Cloud Computing
Cloud Security Practices at Stanford School of Medicine
To help address the security risks involved with cloud computing, the School of Medicine has created a set of best practices. If you are interested in using cloud services, here's what you can do:
- Contact Information Security Services so that we can perform an information security audit of the cloud computing companies and services that you're interested in employing. (First, check if the company you're interested in is already on the list of approved services below.)
- Ask Information Security Services to participate in the Service Level Agreement (SLA) process for each cloud service vendor company you'd like to engage. We will help to ensure that the SLA addresses issues that could potentially affect you and your data, including the monitoring of your data and ensuring that the service provider performs regular vulnerability scans.
- Consult the University's Risk Classification webpage to understand your obligations for protecting University data, even in the cloud.
- If you are using cloud services while meeting data handling requirements, make sure that your group clearly documents policies and procedures for using the service.
Approved Cloud Services for Each Level of information
(For the full chart of services approved for Stanford, visit the Stanford Risk Classification page.)
FOR HIGH AND MODERATE RISK INFORMATION: |
---|
This includes:
|
FOR LOW-RISK INFORMATION: |
---|
This includes:
University-Approved Services for Low-Risk Information:
|
FOR NON-UNIVERSITY-RELATED, NON-SENSITIVE INFORMATION: |
---|
Services NOT Approved for storage of any Moderate or High Risk information, only for personal and non-private information:
|
Cloud Computing: An Overview
Today, there are many services that let you store your files "in the cloud," and access them from anywhere. For example, Dropbox, Box.net, GoogleDocs, GoogleDrive, MobileMe and iCloud are popular and inexpensive cloud services used everywhere. Even Gmail is considered a cloud storage method. These services are very useful, but sometimes they can be about as secure as... storing something inside an actual cloud (i.e., not very secure). Cloud computing services have opened unlimited opportunities to users while creating unlimited risks to those users' data.
Today, an organization or even an individual can have the equivalent of an entire data center's infrastructure, just by using a cloud-based service. It can potentially save thousands of dollars and man-hours, and might even be completely free. But there are security issues that must be addressed before these services can be verified as truly secure.
Some of the Security Issues
Users of cloud-based services must be willing to give up control and visibility to cloud service providers. Specifically:
- The user cannot know precisely who and what may be accessing their data, and has no way to monitor any of these actions.
- The user cannot be sure that specific actions they think they are performing are in fact happening as expected. (For example: a user may attempt to delete his/her own data, but the cloud service provider may be keeping a secondary copy of the data that would still remain on the servers.)
Regulations
There are two specific legal issues that provide cloud security challenges for the School of Medicine:
- HIPAA-protected information must reside within the United States and cannot be exported. By using a cloud service provider, the user of the data does not know specifically where his/her data is housed. Many cloud service providers have data centers throughout the world, and it is very possible that data stored with the cloud service provider may be housed outside the United States.
- Any company handling HIPAA-protected information must sign a Business Associates Agreement (BAA), accepting responsibility for the protection of that information while in the company's care. Cloud service providers, particularly those that offer free services, are often unwilling to sign a BAA.
How CAN I use cloud storage properly?
You might use cloud-based services to store your own personal files that don't contain sensitive information, and files that only contain publicly available data (that is, data not classified as Moderate or High Risk).
For Stanford information, the University has created agreements with certain cloud services providers, and there is an approved list of services for information with different levels of risk. See above for a list of approved services. Information Security Services and the University Information Security Office are working on finding additional secure cloud solutions, and some new services may soon be approved for University business.
If you have more questions about handling sensitive information, see the Stanford Risk Classification page, and visit the High Risk Data FAQ. And remember, when in doubt, DON'T.
For Help:
If you ever have any questions about how to handle your information, contact IRT Information Security Services (5-8000 or irt-security@lists.stanford.edu ).