Types of Cloud Services

There are essentially three types of cloud services that are frequently asked about:

Infrastructure: Services providing hosted virtual or physical servers that you then install and run your software application on.

Storage: Services that provide a data or document repository, and often allow synchronization and sharing between several client computers.

Applications: Often referred to as “Software as a Service” vendors or “SaaS” vendors, who for a subscription (with or without a fee), provide the client a software application.

May I use services "in the cloud?"

Much of what is done every day here at the University of Iowa is critical to the success of this institution and the fulfillment of its mission.  Some of it may also be subject to contractual obligations, regulatory requirements, policy, or legislation. 

When considering cloud service options, the Information Security & Policy Office can assist in assessing the security and trustworthiness of that service.  It is very important to understand the sensitivity level of your data, and to evaluate the service or vendor through the lenses of their ability to provide integrity, availability and confidentiality of your data.

Assessing a cloud service can be a challenge, especially when trying to determine the potential risks to the University that may be introduced by using one. 

Questions for all cloud service providers

These are applicable to all services, and include services for low-risk data such as publicly accessible documents or directory information – things with minimal or no negative impact if they are unavailable, damaged or otherwise compromised.  These kinds of services often carry a low requirement for confidentiality.

1. Do you know if the service interacts with or utilizes other 3rd party services or partners?  If so, to what degree will the 3rd party have access to (or copies of) your data?
2. What level of user tracking is employed by the service? 
3. How will you be notified in the event of a security breach, service outage, or compromise?
4. Do you/we retain all rights of ownership of information placed into the cloud service?

Questions for medium risk applications or information

As risk becomes greater, we utilize a higher set of security requirements. For those situations when it would be more than an inconvenience to lose access to the service, application, or your data, we consider them medium risk, and ask more questions. Medium risk may be appropriate when there is some level of confidentiality to the information, but the service or information may not be mission critical to the University of Iowa.

1. What is the exit strategy (i.e., to extract information, remove accounts) for leaving this service provider? 
2. Is data that is transmitted to and from the service provider protected via encryption?
3. When that data is “at rest” or not being transferred or copied to another entity, is it encrypted? 
4. How do you plan to recover from a service interruption, data loss, or other issue?
5. Does the service provider utilize strong passwords for authentication?

Questions for information or services that present a high risk

There are additional questions we should ask when there is a high risk to the University of Iowa and the success of its mission. There may be serious impact if the service is unavailable for a time, or if the information is compromised, or if we question it’s accuracy and integrity.  Often this level of risk should involve a contractual agreement with the service provider.

1. Can the University of Iowa negotiate a service contract (or Service Level Agreement) with the provider?
2. Does the cloud provider support external directory-based authentication, so University persons can use their HawkID for access to the service?
3. Does each user of the service get associated with a unique account ID?
4. Where does end-user-supplied data get physically stored?
   • On each client computer or mobile device?
   • With the service provider in their local infrastructure?
   • Local to the UI campus, in a centrally managed data center? (e.g., network-attached (NAS) storage such as your H: drive, or on a storage area network (SAN) device service)
   • With a 3rd party storage service provider like Amazon S3?
5. Can I audit and report on all accesses to the service, and information accessed by end users, as well as the cloud provider’s support staff?
6. Who are the parties that have access to data encryption keys?
7. Has the cloud service provider received a SAS 70 type II certification?