date: Fri, 11 Mar 2011 09:30:25 -0900
Data protection requirements are also one of the ways we are trying to keep sensitive data out of the cloud, but starting to think about the next 3-5 years, when more vendors are offering cloud-based ERP resources which will need to hold sensitive PII or PHI, now would be good.

Two areas we are working on are risk frameworks and liability limitations. Risk frameworks, to think about what we are and are not willing to accept from a vendor or ourselves in the use of cloud-based services. Establishing liability boundaries in procurements & contracts, to know where our risk is by saying at point A I'm responsible for this data and what happens to it, and at point B you are, and we have all agreed to it. Rather than the blanket indemnification that currently happens in default licensing and contracts.

Developing these areas now will be key to dealing with the cloud, since stopping it has not been an effective or efficient tactic.

Nathan Zierfuss, CISSP, Senior IT Security Officer - Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320, Fairbanks, Alaska 99775-5320
Ph: (907) 450-8112  Fx: (907) 450-8381

On Mar 11, 2011, at 7:11 AM, Jeffrey I. Schiller wrote:
On Fri, Mar 11, 2011 at 10:37:16AM -0500, Bob Bayn wrote:

Our Information Security Policy includes this little statement: "Offsite storage, processing or backup of PSI/CID [private sensitive information/critical institutional data] must use service providers evaluated and approved by the responsible data steward in consultation with OIT. OIT is directed to publish standards that conform to this policy" <https://it.usu.edu/policies/htm/information-security/selection-of-cloud-computing-services>.

I like this approach. I am not a big fan of "You may not do that, period." style policies. If central IT has comparable solutions to a service in the cloud that someone wants to use, that is one thing. However, often this isn't the case. So if you say "you must use central IT's services" and the person needs to use the cloud service to do their job, in effect you are saying "you cannot do your job." Guess what happens then. And yes, I know that they probably can do their job without using the particular cloud service at issue, but it probably requires more work (which may not be appreciated by their supervisor!).

One of the big challenges that we have in security is getting security to align with human nature. When we ask people to do something that goes against the grain of human nature, compliance will always be low and risk will always be increased. I can rant more on this topic, but I won't pollute this thread with it :-)

I would recommend first a data classification policy, followed by an evaluation of various offerings out there and a mapping of which class of data is appropriate for which cloud service (if any).

-Jeff

--
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room N42-283
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name