Cloud Security

Cloud computing  consists of applications and infrastructure resources that users access via the Internet. Companies such as Apple, Google, Microsoft, and Amazon provide cloud computing services for: communication, collaboration, project management, scheduling, data analysis, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use because they are accessed via a browser and do not require installation or maintenance.

Cloud storage of files can expedite collaboration and sharing of information, however users need to be aware that CSU, Chico explicitly forbids the storage of University Level 1 Protected Information and restricts the storage of Level 2 Private Information (see table 2).

Additional Information

Cloud Computing Standard (effective date 9/05/17)

Data Classification and Protection Standards

Online Cloud Storage and E-mail FAQ

Requirements for Responsible Administrators of Cloud Services

Software as a Service (SaaS): Is the capability to use applications via a thin client interface such as a Web browser (e.g., Web-based email). Consumers no longer need to manage or control the underlying infrastructure.  SaaS providers manage the servers, operating systems, storage, and even individual application functionality.

Listing of Cloud Application and Storage Services:

Services Approved for University Use

Services Not Approved for University Use

 Google Apps for Education & Google Drive

Dropbox

 Microsoft O365 & OneDrive

iCloud

 Box

Amazon Cloud Drive

Table 1

Most cloud services, such as Google Docs, make it easy for individuals to sign-up and use their services, often at no monetary cost.  However, CSU, Chico faculty, staff, must be very cautious about self-provisioning a cloud service to process, share, store, or otherwise manage institutional data (as defined by the CSU Data Classification Standard). Self-provisioned cloud services may present significant data management risks.  Virtually all cloud services require individual users to accept click-through agreements. These agreements do not allow users to negotiate terms, do not provide the opportunity to clarify terms, often provide vague descriptions of services and safeguards, and can change without notice.

Policy for Use of Cloud Services for Storage, Communication, and Productivity involving University Data (Software as a Service):

  • Use of cloud services for storage, communication and productivity involving University Level 1 data is prohibited (Examples include but are not limited to Dropbox, Google Apps for Education, Office 365).
  • Use of cloud services for storage of University Level 2 data must be limited to services contracted by and supported by the University.  Cloud services which are not supported by and provisioned by the University are prohibited.
  • Uses of cloud service offerings which are not supported, provisioned or contracted by the University for storage, communication, and productivity are not recommended. This applies to any uses of University records including vital records which are classified as public or Level 3 data. University data should be limited to University supported, provisioned and contracted services.
  • The use of public cloud services for academic, non-FERPA data is permitted.

The following table outlines the data classification and proper handling of CSU, Chico data:

data storage table

Data Classification Standards 

Table 2