Information Resources & Technology (IRT)

Cloud Computing


Cloud Computing: An Overview

Today, there are many services that let you store your files "in the cloud," and access them from anywhere. For example, Dropbox, Box.net, Google Docs, Google Drive, MobileMe, and iCloud are popular and inexpensive cloud services used everywhere. Even Gmail is considered a cloud storage method. These services are very useful, but sometimes they can be about as secure as... storing something inside an actual cloud (not very secure). Cloud computing services have opened unlimited opportunities to users while creating unlimited risks to those users' data.

Before cloud storage existed, in order to provide storage to users an organization would need to: purchase the storage; create a data center where the storage would reside; run servers that would utilize the storage; and employ server administrators, storage experts, and data center operators. Today, an organization or even an individual can have the equivalent of a data center's infrastructure, just by using a cloud-based service. It can potentially save thousands of dollars and man-hours, and might even be completely free while being available 24/7. But there are security issues that must be addressed before these services can be verified as truly secure, including data ownership, data separation, data protection, and backup.

 


Some of the Security Issues

Users of cloud-based services must be willing to give up control and visibility to cloud service providers. Specifically,

Regulations

There are two specific legal issues that provide cloud security challenges for the School of Medicine:

 


Cloud Security Practices at Stanford School of Medicine

To help address the security risks involved with cloud computing, the School of Medicine has created a set of best practices. If you are interested in using cloud services, here's what you can do:

  1. Contact Information Security Services so that we can perform an information security audit of the cloud computing companies and services that you're interested in employing. (First, check if the company you're interested in is already on the list of approved services below.)
  2. Ask Information Security Services to participate in the Service Level Agreement (SLA) process for each cloud service vendor company you'd like to engage. We will help to ensure that the SLA addresses issues that could potentially affect you and your data, including the monitoring of your data and ensuring that the service provider performs regular vulnerability scans.
  3. Consult the University's Data Classification webpage to understand your obligations for protecting University data, even in the cloud.
  4. If you are using cloud services while meeting data handling requirements, make sure that your group clearly documents policies and procedures for using the service.

 


How CAN I use cloud storage properly?

You might use cloud-based services to store your own personal files that don't contain sensitive information, and files that only contain publicly available data (that is, data not classified as University Restricted or Prohibited). Information Security Services and the University Information Security Office are working on finding secure cloud solutions, and some new services may soon be approved for University business.

If you have more questions about handling sensitive information, see the Stanford Data Classification page, and visit the Prohibited and Restricted Data FAQ. And remember, when in doubt, DON'T.

Approved Cloud Services for Each Level of Information:

(For the full chart of services approved for Stanford, visit the Stanford Data Classification page (dataclass.stanford.edu) and scroll down to the bottom.)

PROHIBITED INFORMATION**:
This includes:
  • Social Security Numbers
  • Credit Card Numbers
  • Financial Account Numbers (such as checking or investment accounts)
  • Driver's License Numbers
  • Health Insurance Policy ID Numbers

 ** You should never store any of this data on any of your computers at ALL, without the express permission of the Data Governance Board.

University-Approved Services for Prohibited Information:
 
RESTRICTED INFORMATION:
This includes:

University-Approved Services for Restricted Information:
 

CONFIDENTIAL INFORMATION:
This includes:
  • Student Records
  • Research Data
  • Faculty/staff employment applications, personnel files, benefits, salary, birthdate, and personal contact information
  • Admission applications
  • Donor contact information and non-public gift amounts
  • Non-public Stanford policies
  • Stanford internal memos and email, and non-public reports, budgets, plans, and financial information
  • Non-public contracts
  • University and employee ID numbers

 University-Approved Services for Confidential Information:
 

NON-UNIVERSITY-RELATED, NON-SENSITIVE INFORMATION:

Services NOT Approved for storage of any Prohibited or Restricted information:

  • Amazon cloud services
  • Dropbox

 

 


For Help:

If you ever have any questions about how to handle your information, contact IRT Information Security Services (5-8000 or ).
