Cloud Security Practices at Stanford School of Medicine
To help address the security risks involved with cloud computing, the School of Medicine has created a set of best practices. If you are interested in using cloud services, here's what you can do:
- Consult the University's Data Risk Classification page to confirm what level of information you're looking to use with cloud services.
- Check whether the company or product you're interested in using is already on the list of approved services. If not, submit a Data Risk Assessment (DRA) to request a review of the service. Other items that will need to be reviewed include the Service Level Agreement (SLA) process for each cloud service vendor company you'd like to engage. We will help to ensure that the SLA addresses issues that could potentially affect you and your data, including the monitoring of your data and ensuring that the service provider performs regular vulnerability scans.
- If you are using cloud services while meeting data handling requirements, make sure that your group clearly documents policies and procedures for using the service.
- Also look at the University's Cardinal Cloud service to see if this UIT-supported service could meet your requirements.
For the current chart of services approved for Stanford based on risk, visit the Stanford Risk Classification page.
Cloud Computing: An Overview
Today, there are many services that let you store your files "in the cloud," and access them from anywhere. For example, Dropbox, Box.net, Google Docs, Google Drive, MobileMe and iCloud are popular and inexpensive cloud services used everywhere. Even Gmail is considered a cloud storage method. These services are very useful, but sometimes they can be about as secure as... storing something inside an actual cloud (i.e., not very secure). Cloud computing services have opened unlimited opportunities to users while creating unlimited risks to those users' data.
Today, an organization or even an individual can have the equivalent of an entire data center's infrastructure, just by using a cloud-based service. It can potentially save thousands of dollars and man-hours, and might even be completely free. But there are security issues that must be addressed before these services can be verified as truly secure.
Some of the Security Issues
Users of cloud-based services must be willing to give up control and visibility to cloud service providers. Specifically:
- The user cannot know precisely who and what may be accessing their data, and has no way to monitor any of these actions.
- The user cannot be sure that specific actions they think they are performing are in fact happening as expected. (For example: a user may attempt to delete his/her own data, but the cloud service provider may be keeping a secondary copy of the data that would still remain on the servers.)
There are two specific legal issues that provide cloud security challenges for the School of Medicine:
- HIPAA-protected information must reside within the United States and cannot be exported. By using a cloud service provider, the user of the data does not know specifically where his/her data is housed. Many cloud service providers have data centers throughout the world, and it is very possible that data stored with the cloud service provider may be housed outside the United States.
- Any company handling HIPAA-protected information must sign a Business Associates Agreement (BAA), accepting responsibility for the protection of that information while in the company's care. Cloud service providers, particularly those that offer free services, are often unwilling to sign a BAA.
How CAN I use cloud storage properly?
You might use cloud-based services to store your own personal files that don't contain sensitive information, and files that only contain publicly available data (that is, data not classified as Moderate or High Risk).
For Stanford information, the University has created agreements with certain cloud service providers, and there is an approved list of services for information with different levels of risk. See above for a list of approved services, or check the Risk Classifications page's list. Information Security Services and the University Information Security Office are working on finding additional secure cloud solutions, and some new services may soon be approved for University business.
If you have more questions about handling sensitive information, see the Stanford Risk Classification page, and visit the UIT Information Security page. And remember, when in doubt, DON'T.
For questions about how to handle your information, contact TDS Service Desk (call 725-8000 or visit tdshelp.stanford.edu).
TDS Information Security Services:
File a HelpSU Request
University IT Website: uit.stanford.edu
TDS Service Desk: 5-8000 (7am - 6pm, M-F)