Cloud Computing

Today, there are many services that let you store your files "in the cloud," and access them from anywhere. For example, Dropbox, Box.net, GoogleDocs, GoogleDrive, MobileMe and iCloud are popular and inexpensive cloud services used everywhere. Even Gmail is considered a cloud storage method. These services are very useful, but sometimes they can be about as secure as... storing something inside an actual cloud (i.e., not very secure). Cloud computing services have opened unlimited opportunities to users while creating unlimited risks to those users' data.

Before cloud storage existed, in order to provide storage to users an organization would need to: purchase the storage; create a data center where the storage would reside; run servers that would utilize the storage; and employ server administrators, storage experts and data center operators. Today, an organization or even an individual can have the equivalent of a data center's infrastructure, just by using a cloud-based service. It can potentially save thousands of dollars and man-hours, and might even be completely free while being available 24/7. But there are security issues that must be addressed before these services can be verified as truly secure, including data ownership, data separation, data protection, and backup.

Users of cloud-based services must be willing to give up control and visibility to cloud service providers. Specifically:

• The user cannot know precisely who and what may be accessing their data, and has no way to monitor any of these actions.
• The user cannot be sure that specific actions they think they are performing are in fact happening as expected. (For example: a user may attempt to delete his/her own data, but the cloud service provider may be keeping a secondary copy of the data that would still remain on the servers.)

There are two specific legal issues that provide cloud security challenges for the School of Medicine:

• HIPAA-protected information must reside within the United States and cannot be exported. By using a cloud service provider, the user of the data does not know specifically where his/her data is housed. Many cloud service providers have data centers throughout the world, and it is very possible that data stored with the cloud service provider may be housed outside the United States.
• Any company handling HIPAA-protected information must sign a Business Associates Agreement (BAA), accepting responsibility for the protection of that information while in the company's care. Cloud service providers, particularly those that offer free services, are often not willing to sign a BAA (after all, why should they accept fiscal responsibility when they are not earning any revenue from the service?).

To help address the security risks involved with cloud computing, the School of Medicine has created a set of best practices. If you are interested in using cloud services, here's what you can do:

1. Contact Information Security Services so that we can perform an information security audit of the cloud computing companies and services that you're interested in employing. (First, check if the company you're interested in is already on the list of approved services below.)
2. Ask Information Security Services to participate in the Service Level Agreement (SLA) process for each cloud service vendor company you'd like to engage. We will help to ensure that the SLA addresses issues that could potentially affect you and your data, including the monitoring of your data and ensuring that the service provider performs regular vulnerability scans.
3. Consult the University's Risk Classification webpage to understand your obligations for protecting University data, even in the cloud.
4. If you are using cloud services while meeting data handling requirements, make sure that your group clearly documents policies and procedures for using the service.

You might use cloud-based services to store your own personal files that don't contain sensitive information, and files that only contain publicly available data (that is, data not classified as Moderate or High Risk). Information Security Services and the University Information Security Office are working on finding secure cloud solutions, and some new services may soon be approved for University business.

If you have more questions about handling sensitive information, see the Stanford Risk Classification page, and visit the Prohibited and Restricted Data FAQ. And remember, when in doubt, DON'T.

(For the full chart of services approved for Stanford, visit the Stanford Risk Classification page.)

For Help:

If you ever have any questions about how to handle your information, contact IRT Information Security Services (5-8000 or irt-security@lists.stanford.edu ).