What is cloud computing?
Cloud computing is a term used to describe IT offerings which can be purchased as a service and used across the internet. These services offer convenience and flexibility; however, the processes involved in correctly procuring and evaluating cloud services can be complex and subject to legal, ethical and policy compliance requirements.
To help university staff meet the challenges of adopting this technology, IT Services has developed a policy and guidelines to assist users in the selection and use of cloud services. The guidelines include a checklist to be used by anyone considering a cloud computing service for all or part of their official University work.
The checklist addresses the following types of issues:
- Stakeholder and institutional requirements – deals with the service and the implications of its use for Trinity.
- Vendor considerations – outlines issues to be considered in relation to the vendor offering the service.
- Data issues – deals with University data and the implications of its use, considers if the cloud solution justifies the risk of processing data offsite and the possible costs of security audits.
If you are already using, or are planning to start using, a cloud computing solution, please review the Cloud Computing Policy and Guidelines.
Data Protection and the Cloud
When seeking to store or process personal data in the cloud which is subject to the Data Protection Act, University staff should be aware of the following issues:
- Security - The Data Protection Acts (Section 2C (3)) place responsibility for data security squarely on the data controller who is accountable to the individual data subject for the safeguarding of their personal information. A data controller must therefore be satisfied that personal data will be secure if it is outsourced to a cloud provider.
- Data Location - Personal data that is held within the European Economic Area (EU Member States plus Iceland, Liechtenstein and Norway) benefits from a common standard of protection laid down at EU level. When data is transferred outside of the EEA, special measures must be taken to ensure that it continues to benefit from adequate protection.
- Written Contract - Data protection law requires that there be a written contract with the cloud provider and any sub-processors to underpin the obligations set out above. The contract should be clear on the key points outlined above: that the cloud provider, and any sub-processors used by the provider, will only process the data as instructed by the data controller; and that the contract includes detailed assurance by the cloud provider on security measures, including the additional measures that need to be taken to guarantee the security of personal data that is processed outside of the European Economic Area.
The Information Security Manager can assist you in assessing the security of a proposed cloud product. You can request assistance via the IT Service Desk.
Cloud Security Guidelines
IT Services adheres to the international IT security best practice standard ISO 27001 for all IT systems which store or process University data.
When selecting a cloud service, IT Services therefore seeks concrete documentary evidence of that same standard from the potential cloud IT service providers.
IT Services' preferred way of verifying security standards is either receipt of an ISO 27001 certificate, or the output of an external audit which is based on ISO 27001 or equivalent.
Additionally we will accept an internal company security configuration document/policy which shows comprehensive evidence of security controls applied and maintained in line with the ISO domains or equivalent best practice model.